Survey of High Interaction Honeypot Tools: Merits and Shortcomings

Abdulrazaq Almutairi (Author), Prof. David Parish, Dr. Raphael Phan (Coauthors)
School of Electronic, Electrical and Systems Engineering, Loughborough University, Leicestershire, UK LE11 3TU
Email: A.Almutairi@lboro.ac.uk, D.J.Parish@lboro.ac.uk, R.Phan@lboro.ac.uk

ISBN: 978-1-902560-26-7 © 2012 PGNet

Abstract—Honeypots are fictional vulnerable systems that present themselves as generic systems available for unauthorised or illicit use by abusers; the objective is to study the abusers' attack and system-compromise methodology and to gather forensic information. Honeypot systems are categorised by level of interaction as low-, medium- or high-interaction honeypots. High-interaction honeypots can collect a large amount of information about attackers (attack strategy, actions, tools, origin, identity, etc.), which suits the needs of the forensic data analyst and makes high-interaction honeypot tools very useful. However, tools in this category also introduce a high level of risk, both by putting other machines in a high-risk position and from the data analysis perspective, since the flexibility and degree of interaction offered to the attacker make the captured data very difficult to analyse. This paper discusses the features of various high-interaction honeypot tools available to researchers and compares their detection (monitoring) methods. It has been found that most of the tools have similar features; what varies between tools is the data analysis functionality.

Keywords: Honeypots, High Interaction Honeypots, Forensic Analysis

I. INTRODUCTION AND BACKGROUND

Information security is becoming a primary concern in this age of information. The classical, more or less defensive method of security is now being extended to a more aggressive defence format. Intrusion detection is the process of monitoring networks, and the machines within them, for unauthorised usage or activity. Reference [ ] describes Intrusion Detection Systems (IDSs) as systems for detecting unwanted manipulation of a system. This manipulation may take the form of an attack by an attacker or simply the use of a malicious script that changes the fingerprint of the system under attack [ ]. Typically, an IDS is required to detect all malicious traffic that cannot be detected by commonly deployed tools such as firewalls. IDSs are categorised into host-based (HIDS), where data on an individual computer system is examined, and network-based (NIDS), where the data packets transiting the network are analysed. According to [ ], network attacks include data-driven attacks on applications and network attacks on vulnerable services, and host attacks include unauthorised logins, installation of malware, access to files and changing of privileges. Unlike common IDSs, honeypot technology deliberately provides the attacker with resources that are needed for a successful attack. Honeypot- or honeynet-based decoy systems are implemented for the purpose of intrusion detection and protection.

A honeypot is difficult to define, as there are a number of interpretations in the literature, covering attack prevention, attack detection and data collection in the context of security. It is distinctive in that it is a technology, not a solution or procedure for resolving a particular security issue. A honeypot is a trap set to detect, deflect or in some cases counteract attempts at unauthorised use of production systems. It appears to be part of a network but remains isolated and protected. Its value lies in being probed, attacked and compromised [ ]. Hence, honeypots have no production value and should not see any legitimate traffic or events. According to [ ], the purposes of a honeypot or a monitored honeynet include the following:
1. They form a defensive distraction system that directs an attacker towards machines containing no valuable information;
2. They serve as an early warning system that can inform about exploitation trends; and
3. They become a data collection store that can be used to examine the methods and processes used to exploit the honeypot.

Interaction with a honeypot is expected to come from attackers; hence the value of a honeypot lies in the unauthorised interaction conducted by abusers of the vulnerable honeypot. Another term used regularly alongside honeypots is honeynet, meaning a network formed of one or more honeypots [ ]. Honeypots are classified by level of interaction and by purpose; details are given in Section 2.

This paper is organised as follows. In Section 2 we discuss the various types of honeypots, followed by Section 3, where the monitoring methods used by high-interaction honeypots are discussed in detail. Section 4 enumerates the advantages and shortcomings of honeypots and honeynets, and Section 5 presents a brief discussion of the research being conducted by the author. Finally, Section 6 concludes the paper with a discussion of the future of honeypots.

II. CLASSIFICATION OF HONEYPOTS

Honeypots can be classified by level of interaction (low and high) and by purpose (research and production). The level of interaction defines the extent of activity the honeypot allows an attacker.

A. Level of Interaction

1) Low-Interaction Honeypots

A low-interaction honeypot simulates only limited services that cannot be exploited far enough to gain total control of the honeypot [ ]. A low-interaction honeypot presents emulated services and an emulated operating system to the attacker, which makes it easier to deploy and maintain. Examples of emulated services include an FTP service listening on TCP port 21, a Telnet service on TCP port 23, logins to the emulated FTP server, and so on. The emulated services mitigate risk by containing the attacker's activity; the interaction between this type of honeypot and production systems is very limited. These honeypots can be compared to a passive IDS: network traffic is not modified in any way and the honeypot does not interact with the attacker beyond the emulation, which keeps the risk associated with this category low. Low-interaction honeypots are generally used to analyse spammers and can also be used to provide countermeasures against worms. A well-known example of an open-source low-interaction honeypot is Honeyd [ ]. Honeyd [ ] is a daemon that can be used to simulate a large network on a single host. It is a framework for creating virtual honeypots on the unused IP addresses of a network, simulating various operating systems and services. Other low-interaction honeypots include Specter [ ] and KFSensor [ ]. Specter can monitor a total of 14 TCP ports; of these, 7 are called traps and the other 7 are called services. Traps are port listeners: when the attacker makes a connection, the attempt is terminated and then logged. Services are more advanced: they interact with the attacker, emulating the application [ ]. The level of emulation depends on each service. For example, the HTTP service emulates a simple Web server with default static Web pages. Figure 1 shows the control panel of the low-interaction honeypot tool Specter. KFSensor simulates system services at the application layer [ ]. Reference [ ] explains how KFSensor can be used to set up new firewall rules. Figure 2 shows the HTTP service emulation in the low-interaction honeypot tool KFSensor.

Figure 1. Control panel for the Specter tool showing services that may be emulated (Source: [ ])

Figure 2. HTTP service emulation setup using KFSensor (Source: [ ])
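The trap/service distinction and the static-page HTTP emulation described above, written out as a small C honeypot daemon. This is an added example, not code from the paper, Specter or KFSensor; the monitored ports and their trap/service roles, the fake Server header and the page body are assumptions. honeypot_handle() is the decision logic (what to log, what to send back) and main() wraps it in a TCP listener for one port.

```c
/* Specter-style low-interaction honeypot. Monitored ports are either "traps"
 * (accept, log the first bytes, close) or "services" (emulate just enough of
 * the application to log a request and answer it with static content).
 * Added example, not code from the paper or from Specter/KFSensor: the port
 * roles, the fake Server header and the page body are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>

enum role { TRAP, SERVICE };
enum action { ACT_CLOSE, ACT_REPLY };
struct port_rule { int port; enum role role; const char *name; };

/* Assumed monitoring table: one emulated service and three traps. */
static const struct port_rule RULES[] = {
    { 80,  SERVICE, "http"   },
    { 21,  TRAP,    "ftp"    },
    { 23,  TRAP,    "telnet" },
    { 445, TRAP,    "smb"    },
};

/* Static page returned to every GET; Content-Length matches the 44-byte body. */
static const char HTTP_OK[] =
    "HTTP/1.0 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\n"
    "Content-Type: text/html\r\nContent-Length: 44\r\n\r\n"
    "<html><body>Under construction</body></html>";
static const char HTTP_BAD[] =
    "HTTP/1.0 400 Bad Request\r\nContent-Length: 0\r\n\r\n";

char reply_buf[512], log_buf[256];   /* scratch buffers for main() and checks */

static const struct port_rule *lookup(int port)
{
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++)
        if (RULES[i].port == port) return &RULES[i];
    return NULL;
}

/* First line of attacker data, truncated and stripped of CR/LF, so that a
 * crafted request cannot inject extra lines into the log. */
static void first_line(const char *in, char *out, size_t outlen)
{
    size_t n = strcspn(in, "\r\n");
    if (n >= outlen) n = outlen - 1;
    memcpy(out, in, n);
    out[n] = '\0';
}

/* Decide how to treat data received on `port` from `src`: fills `reply`
 * (empty for traps) and one audit line in `logline`, returns the action. */
enum action honeypot_handle(int port, const char *src, const char *request,
                            char *reply, size_t replylen,
                            char *logline, size_t loglen)
{
    const struct port_rule *r = lookup(port);
    char line[80];
    first_line(request, line, sizeof line);
    reply[0] = '\0';

    if (r == NULL || r->role == TRAP) {              /* trap: record and drop */
        snprintf(logline, loglen, "TRAP %s port=%d src=%s data=\"%s\"",
                 r ? r->name : "unknown", port, src, line);
        return ACT_CLOSE;
    }
    /* service: the HTTP emulation answers GET with the static page and
     * anything else with 400; deeper emulation belongs here */
    snprintf(reply, replylen, "%s",
             strncmp(request, "GET ", 4) == 0 ? HTTP_OK : HTTP_BAD);
    snprintf(logline, loglen, "SERVICE %s port=%d src=%s request=\"%s\"",
             r->name, port, src, line);
    return ACT_REPLY;
}

/* Stand-alone use: ./honeypot <port>  (listens on that port, logs to stdout) */
int main(int argc, char **argv)
{
    int port = argc > 1 ? atoi(argv[1]) : 80, one = 1;
    int srv = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((unsigned short)port);
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    setsockopt(srv, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (srv < 0 || bind(srv, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(srv, 8) < 0) {
        perror("listen");
        return 1;
    }
    for (;;) {
        struct sockaddr_in peer;
        socklen_t plen = sizeof peer;
        char req[1024] = { 0 }, src[INET_ADDRSTRLEN];
        int c = accept(srv, (struct sockaddr *)&peer, &plen);
        if (c < 0) continue;
        inet_ntop(AF_INET, &peer.sin_addr, src, sizeof src);
        if (recv(c, req, sizeof req - 1, 0) < 0) req[0] = '\0';  /* first segment only */
        enum action a = honeypot_handle(port, src, req, reply_buf, sizeof reply_buf,
                                        log_buf, sizeof log_buf);
        puts(log_buf);
        if (a == ACT_REPLY) send(c, reply_buf, strlen(reply_buf), 0);
        close(c);
    }
}
```

Only the first segment of attacker data is read, and its first line is truncated and stripped of CR/LF before it reaches the log, so a crafted request cannot forge extra log records. Deeper emulation (FTP USER/PASS handling, HTTP virtual hosts) would be added inside the service branch, which is exactly where a low-interaction tool's fidelity, and its fingerprintability, is decided.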
2) High-Interaction Honeypots

High-interaction honeypots are complex solutions that involve deploying real operating systems and applications [ ]. Because a real operating system is involved, the level of risk increases many-fold, but this is the trade-off for capturing extensive information by allowing attackers to interact with real systems [ ]. This makes it possible to capture and log the full extent of the attacker's behaviour for analysis at a later stage. According to [ ], as the attacker has more resources to exploit at his disposal, a high-interaction honeypot should be monitored regularly to ensure that it does not itself become a security issue. Examples of high-interaction honeypots include honeynets [ ], Sebek [ ] and Argos [ ]. Argos offers the attacker a full operating system; when the attacker tries to do something malicious, the honeypot shuts down and dumps memory and disk so that what the attacker was trying to do can be determined [ ]. The monitoring methods of high-interaction honeypots are discussed in greater detail in Section 3.

B. Purpose of Honeypot

1) Research Honeypots

A research honeypot is used to gain information about the attacker community and does not add any direct value to the organisation [ ]. Its purpose is to gather intelligence about the general threats an organisation may face, and hence to allow the organisation to protect itself better against the threats analysed. The primary function is to study how attackers attack and to understand their objectives and behaviour [ ]. Research honeypots are typically high-interaction honeypots and are therefore complex to deploy and difficult to maintain. They are generally used within the research and commercial communities as well as by military and defence organisations. According to [ ], they add tremendous value to research by providing a platform for studying cyber threats and attacks. They may also be suitable for developing analysis and forensic skills; [ ] gives an instance where a honeypot was used for the forensic analysis of a DNS attack.

2) Production Honeypots

Production honeypots are used within an organisation's environment to protect its information assets and help mitigate risk [ ]. Unlike research honeypots, they have direct value, as they provide security to the organisation's production resources. As they do not require a large amount of functionality, they are not too complex to deploy or maintain, and consequently they cannot provide a large amount of information about attackers. Their primary function is to mirror the production network of the organisation and invite attackers to interact with them, so that vulnerabilities of the network can be exposed. They are considered to add value to the detection of attacks rather than their prevention. One example of a production honeypot is Nepenthes [ ].

TABLE I. CLASSIFICATION OF HONEYPOTS

| Category | Classification of Honeypot | Examples | Brief Description |
|---|---|---|---|
| Level of Interaction | Low-Interaction Honeypot | HoneyD, Specter, KFSensor, MWCollect | Simulates only limited services that cannot be exploited far enough to gain total control of the honeypot. |
| Level of Interaction | High-Interaction Honeypot | Honeynet, Sebek, Argos | Complex solutions that involve deploying real operating systems and applications. |
| Purpose of Honeypot | Research Honeypot | Honeynets | Used to gain information about the attacker community; does not add any direct value to the organisation. |
| Purpose of Honeypot | Production Honeypot | Nepenthes | Used within an organisation's environment to protect its information assets and help mitigate risk. |

III. MONITORING METHODS OF HIGH-INTERACTION HONEYPOTS

Honeypot monitoring is a very important component of any honeypot deployment. Two methods are used for monitoring honeypots: the external method (network-based) and the internal method (host-based). In the network-based method, all packets sent to or received from the monitored honeypot are captured with traffic sniffing tools such as TCPDUMP [ ] and Ethereal [ ] (now Wireshark). In the host-based method, specialised sensors are deployed within the honeypot in order to monitor and record system events.

It should be noted that both approaches have their strengths and weaknesses. The network-based approach, being deployed outside the honeypot, is transparent and invisible to the attacker and can sniff all packets, but it cannot capture internal system events on the honeypot. Furthermore, it is ineffective, or much less effective, if the network traffic is encrypted. The host-based method, on the other hand, can be tampered with if the attacker detects it, leaving it ineffective.

The data capture module of a high-interaction honeypot deals with collecting and recording all activity on the honeypot. It deceives the intruder by capturing all activity within the honeypot without the attacker knowing about any monitoring, i.e. through the introduction of decoy systems.

A. Sebek

Sebek is a kernel-based data capture tool used in high-interaction honeypots. For monitoring purposes it works as follows:
• Sebek installs as a hidden loadable kernel module that captures all host activity. On installation, Sebek replaces a number of sensitive system calls in the original operating system. For instance, the latest Sebek release for Linux replaces 11 system calls: sys_open, sys_read, sys_readv, sys_pread64, sys_write, sys_writev, sys_pwrite64, sys_fork, sys_vfork, sys_clone and sys_socketcall [ ]. The corresponding system call table entries are overwritten (hijacked) with Sebek's own handlers, as shown in Figure 3.
• Once the system calls have been replaced, Sebek intercepts every subsequent invocation of the above system calls and captures the arguments as well as context information such as the PID. After capturing, Sebek invokes the original system call handler with the passed arguments in order to complete the requested call.
• All information collected about the hooked system calls is sent to a remote Sebek server, where it can be analysed in real time or saved for later analysis.

Figure 3. Instance of the modified sys_read system call after loading of Sebek

Figure 4 shows the Sebek-based approach to honeypot monitoring.

For monitoring malicious activity in the honeypot, internal sensors like Sebek need to be transparent and tamper-resistant. However, as mentioned before, in case of compromise the attacker may notice anomalies such as [ ]:
• modification of the system call table entries that were replaced,
• inconsistencies in the statistics transmitted by the honeypot,
• Unsebek [ ] of a honeypot system (locating and disabling the module).

Figure 4. Sebek-based approach to honeypot monitoring in the context of HTTP (Source: [ ])
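The three steps of Sebek's operation described above (replace table entries, capture arguments and PID, call the original handler and ship records to a server) and the first anomaly an attacker can look for (modified table entries), as a user-space C model. It is an added example, not Sebek's source: the three-slot sys_call_table, the handler signature, the in-memory records array standing in for the UDP stream to the Sebek server, and clean_table (what an integrity checker would have saved before any module was loaded) are all assumptions.

```c
/* User-space model of how Sebek captures data and how it can be spotted.
 * A table of handler pointers stands in for the kernel's sys_call_table:
 * installing Sebek saves the originals and overwrites the read/write slots
 * with wrappers that record (pid, syscall, fd, data, return value) and then
 * hand control to the real handler; a detector with a known-clean copy of
 * the table then finds the overwritten slots. Added example, not Sebek's
 * source; the three-entry table, record layout and names are assumptions. */
#include <stdio.h>
#include <string.h>

typedef long (*syscall_fn)(int pid, int fd, char *buf, size_t len);
enum { NR_READ, NR_WRITE, NR_OPEN, NR_SYSCALLS };

/* Stand-ins for the kernel's original handlers. */
static char tty_input[] = "cat /etc/shadow\n";        /* what a read() returns */
static long orig_read(int pid, int fd, char *buf, size_t len)
{
    (void)pid; (void)fd;
    size_t n = strlen(tty_input);
    if (n > len) n = len;
    memcpy(buf, tty_input, n);
    return (long)n;
}
static long orig_write(int pid, int fd, char *buf, size_t len)
{ (void)pid; (void)fd; (void)buf; return (long)len; }
static long orig_open(int pid, int fd, char *buf, size_t len)
{ (void)pid; (void)fd; (void)buf; (void)len; return 3; }

syscall_fn sys_call_table[NR_SYSCALLS] = { orig_read, orig_write, orig_open };
/* What an integrity checker recorded before any module was loaded. */
const syscall_fn clean_table[NR_SYSCALLS] = { orig_read, orig_write, orig_open };

/* --- Sebek side -------------------------------------------------------- */
struct record { int pid; int nr; int fd; long ret; char data[32]; };
struct record records[64];          /* stands in for the UDP stream to the server */
int nrecords;
static syscall_fn saved[NR_SYSCALLS];

static void capture(int pid, int nr, int fd, const char *buf, long ret)
{
    if (nrecords >= 64) return;
    struct record *r = &records[nrecords++];
    r->pid = pid; r->nr = nr; r->fd = fd; r->ret = ret;
    size_t n = ret > 0 ? (size_t)ret : 0;
    if (n > sizeof r->data - 1) n = sizeof r->data - 1;
    memcpy(r->data, buf, n);
    r->data[n] = '\0';
}
/* read: run the real call first so the recorded bytes are what the process saw */
static long hooked_read(int pid, int fd, char *buf, size_t len)
{
    long ret = saved[NR_READ](pid, fd, buf, len);
    capture(pid, NR_READ, fd, buf, ret);
    return ret;
}
/* write: the arguments already hold the data, so record, then call through */
static long hooked_write(int pid, int fd, char *buf, size_t len)
{
    capture(pid, NR_WRITE, fd, buf, (long)len);
    return saved[NR_WRITE](pid, fd, buf, len);
}
void sebek_install(void)
{
    memcpy(saved, sys_call_table, sizeof saved);
    sys_call_table[NR_READ]  = hooked_read;
    sys_call_table[NR_WRITE] = hooked_write;
}
void sebek_remove(void) { memcpy(sys_call_table, saved, sizeof saved); }

/* --- attacker / Unsebek side ------------------------------------------- */
/* Returns how many table slots no longer point where the clean copy says. */
int count_modified_entries(void)
{
    int n = 0;
    for (int i = 0; i < NR_SYSCALLS; i++)
        if (sys_call_table[i] != clean_table[i]) n++;
    return n;
}

/* A process entering the kernel through the (possibly hooked) table. */
long do_syscall(int nr, int pid, int fd, char *buf, size_t len)
{
    return sys_call_table[nr](pid, fd, buf, len);
}

char scratch[64];

int main(void)
{
    sebek_install();
    do_syscall(NR_READ, 1234, 0, scratch, sizeof scratch);    /* shell reads a command */
    do_syscall(NR_WRITE, 1234, 1, scratch, strlen(scratch));  /* and echoes it */
    for (int i = 0; i < nrecords; i++)
        printf("pid=%d nr=%d fd=%d ret=%ld data=%s", records[i].pid, records[i].nr,
               records[i].fd, records[i].ret, records[i].data);
    printf("modified table entries while hooked: %d\n", count_modified_entries());
    sebek_remove();
    printf("modified table entries after unload: %d\n", count_modified_entries());
    return 0;
}
```

Note the ordering difference between the two hooks: the read hook calls the original first, because the data of interest is what the kernel copies into the buffer, while the write hook records the arguments before calling through. count_modified_entries() is the Unsebek-style check: whoever holds a trustworthy copy of the table, or the kernel's own symbol addresses, can diff the live table against it, which is why an in-guest sensor cannot be made fully transparent and why the out-of-the-box VM monitoring listed in the references moves the monitor outside the guest.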
Figure 5. Honeywall architecture (Source: [ ])

B. Honeynets

A honeynet is a high-interaction honeypot developed by The Honeynet Project [ ] in order to capture information on the network. The primary purpose of the honeynet is to gather information on security issues. A gateway called the Honeywall collects the data flowing to and from the honeypots on the network. Figure 5 shows the Honeywall gateway, which forms the main part of the honeynet and works by capturing all traffic entering or leaving the honeypot network. It separates the victim honeypots from the rest of the network. According to [ ], it can be configured as a layer 2 (bridging) or layer 3 (routing) gateway; the layer 2 configuration is preferred, because in bridge mode the gateway has no IP address of its own and is therefore difficult for an attacker to detect. A honeynet is a highly controlled network where every packet entering or leaving is monitored, captured and analysed; it consists of data control, data capture and data collection:
• Data Control: if a honeypot deployed within the honeynet is compromised, the honeynet has to contain all the attacker's activity and ensure that production systems are not harmed in any way. It should be ensured that traffic can flow in and out of the honeynet without the attacker detecting the control activities [ ].
• Data Capture: this part captures all activity within the honeynet and the data entering and leaving it, without the attacker knowing that they are being monitored. All the attacker's activities are logged and the captured data is analysed to understand the vulnerabilities exploited and the motives of the attacker.
• Data Collection: all captured data is forwarded to a centralised data collection point, so that captured data can be collected, analysed and archived at one location.

IV. ADVANTAGES AND DISADVANTAGES OF HONEYPOTS

From the background and monitoring methods above, the following distinct advantages of honeypots over other security systems can be identified [ ]:
• Small data sets: honeypots only see the traffic that actually arrives at them, rather than the traffic overload generally observed on production systems, where differentiating between legitimate and illegitimate packets is a difficult and complex task. Overall, a honeypot collects small data sets of high value.
• Catching new attacks (false negatives): as honeypots capture everything arriving at them, they can catch new tactics and attack methods that other systems would have missed as false negatives.
• Working in encrypted or IPv6 environments: honeypots have been shown to work with encrypted traffic and have been scaled to IPv6 environments.
• Minimal resources: as only limited data is captured, honeypots do not require high-end resources. It is a simple concept that requires minimal resources.

Some of the disadvantages of honeypots compared with other security systems and approaches are as follows [ ]:
• Limited field of view (microscope): it is inherent to honeypots that the only activity or data they capture is the attacker's direct interaction with them. Attacks happening on other parts of the network are unknown to a particular honeypot.
• Risk (mainly high-interaction honeypots): this is unlikely with low-interaction honeypots, but with high-interaction honeypots, where real operating systems and applications are deployed, a compromise may lead to parts of the production network being attacked, which is a major concern for an organisation.
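The Data Control component of the honeynet described above, and the Risk disadvantage it exists to address, as an added C example (not Honeywall code): a gateway decision function that always admits inbound traffic to a honeypot, counts outbound connections per honeypot and per protocol, and drops them once an hourly limit is reached, writing a capture record for each decision. The honeypot addresses, the external addresses and the per-hour limits are assumptions, chosen in the spirit of the Honeywall rc.firewall defaults.

```c
/* Honeywall-style data control, modelled on the Honeynet Project's
 * rc.firewall policy: anything inbound to a honeypot is allowed (and logged);
 * outbound connections from a honeypot are allowed only up to a per-protocol
 * hourly limit and silently dropped afterwards, so a compromised honeypot
 * cannot be turned against production hosts. Added example, not Honeywall
 * code: the addresses and the limit values are assumptions. */
#include <stdio.h>
#include <string.h>

enum verdict { ALLOW, DROP };
enum proto { PROTO_TCP, PROTO_UDP, PROTO_ICMP, NPROTO };
static const char *PROTO_NAME[NPROTO] = { "tcp", "udp", "icmp" };
static const int LIMIT_PER_HOUR[NPROTO] = { 15, 20, 50 };   /* assumed limits */
#define HOUR 3600L

struct flow { long t; enum proto proto; const char *src; const char *dst; int dport; };
struct honeypot { const char *addr; long window_start; int out[NPROTO]; };

/* The honeynet's two victims (assumed addresses); window_start < 0 = no traffic yet. */
static struct honeypot honeypots[] = {
    { "10.0.0.10", -1, { 0 } },
    { "10.0.0.11", -1, { 0 } },
};

char gw_log[160];   /* capture record written for the most recent decision */

static struct honeypot *find_honeypot(const char *addr)
{
    for (size_t i = 0; i < sizeof honeypots / sizeof honeypots[0]; i++)
        if (strcmp(honeypots[i].addr, addr) == 0) return &honeypots[i];
    return NULL;
}

/* Decide one new flow at the gateway and write its capture record to `log`. */
enum verdict data_control(const struct flow *f, char *log, size_t loglen)
{
    struct honeypot *src_hp = find_honeypot(f->src);
    struct honeypot *dst_hp = find_honeypot(f->dst);
    const char *pn = PROTO_NAME[f->proto];

    if (src_hp == NULL && dst_hp != NULL) {           /* inbound: let the attacker in */
        snprintf(log, loglen, "IN  allow %s %s -> %s/%d", pn, f->src, f->dst, f->dport);
        return ALLOW;
    }
    if (src_hp != NULL) {                             /* outbound from a honeypot */
        if (src_hp->window_start < 0 || f->t - src_hp->window_start >= HOUR) {
            src_hp->window_start = f->t;               /* new hour: counters restart */
            memset(src_hp->out, 0, sizeof src_hp->out);
        }
        int limit = LIMIT_PER_HOUR[f->proto];
        if (src_hp->out[f->proto] >= limit) {         /* over budget: drop, say nothing */
            snprintf(log, loglen, "OUT drop  %s %s -> %s/%d (%d/h limit reached)",
                     pn, f->src, f->dst, f->dport, limit);
            return DROP;
        }
        src_hp->out[f->proto]++;
        snprintf(log, loglen, "OUT allow %s %s -> %s/%d (%d of %d this hour)",
                 pn, f->src, f->dst, f->dport, src_hp->out[f->proto], limit);
        return ALLOW;
    }
    snprintf(log, loglen, "--  drop  %s %s -> %s/%d (not honeynet traffic)",
             pn, f->src, f->dst, f->dport);
    return DROP;
}

/* Convenience: decide a single flow, logging into gw_log. */
enum verdict decide(long t, enum proto p, const char *src, const char *dst, int dport)
{
    struct flow f = { t, p, src, dst, dport };
    return data_control(&f, gw_log, sizeof gw_log);
}

/* Replay n outbound flows from src one second apart from t0; return how many
 * the gateway allowed (gw_log holds the record of the last one). */
int replay_outbound(const char *src, enum proto p, long t0, int n)
{
    int allowed = 0;
    for (int i = 0; i < n; i++)
        if (decide(t0 + i, p, src, "192.0.2.40", 80) == ALLOW) allowed++;
    return allowed;
}

int main(void)
{
    decide(1000, PROTO_TCP, "198.51.100.7", "10.0.0.10", 22);
    puts(gw_log);                                   /* attacker's SSH login is let in */
    printf("outbound tcp allowed in the first hour: %d of 20\n",
           replay_outbound("10.0.0.10", PROTO_TCP, 1001, 20));
    puts(gw_log);                                   /* the record of the drop */
    printf("after the hour rolls over: %d of 1\n",
           replay_outbound("10.0.0.10", PROTO_TCP, 1001 + HOUR, 1));
    return 0;
}
```

Dropping rather than rejecting the excess keeps the control invisible to the attacker: from inside the honeypot the connection simply times out, as it would on a flaky network, rather than producing an ICMP error that points to a filtering gateway. Per-protocol counters mean a burst of UDP scanning does not exhaust the attacker's TCP budget, so the honeynet keeps collecting data after the attacker's first outbound attempts.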
V. RESEARCH PROPOSAL

Cyber forensics is a problem of great significance to information infrastructure protection, because computer networks are at the heart of the operational control of many mission-critical operations. Analysing network activity in order to discover the source of security policy violations or information assurance breaches is critical. Capturing network activity for forensic analysis may be perceived as trivial, but it is relatively difficult in practice: not all the information captured or recorded will be useful for analysis. Our research concerns network forensics, offline intrusion analysis and the related issue of identifying important input features for computer forensics and intrusion detection. Honeypots not only help in understanding the motives and behaviour of the blackhat community but, in certain cases, also allow cyber criminals to be traced back, with evidence of the process and method they used to compromise the system, in a proactive manner. We endeavour to create an automated network forensic system that uses high-interaction honeypots at its core.

VI. CONCLUSION

In this paper we provided a concise overview of honeypots and their uses. We discussed the various classifications and categories of honeypots, namely research, production, low-interaction and high-interaction honeypots. We also looked in detail at the monitoring methods used by two different high-interaction honeypot systems, Sebek and the honeynet. Although honeypots have been an active area of research for a decade, they are gaining popularity owing to the analysis tools and the capture and detection techniques that are becoming invaluable in the world of cyber crime and network forensics.

REFERENCES

P. Baecher et al., "The nepenthes platform: An efficient approach to collect malware," in Recent Advances in Intrusion Detection (RAID), 2006, pp. 165-184.
I. Kuwatly et al., "A dynamic honeypot design for intrusion detection," in IEEE/ACS International Conference on Pervasive Services (ICPS 2004), 2004, pp. 95-104.
L. Spitzner, "Honeypots: simple, cost-effective detection," SecurityFocus InFocus article, http://www.securityfocus.com/infocus/1690, 2003.
I. Mokube and M. Adams, "Honeypots: concepts, approaches, and challenges," in Proceedings of the 45th Annual Southeast Regional Conference (ACM-SE 45), Winston-Salem, North Carolina, 2007, pp. 321-326.
P. Gupta et al., "Securing WMN using Honeypot Technique," International Journal on Computer Science and Engineering, vol. 4, pp. 235-238, 2012.
N. Sharma and S. S. Sran, "Detection of threats in Honeynet using Honeywall," International Journal on Computer Science and Engineering (IJCSE), vol. 3, pp. 3332-3336, 2011.
N. Provos, "Honeyd - a virtual honeypot daemon," in 10th DFN-CERT Workshop, 2003.
Netsec. (2012, 15th March). Specter. Available: http://www.specter.com/default50.htm
KFSensor. (2012, 15th March). KFSensor: Advanced Windows Honeypot System. Available: http://www.keyfocus.net/kfsensor/
H. Saini et al., "Extended Honeypot Framework to Detect old/new cyber attacks," International Journal of Engineering Science (IJEST), vol. 3, pp. 2421-2426, 2011.
A. N. Singh and R. Joshi, "A honeypot system for efficient capture and analysis of network attack traffic," in International Conference on Signal Processing, Communication, Computing and Networking Technologies (ICSCCN), 2011, pp. 514-519.
The Honeynet Project. (2012, 1st March). The Honeynet Project. Available: http://www.honeynet.org
P. S. Huang et al., "Design and implementation of a distributed early warning system combined with intrusion detection system and honeypot," in Proceedings of the 2009 International Conference on Hybrid Information Technology (ICHIT '09), 2009, pp. 232-238.
G. Portokalidis et al., "Argos: an emulator for fingerprinting zero-day attacks for advertised honeypots with automatic signature generation," ACM SIGOPS Operating Systems Review, vol. 40, pp. 15-27, 2006.
K. Sadasivam et al., "Design of network security projects using honeypots," Journal of Computing Sciences in Colleges, vol. 20, pp. 282-293, 2005.
L. Spitzner, "Know your enemy: A forensic analysis," http://www.securityfocus.com/focus/ih/articles/foranalysis.html, 2000.
M. Meijerink and J. Spellen, "Intrusion Detection System honeypots," Master Program System and Network Administration, University of Amsterdam, Amsterdam, 2006.
TCPDUMP. (2012, 16th March). TCPDUMP. Available: http://www.tcpdump.org
Ethereal. (2012, 1st March). Ethereal: A Network Protocol Analyser. Available: http://www.ethereal.com
X. Jiang and X. Wang, "Out-of-the-box monitoring of VM-based high-interaction honeypots," in Proceedings of the 10th International Conference on Recent Advances in Intrusion Detection (RAID'07), Gold Coast, Australia, 2007, pp. 198-218.
J. Corey. (2003). Local honeypot identification. Fake Phrack Magazine, http://www.ouah.org/p62-0x07.txt.