Survey of High Interaction Honeypot Tools Merits by iinventers


More Info
									   Survey of High Interaction Honeypot Tools: Merits
                   and Shortcomings

              Abdulrazaq Almutairi (Author)                                   Prof. David Parish, Dr. Raphael Phan (Coauthors)
 School of Electronic, Electrical and Systems Engineering                    School of Electronic, Electrical and Systems Engineering
                Loughborough University                                                     Loughborough University
              Leicestershire, UK LE11 3TU                                                 Leicestershire, UK LE11 3TU
             Email:                                    Email:,

Abstract—Honeypots are the defined as fictional vulnerable              services and host attacks include unauthorised logins, setup of
systems that present themselves as generic system that can be           malware, access to files and changing of privileges.
used for the purpose of unauthorized / illicit use by abusers           Unlike common IDSs, honeypot technology tends to provide
where the objective is to study their attack / system                   the attacker with important resources that needed for a
compromising methodology and to gather forensic information.
                                                                        successful attack. Honeypot or honeynet based decoy system
Honeypots system are categorized based on the level of
interaction as low, medium or high interaction based honeypots          is implemented for the purpose of intrusion detection and
where high-interaction honeypots offer functionality to collect a       protection.
large amount of information about attackers viz. attack strategy,           A honeypot is difficult to define as there are number of
actions, tools, origin, identity etc. that suits the needs of the       interpretations that have been understood from the literature
forensics data analyst making high interaction honeypot tools           which include domains of attack prevention, attack detection,
very useful. However, tools from this category also introduce           data collection in context of security. It is distinctive as it is
high level of risk with regard to putting other machines in high-       technology and not a solution or procedure / process to resolve
risk position as well as from data analysis perspective making it       a particular security issues. A honeypot is a trap set to detect,
very difficult to analyse captured data due to level of flexibility /   deflect or in some cases counteract the attempts of
interaction provided to attacker. This paper discusses features of      unauthorised usage of production systems. It appears to be part
various high interaction honeypot tools available to researchers        of a network but remains isolated and protected. Its value lies
and compares them using a detection method. It has been                 in being probed, attacked and compromised [3]. Hence,
realised that most of the tools have similar features other than        honeypots has no production value and they should not work
data analysis functionality that vary between tools.
                                                                        with any legitimate traffic or events. According to [4], the
                                                                        purpose of honeypot or monitored honeynet networks include
   Keywords-Honeypots, High Interaction Honeypots, Forensic
                                                                        the following:
                                                                        1.   They form a defensive distraction system in order to direct
             I.    INTRODUCTION AND BACKGROUND                               an attacker towards machines containing no valuable
Information security is becoming a primary concern in this age               information;
of information. The classical method of security that was more
                                                                        2.   They serve the purpose of a early warning system that can
or less defensive is now being scaled to more aggressive                     inform about exploitation trends; and
defence format. Intrusion detection is a process of monitoring
networks and machine within the network for unauthorised                3.   They become a data collection store that can be used to
usage and / or activity.                                                     examine the methods and processes of exploitation of a
Reference [1] explains Intrusion Detection Systems (IDSs) as                 honeypot.
system for detection of unwanted manipulation to system. This           The interaction with honeypots is expected from attackers;
manipulation may be in form of attack by an attacker or                 hence the value of honeypot lies in unauthorised interaction
simply by use of malicious script that changes the fingerprint          conducted by abusers of the vulnerable honeypot.
of the system under attack [2]. Typically, an IDS is required           Another term that is used regularly with honeypots is
for detection of all malicious traffic that cannot be detected by       Honeynet that means a network that is formed of one or more
generally deployed tools such as firewall. IDSs are categorised         honeypots [5]. Honeypots are classified based on level of
into host-based (HIDS) – where data on individual computer              interaction and purpose. Further details regarding the same are
system is examined and network-based (NIDS) – where                     discussed in Section 3.
analysis of data packets that transit over the network is carried       This paper has been organised as follows: In Section 2, we
out. According to [1], various types of network attacks include         discuss various types of honeypots followed by Section 3
data driven attacks on applications and network attack on               where details regarding monitoring methods used by

ISBN: 978-1-902560-26-7 © 2012 PGNet
Honeypots is discussed in detail. Section 4, enumerates
advantages and shortcomings of Honeypots / Honeynet and
Section 5 presents brief discussion about research being
conducted by the author. Finally, Section 6, concludes the
paper along with discussion regarding future of Honeypots.
Honeypots can be classified based on the level of interaction
(low and high) and based on their purpose (research and
production). The level of interaction defines the extent of
activity honeypot allows an attacker.
A. Level of Interaction
   1) Low-Interaction Honeypots
A low-interaction honeypot simulates only limited services
that cannot be exploited enough to gain total control of the       Figure 1. Control panel for specter tool showing services that may be
                                                                   emulated (Source: [8])
honeypot [6]. The low level honeypot provides emulating
services and operating system to the attacker, which makes it
easier to deploy, and maintain. Example of emulated services
include FTP service, listening on port 21 (Telnet), login to
FTP server etc. The emulated services mitigate risk by
containing the attacker’s activity. The interaction between this
type of honeypot and production system is very limited. These
type of honeypots can be compared to passive IDS as network
traffic is not modified in any way and they do not interact with
the attacker thus mitigating the risk associated with this
category of honeypots[4]. Generally, low-interaction
honeypots are used to analyse spammers and can also be used
for providing countermeasures against worms.
     A well-known example of a commercial low interaction
honeypot is Honeyd [7]. Honeyd [7] is a daemon that can used
to simulate a large network on a single network host. It is a
framework for creating virtual honeypots using unused IP
addresses of a network, which simulates various operating
                                                                      Figure 2. HTTP service emulation setup using KFSensor (Source: [9])
systems and services. Other low-interaction honeypot include
Specter [8] and KFSensor [9]. Specter can monitor a total of 14
                                                                   capture extensive amounts of information by allowing the
TCP ports and of these 14 monitored ports, 7 ports are called
                                                                   attackers to interact with real systems [11]. This facilitates
traps, and the other 7 are called services. Traps are port
listeners: when the attacker makes a connection, the attempt is    capturing / logging of full extent of attacker’s behaviour that
terminated, and then logged. Services are more advanced            can be analysed at later stage. According to [11], as the
where there is interaction with the attacker, emulating the        attacker has more resources to exploit at his disposal, a high
application [8]. The level of emulation depends on each            interaction honeypot should be regularly monitored to ensure
service. For example, the HTTP service emulates a simple Web       that it does not become a security issue.
server with default static Web pages. Figure 1, shows the          Example of high interaction honeypots include Honeynets [12],
control panel for low-interaction honeypot tool – Specter.         Sebek [13], Argos [14] etc. Argos offer a full operating system
KFSensor simulates system services at the application layer        to the attacker and when the attackers tries to do something
[2]. Reference [9] explains the methods in which KFSensor can      malicious the honeypot will shut down and makes dumps of
be used to setup new firewall rules. Figure 2, shows the HTTP      memory and disk to get information about what the attacker
service emulation within low interaction honeypot tool –           was trying to do [1]. A greater detail regarding the high
KFSensor.                                                          interaction monitoring methods is discussed in Section 3.

  2) High-Interaction Honeypots                                    B. Purpose of Honeypot
High interaction honeypots are complex solutions, which               1) Research Honeypot
include deploying of a real operating systems and applications     A research honeypot is used to gain the information about the
[10]. As it involves real operating system, the level of risk is   attacker’s community and does not add any direct value to the
increased by many folds, but it is a trade-off in order to         organisation [15]. The purpose of research honeypots is to
                                                                   gather intelligence regarding general threats that an
                                                                   organisation may face and hence allow organisation to protect
                                                                   itself in a better form against those analysed threats. The
primary function is to study the method how attacker attacks,                   such as TCPDUMP [18] and Ethereal [19]. In the host-based
understand their objectives and behaviour [10]. These type of                   method, specialised sensors are deployed within the honeypot
honeypots are like high-interaction honeypots that are                          in order to monitor and record system events.
complex to deploy and difficult to maintain. They are                           It should be noted that both approaches have their strengths
generally used within research and commercial community in                      and weakness. For instance, the network-based approach
addition to military and defence organisations. According to                    though being transparent and invisible to the attacker can sniff
[4], they add tremendous value to research providing a                          packets by being deployed outside the honeypot but it cannot
platform to study cyber threats and attacks. They may also be                   capture internal system events on a vulnerable honeypot.
suitable for aiding in development of analysis and forensic                     Furthermore, it may be ineffective or perform at lower
skills. [16] provides the instance where honeypot was used as                   effectiveness, if the network data traffic is encrypted. On the
a forensic analysis for DNS attack.                                             other hand, the host-based method, if detected by the attacker
   2) Production Honeyppots                                                     can be tampered with, thus leaving it ineffective.
Production honeypots are used within the environment of a                       Data capture modules in high interaction honeypots deals with
organisation to protect the information assets of the                           collection and recording of all the activities of Honeypot. It
organisation and help in mitigation of risk [15]. Unlike                        deceives the intruder by capturing all activity within honeypot
research honeypots, they have direct values as they provide                     without attacker knowing about any monitoring i.e. with
security to organisation’s production resources. As they do not                 introduction of decoy systems.
require a large amount of functionality, they are not too
                                                                                A. Sebek
complex to deploy or maintain and consequently, they are
unable to provide a large amount of information regarding the
attackers. Their primary function is to mirror the production                   Sebek is a high interaction honeypot system that works as
network of the organisation and invite attackers to interact                    follows for the purpose of monitoring:
with them, so that vulnerabilities of the network can be                        • Sebek installs as a loadable hidden kernel module that
exposed. They are considered to add value to detection of                            would capture all host activities. As a result of
attacks rather than prevention of attacks. One the examples of                       installation, Sebek, replaces a number of sensitive system
production honeypot is Nepenthes [17].                                               calls in the original operating system. For instance, in the
                                                                                     latest Sebek development for Linux 11 system calls have
                 TABLE I.        CLASSIFICATION OF HONEYPOTS                         been replaced viz: sys_open, sys_read, sys_readv,
                                                                                     sys_pread64, sys_write, sys_writev, sys_pwrite64,
Classification                                                                       sys_fork, sys_vfork, sys_clone, sys_socketcall [20]. The
                       of         Examples          Brief Description
of Honeypot
                   Honeypot                                                          hashtable for system calls is updated / hijacked by Sebek
                                              A low-interaction honeypot             with its own system handlers as shown in Figure 3.
                      Low                     simulates only limited services
                   Interaction                that cannot be exploited
                    Honeypot                  enough to gain total control of
  Level of                                    the honeypot.
 Interaction                                  High interaction honeypots are
                                                                                    Figure 3. Instance of modified sys_read system call after loading of Sebek
                      High        Honeynet,   complex solutions, which
                   Interaction     Sebek,     include deploying of a real
                    Honeypot       Argos      operating systems and             •    Upon successful replacement of system calls by Sebek, it
                                              applications.                          would intercept any subsequent invocations of above
                                              A research honeypot is used to         mentioned system calls and capture the arguments as well
                                              gain the information about the
                                  Honeynets   attacker’s community and
                                                                                     as any context information such as PID. After capturing,
                    Honeypot                                                         Sebek invokes system call handlers and execute the
                                              does not add any direct value
 Purpose of
                                              to the organisation.                   system call together with passed arguments in order to
                                              Production honeypots are used          complete requested service call.
                                              within the environment of a
                   Production                 organisation to protect the
                                                                                • All collected information about invoked replaced system
                                  Nepenthes                                          calls would be sent to remote Sebek server so that it can
                   Honeypot                   information assets of the
                                              organisation and help in               analysed in real time or saved for later analysis.
                                              mitigation of risk.               Figure 4, shows the Sebek based approach to honeypot
                                                                                For the purpose of monitoring the malicious activity in the
                                                                                honeypot, the internal sensors like Sebek need to be
                                                                                transparent and tamper-resistant. However, as mentioned
Honeypot monitoring is a very important component of any                        before, it case of comprise, attacker may introduce anomalies
honeypot deployment. There are two methods that used for                        such as [20]:
monitoring of honeypots viz. external method (network-based)                    • modification of replaced system call table,
and internal method (host-based). In the network-based                          • inconsistency in statistics transmitted by honeypot,
method, all packets that are sent to or received from the                       • Unsebek [21] of a honeypot system.
monitored honeypot are captured and traffic sniffing tools
                                                                                 that all traffic can flow in and out of honeynet without
                                                                                 attackers detecting control activities [1].
                                                                            •    Data Capture: This part captures all activities within the
                                                                                 honeynet and the data entering and leaving the honeynet
                                                                                 without attacker knowing that they are being monitored.
 Figure 4. Sebek based approach in honeypot monitoring in context of HTTP        All the activities of the attacker are logged and the
                              (Source: [20])                                     captured data is analysed to understand vulnerabilities and
                                                                                 motives of the attacker.
                                                                            •    Data Collection: All captured data is forwarded to a
                                                                                 centralised data collection point. This facilitates captured
                                                                                 data to be collected, analysed and archived at one
                                                                                IV.   ADVANTAGES AND DISADVANTAGES OF HONEYPOTS
                                                                            Upon understanding about background and detection of
                                                                            honeypots, following distinct advantages have been realised as
                                                                            compared to other security systems [12]:
                                                                            • Small Data Sets: Honeypots are always interested in the
                                                                                traffic that arrived to them rather than the traffic overload
                                                                                that is generally observed in production systems, where it
                                                                                is difficult and complex task to differentiate between
                                                                                legitimate and illegitimate packets. Overall, it collects
                                                                                small data sets of high value.
                                                                            • Catch new attacks, false negatives: As honeypots capture
                                                                                everything arriving to them, they are capable of catching
                                                                                new tactics and attack methods which may previously be
                                                                                considered false negatives.
                                                                            • Work in encrypted or IPv6 environments: Honeypots
                                                                                have been tested to work with encrypted traffic as well as
                                                                                have scaled to IPv6 environments.
                                                                            • Minimal Resources: As only limited data is captured, a
                                                                                high-end set of resources is not required in case of
                                                                                honeypots. It is a simple concept tat requires minimal
              Figure 5. Honeywall architecture (Source: [12])
B. Honeynets                                                                Some of the disadvantages associated with honeypots as
                                                                            compared to other security system / approaches are as follows
Honeynet is a high interaction honeypot developed by The
Honeynet Project [12] in order to capture information on the
                                                                            • Limited field of View (Microscope): It is inherent to
network. The primary purpose of the honeynet is to gather
                                                                                honeypots that the only activity or data captured by them
information on security issues. It acts as a gateway called
                                                                                is when the attacker directly interacts with them. Attacks
Honeywall, by collecting data from and to the honeypots on
                                                                                happening on the other parts of honeypot network is
the network.
                                                                                unknown to a particular honeypot.
Figure 5, shows the honeywall gateway that forms the main
part of the Honeynet and work by capturing all the traffic                  • Risk (mainly high-interaction honeypots): Though
entering or leaving the honeypot network. It separates the                      unlikely in low-interaction honeypots but in case high
honeypots victims from rest of the network. According to [1],                   interaction honeypots, as the deployment of a real
it can be configured as layer 2 or layer 3 routing gateway,                     operating systems and applications is committed, in
however layer 3 configuration is preferred as in bridge mode it                 scenarios of compromise, parts of production network
is difficult to be detected by the attackers as the gateway                     may be attacked that could be a major concern for an
would not have any IP address associated with itself. A highly                  organisation.
controlled network where every packet entering or leaving is                                   V.    RESEARCH PROPOSAL
monitored, captured, and analyzed consists of data control,
data capture and data analysis.                                             Cyber forensics is a problem of great significance to
• Data Control: In a scenario where a honeypot deployed                     information infrastructure protection because computer
     within honeynet is compromised, honeynet have to                       networks are at the heart of the operational control of much of
                                                                            the mission critical operations. Analysing network activity in
     contain all the activities and ensure that production
                                                                            order to discover the source of security policy violations or
     systems are not harmed in anyway. It should be ensured
                                                                            information assurance breaches is very critical. Capturing
network activity for forensic analysis may be perceived trivial,              [6]    N. Sharma and S. S. Sran, "Detection of threats in Honeynet using
                                                                                     Honeywall," International Journal on Computer Science and
but it is relatively difficult in practice. Not all the information
                                                                                     Engineering (IJCSE), vol. 3, pp. 3332-3336, 2011.
captured or recorded will be useful for analysis. Our research                [7]    N. Provos, "Honeyd-a virtual honeypot daemon," in 10th
concerns with network forensics, offline intrusion analysis and                      DFNCERT Workshop, 2003.
the related issue of identifying important input features for                 [8]    Netsec.      (2012,      15th    March).      Specter.     Available:
computer forensics and intrusion detection. Honeypots can not
                                                                              [9]    KFSensor. (2012, 15th March). KFSensor: Advanced Windows
help in understanding the motives and behaviour of blackhat                          Honeypot System. Available:
community but also in certain cases trace back to cyber                       [10]   H. Saini, et al., "Extended Honeypot Framework to Detect old/new
criminals with evidence of process / method they use for                             cyber attacks," International Journal of Engineering Science
compromising the system in a proactive manner. We                                    (IJEST), vol. 3, pp. 2421-2426, 2011.
                                                                              [11]   A. N. Singh and R. Joshi, "A honeypot system for efficient capture
endeavour create an automated network forensic system that                           and analysis of network attack traffic," in International Conference
would use high interaction honeypots at its core.                                    on Signal Processing, Communication, Computing and Networking
                                                                                     Technologies (ICSCCN), 2011, 2011, pp. 514-519.
                         VI.    CONCLUSION                                    [12]   T. H. Project. (2012, 1st March). The Honeynet Project. Available:
In this paper we provided a concise overview of honeypots                     [13]   P. S. Huang, et al., "Design and implementation of a distributed
and their uses. We also discussed various classifications and                        early warning system combined with intrusion detection system
categories of the honeypots namely research, production, low-                        and honeypot," in Proceedings of the 2009 International
                                                                                     Conference on Hybrid Information Technology ICHIT '09 2009,
interaction and high interaction honeypots. We also looked in                        pp. 232-238.
detail into detection methods used by two different high                      [14]   G. Portokalidis, et al., "Argos: an emulator for fingerprinting zero-
interaction honeypot systems viz. Sebek and Honeynet.                                day attacks for advertised honeypots with automatic signature
Although, honeypots have been active area of research for a                          generation," ACM SIGOPS Operating Systems Review, vol. 40, pp.
                                                                                     15-27, 2006.
decade, but they are gaining popularity due to degree of                      [15]   K. Sadasivam, et al., "Design of network security projects using
analysis tools and capturing and detection techniques that are                       honeypots," Journal of Computing Sciences in Colleges, vol. 20,
becoming invaluable in the world of cyber crime and network                          pp. 282-293, 2005.
forensics.                                                                    [16]   L. Spitzner, "Know your enemy: A forensic analysis," URL:
                                                                                     http://www. securityfocus. com/focus/ih/articles/foranalysis. html,
                            REFERENCES                                               2000.
                                                                              [17]   P. Baecher, et al., "The nepenthes platform: An efficient approach
[1]      M. Meijerink and J. Spellen, "Intrusion Detection System                    to collect malware," in Recent Advances in Intrusion Detection,
         honeypots," Master Program System and Network Administration,               2006, pp. 165-184.
         University of Amsterdam, Amsterdam, 2006.                            [18]   TCPDUMP. (2012, 16th March). TCPDUMP. Available:
[2]      I. Kuwatly, et al., "A dynamic honeypot design for intrusion      
         detection," in IEEE/ACS International Conference on Pervasive        [19]   Ethereal. (2012, 1st March). Ethereal: A Network Protocol
         Services, 2004. ICPS 2004, 2004, pp. 95-104.                                Analyser. Available:
[3]      L. Spitzner, "Honeypots: simple, cost-effective detection,"          [20]   X. Jiang and X. Wang, "Out-of-the-box monitoring of VM-based
         SecurityFocus                   InFocus                   Article,          high-interaction honeypots," in Proceedings of the 10th, 2003.                            international conference on Recent advances in intrusion detection
[4]      I. Mokube and M. Adams, "Honeypots: concepts, approaches, and               RAID'07 Gold Goast, Australia, 2007, pp. 198-218.
         challenges," in Proceedings of the 45th annual southeast regional    [21]   J. Corey. (2003) Local honeypot identification. Fake Phrack
         conference ACM-SE 45, Winston-Salem, North Carolina, 2007, pp.              Magazine
[5]      P. Gupta, et al., "Securing WMN using Honeypot Technique,"
         International Journal on Computer Science and Engineering, vol.
         4, pp. 235-238, 2012.

To top