Make the Intrusion detection system by IDS-AM-Clust, honeyd, honeycomb and honeynet

Transcription

1 Make the Intrusion detection system by IDS-AM-Clust, honeyd, honeycomb and honeynet CHAIMAE SAADI*, HABIBA CHAOUI ** Systems Engineering Laboratory, Data Analysis and Security Team National School of Applied Sciences, Campus Universitaire, B.P 241, Kénitra14000, Morocco Abstract Over the last decade, and with the complexity of computer systems, information is the main informational assets to protect against theft, loss, falsification and the vulnerabilities of systems. Therefore, the challenge scientists, security researchers are to set up devices and computer systems security tools. In this work, we have tried to address the problem of security with a new architecture that combines a honeypot to weak interaction with a honeypot to high interaction called Honeynet by integrating a mobile agent-based intrusion detection system and algorithm of datamining Clust-density. Tests and results have given satisfaction through increase in detections and minimization of false positive and negative rates. To do this, we must invest in automated systems to automatically detect new attacks. Keywords:IDS, Agent mobiles, Clust-density, honeypot, honeynet, honeyd,honeycomb Introduction In the literature, various definitions are adjusted on the honeypots. Lance Spitzner defines the honeypot as follows: "a honey pot is a secure resource that is implemented and which is designed to attract hackers to be attacked or compromised" [1]. Then a honeypot is a system developed to be probed, compromise and attacked in order to study the behavior of hackers, their techniques and to evaluate the system in which it is being implemented by simulating a machine or a vulnerable network [2] The idea behind a honey pot is simple. It comes to establish a way to control the attacks and the activities of the attackers by giving them access to some services. Sometimes emulated, so they can interact with them while limiting the damage caused by these attacks that the attacker cannot access the actual production servers. However, the quantity and quality of the information collected is directly proportional to the degree of interaction offered by the honeypot. therefore, if the services are very limited, the honey pot is not very attractive to gather good information put in place in order to detect intruders [3]. Therefore, a single Honeypot cannot guarantee a highly secure system. To do this, most of the work address the concept of the collaboration of honeypots and IDS to better focus in the analysis of traffic and to generate several attack signatures and subsequently to enrich the IDS this information base. Its work is based on the qualitative distinction between the attack signatures. Furthermore, our approach is designed to present a combination of IDS based on mobile agents and Clust-density combined with a weak interaction the honeyd with the honeycomb plugin and also with the honeypot in high interaction.the proposed approach dynamic, adaptable and allows to ISBN:

2 obtain an overview the new attacks by a mobile agent-based intrusion detection system and algorithm of datamining Clustdensity implemented [4]. This paper is organized as follows: the first party the different security adopted tools in our system also the operation of each. Subsequently a second section which summarizes the tests carried out and the results obtained by our proposed system. I. Tools and methods In this section, we present the various security tools such as: 1. Intrusion detection based on mobile agents and Clust-density IDS-AM-Clust: To improve the capacity of intrusion detection systems based on mobile agents [5] or Clust-density of [6], this intrusion detection system is to fuse the two latest technologies [5] [6]: mobile agents-based detection and detection to Clust-density in a single IDS database named "IDS-AM- Clust" whose purpose is to combine two scenarios detection strategies, developed by the agent of detection by signature ADS that gave satisfaction to the level of intrusion detection known by the use of the library's signature and also by the integration of Clust-density which also gave satisfaction to the level of the anomaly detection. This was the subject of a work already realized by our team [7]. The following figure (fig.1) shows the flow of network traffic process in our mobile agents using Clust-density: Figure1: Process of detecting intrusion by IDS-AM-Clust During our first connection, interface agent listens to network traffic in order to put a filter on the packets collected. Then, the agent of detection by scenarios analysis collected and filtered traffic to detect network connections that match the attacks whose signatures are available; If the problem is resolved, the system triggers an alert detection, otherwise it passes this traffic to the behavioral detection officer who offers the combination of IDS distributed with a Clust-density-based ISBN:

3 behavioral detection technique that is divided into two phases: a learning phase is to identify the normal behaviour of the users of the network. After the learning phase, an evaluation phase comes to distinguish among new patterns identified, those who are normal and those that are abnormal. Subsequently, extraction of the Rules agent summarizes network which are identified as abnormal by the ADC connections and feeds the signature library and finally the report agent transmit messages (report, log, alert) to the system administrator. The development of this system was using Sun Java Develop Kit 7 and 3.7 platform JADE (Java Agent Development) that simplifies the implementation of multiagent systems [7].In addition, Open source library used is the JPCAP Honeypot According to Lance Spitzner A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. [8]. From this definition it is clear that Honeypot is a system set to be probed, attacked and compromised to study the behavior of hackers, their techniques and to evaluate the system in which is implemented by simulating a machine or an entire network vulnerable. Honeypots can be classified according to two criteria: production honeypot and research honeypot. Production honeypots are used in companies and businesses to detect attacks from outside and research honeypots that are used by researchers wanting to study the activities of hackers [9]. Also they can be classified according to the interaction with attackers; here we can find three types of honeypot. Low-interaction Honeypot: emulates false vulnerable services and don t interact with attackers. Medium-interaction Honeypot: emulates false vulnerable services and interact with attackers by false request High-interaction Honeypot: Unlike the previous two types, high interaction honeypots are not based on emulation services or operating systems. Instead, they rely on a real operating system or real services that attackers can interact with [10]. 3. Honeyd It is a low interaction honeypot, that mains no real operating system to allow hackers to gain access in, it just simulates services. It is configured as a production honeypot and used for detection of attacks and unauthorized activities. With this tool it is possible to install one or more virtual honeypots low interaction with different personalities (systems) and services on a single machine, combining their IP addresses that are not yet used in the real network. Another advantage is its ability to control millions of IP addresses and to declare several thousand others at the same time [8]. 4. Honeynet Honeynets represent the extreme highinteraction honeypots. It not only provides the attacker with a full operating system to attack and interact with, it can also provide several honeypots. A honeynet is a combined network of honeypots with a set of security mechanisms such as firewalls, IDS, log servers, etc. It gives the appearance of a complex production environment with faults and relevant information used to attract and trap the ISBN:

4 attackers. The network controlled captures all the activity that happens in the honeynet and decreases the risk by using mechanisms such as the limitation of output connections. Honeynet is not a product that installs a device or is deposited on our network. Honeynet is an architecture that builds a highly controlled network in which you can place any system or application you want. The heart of the honeynet network is called honeywall that monitors them [11] a. Generations of honeynet The alliance project has developed three generation architectures of Honeynet that were presented as honeynet generations. The first generation GEN I was the first architecture developed in It aims to control the data and to ensure that the attacker can t attack the non-honeypot system, but these features are limited because we accept all input packets but we ignore the output connections 5 to 10 connections to avoid risk. This limitation on outgoing connections can allow attackers to detect the existence of the Honeynet. Another limitation regarding encrypted attacks, in this generation we don t have the tools to decipher these attacks [12]. For this, the Honeynet community reflected on the second generation. In 2002 GenII Honeynets was developed to solve problems of GenI. To resolve the limitations of the first generation GenI (exactly the limitation of output connections), the second generation GenII uses a sensor <honeywall>. This sensor is a combination of a firewall and an IDS intrusion detection system. In this case, the sensor plays a role as a bridge between two or more networks. With this combination, the attacker can t perceive that is in a honeynet network because the TTL is not decremented. But the problem in this architecture is hard to deploy and maintain, also data format was incomprehensible [13]. Over the years, attempts have been made to make honeynets easier to deploy. The intention was to automate honeynet deployments by bringing all tools and requirements into one CD called ROO. This version is considered a third generation GenIII, this generation contains the core GenII Data Control and Data Capture functionality, the only difference between them is the addition Hflow that is installed in Honeywall [14] [10]. b. Objectives of a Honeynet Data Control: Snort and snort-inline is used as data control tool. Snort-Inline in combination with netfilter/iptables operates as a bridging firewall to send packets to user space for processing. Data Capture: Sebek is used as a data capturing tool. It works in client-server architecture. Sebek server is installed by default in the honeywall gateway while sebek client is installed on the honeypot. Sebek is used to monitor keystrokes, file reads, writes, socket calls and process creation calls even when session encryption is used. Data Analysis: Hflow is a data gathering tool for honeynet/network analysis. It allows gathering data from snort, p0f, sebekd into a unified cross related data structure stored in a relational database. Walleye is used too as data analysis tool. The interesting thing to note is that walleye interface is remotely accessible from any machine. The only requirement is to access the desired port on honeywall from which data is to be transferred [15]. ISBN:

5 c. Sebek The goal of Sebek is to determine information after the attacker compromises a system. To reach this goal, the most interesting information logged is Keystrokes'. The case in which the protocol does not use encryption technique, we can use a sniffer or tcpdump to listen to traffic under 'Honeywall'. But with encrypted sessions this technique is not useful. The solution proposed by Sebek is thatit listens the encrypted sessions on the compromised machine. Sebek packet These data are normalized and stored in the database. Figure 3: How Hflow works Figure 2: Sebek architecture Sebek has two components: Sebek clients and one or more servers Sebek. The client Sebek decrypt encrypted information, and it sends information to the server. The server captures this information from two resources: one Sebek daemon and the other is tcpdump. Once this information is collected it is sent to a database (in the Honeywall is mysql server) [16]. d. Hflow Hflow is a daemon that works by merging the input data that are: Pcap data Event Snort IDS From standardized data we can identify the type of OS for each stream, and IDS events combined with the stream (if it exists in the Snort signature based) and processes on each honeypot and the file descriptor concerned the stream. Edward G. Balas and his team have built a web interface to see the results. With this tool you can monitor connections in both directions combined flow of IDS events and also full of OS, the key-strokes and a lot of interesting reports [17]. II. Environnement de travail After the definition of the system honeypot of high interaction honeynet in high interaction we try in this work to test the performance in the intrusion detection. Therefore, we will work on a system presented by a model characterized by a honeywall integrating a snort IDS, while we proceeded to update the system IDS ISBN:

6 existing our IDs previously study IDS- AM-Clust 1. Test of model: our work environment will be based on the honeypot to high interaction 'honeynet" with a mix of honeypot weak interaction "honeyd" and subsequently the collaboration of these two types of honeypots with our system of intrusion detection based on mobile agent and Clustdensity in order to build our own network environment that will offer us a highquality intrusion detection and high accuracy of the security of computer systems. Figure 4 : proposed system Used equipment: our architecture is broken down into four areas: DMZ zone: where in installed web servers. Outer area: virtually internet and separate from other areas by a firewall and the honeywall that integrates our IDS-AM- Clust. Intranet zone: or was placed reviews posts Honeypot zone that contains the following facilities: client Sebek Honeyd Kali Linux These areas are separated by a honeywall horseback installed in an automatic way. It has downloaded the latest versionhoneywall - Roo 1.4 ISO image of https: //projects.honeynet.org/honeywall/ and has etched it in a CD which is bootable. ISBN:

7 There are two methods to configure the Honeywall: Menu to dialog: this interface is opened automatically when the first login as root after the installation. Either by typing the menu command on the console. Manually create honeywall conf: Honeywall Ro comes with the default configuration file, and your made your changes. Noting that IDS-AM-Clust is an update of the existing in the honeywall snort IDS. We proceeded to update Snort through the following steps: we set in motion the services found in the honeywall Then we installed and configured Snort by making the appropriate changes on the configuration (snort Conf, classification Conf, references Conf) files and file logs, subsequently we have added files matching our mobile in a single directory of snort agents, these files contain the functioning of each agent with its interconnection with snort, and another file with configuration of mobility and communication of mobile agents that the place in the snort configuration directory. These files are considered to be the increase in concrete of our honewall system. In addition, we have installed the honeyd to attract more pirates in our system to better test the functioning of the honeywall including IDS-AM-Clust. 2. Test and resultes a. Analyse of honeywall To access our Honeywall, we did used web interfae called Walleye. Walleye is a graphical user interface based on the Web that is used for the configuration, administration, and analysis of data in the Honeywall. We used this web interface to analyze inbound and outbound via a customer's Web browser by typing an IP address Figure 5: first detected traffic It switches to this interface to see is it has detected the attacks. Indeed, the dashboard displays with some details. In addition. Walleye has two main features: data analysis and system administration. Analysis of the data is used for parsing streams in real time, view all the incoming and outgoing flows, founded Sebek, flows of alert by the IDS-AM-Clust and activity summary by day. This interface also provides packet data downloading to the pcap format. As a first step, our honeywall detects traffic flowing through the network, but it does not notify when it comes to an attack. After several attempts, we have discovered that one must configure the IDS existing Snort through the application of updates of our IDS-AM-clust intrusion detection system. Once this is configured, the Honeywall will automatically download and install the new rules as well as convert the new rules for use with our system IDS. After this step, our Honeywall begins to detect intrusions and display alerts. The honeywall displays us the addresses IP of our honeypots (honeyd, Sebek client), so the attacking machineaddress. ISBN:

8 Tableau1: IP addresses of our honeypots network IP Host Connexion IDS events Kali linux Sebek Firewall Honeywall + IDS AM-Clust DMZ LAN Honeyd The present table of statistics for each host connected to our test environment with a detail of the IP addresses used, number of event IDS, and most interconnected IP ports. In addition, we can analyze a connection in detail by its particular IP address. Two tables 15 and 16 provide details about the connections in the order where they occurred, the oldest to the most recent connection at the bottom. Each line contains detailed information about each connection, including the type of IP source address initiating the connection of the operating system. All alerts related to the connection IDS are also listed. Tableau2 : source ports attacked Port sources Connexion IDS event Tableau3 : destination ports attacked Port destination Connexion IDS event ISBN:

9 Furthermore, honeywall interface also displays other types of tables that relate to the attack sources (tab), and the ports attacked destination (tab). These tables generate numbers of connections and events detected by the IDS-AM-Clust for each contested port. After analysis of the ports sources and destinations and events brought to our intrusion detection system we have come b. types of detected attacks out with results presented in the table below: Tableau4: Types of detected attacks DOS U2R R2L Prob IDS-AM-Clust 20% 9% 5% 15% Honeyd +IDS-AM-Clust 23% 9% 6% 17% Honeywal+honeyd+IDS-AM-Clust 33% 10% 7% 19% The results show that our new architecture based on the honeywall, IDS-AM-Clust and honeyd may well interact with attacks. Compared to the other systems studied previously, we are seeing an improvement in detection of types of attacks using this new system. In addition, the analysis of detection rates can be an asset to our system. c. Detection rates, false positive and negative After seeing the different types of attacks detected and filtered network traffic, the following table summarizes the results obtained at the level of intrusion detection and false positive and negative rates. Tableau5: detection rate of attacks Type d attaque Normal Anormal False positive False negative IDS-AM-Clust [7] 51% 49% 4% 3% Honeyd+honeycomb+IDS- 45% 55% 3% 2% AM-Clust[18] Honeywall+honeyd+IDS- AM-Clust 31% 69% 1% 0.5% It is important to remember that it is a qualitative assessment whose purpose is to identify and visualize the combinations of events that can lead to the robustness of the IDS. For a quantitative assessment, like illustrated in the following graph, the detection rate is still evolving by selected architectures. the last architecture shown elevated detections compared to older systems. ISBN:

10 70% 60% 50% 40% 30% 20% 10% 0% Normal Anormal Figure 6: detection rate of attacks Consequently, we note that intrusion detection in mobile agent-based and clustdensity with the honeypot (honeyd, honeywall + honeycomb) technology is more effective than detection based on honeyd and snort and also honeyd honeycomb and snort. However, the rate of false positive and negative have been reduced by the use of our IDS Agents approach mobile Clust-density. 70% 60% 50% 40% 30% 20% IDS-AM-Clust Honeyd+honeycomb+IDS-AM- Clust Honeywall+honeyd+IDS-AM-Clust 10% 0% Normal Anormal Faux positif Faux négatif figure7: positive and false negative rates ISBN:

11 Conclusion This work is a contribution to the security systems by the combination of honeypots to high and low interaction with a system of intrusion detection based on mobile agents and Clust-densty IDS-AM- Clust enhances currently deployed intrusion detection techniques. Tests and results have given satisfaction through increase in detections and minimization of false positive and negative rates. To do this, we must invest in automated systems to automatically detect new attacks in real time and automatically strengthen protection systems. luckily our system has given satisfactory results in this field. Our challenge is the compatibility of our system on other work environment. As perspective, will be faced with this challenge, by our own system migration to a Cloud Computing environment. Reference : [1]. L. Zpitzner, Honeypots: Tracking Hackers, Addison Wasley Professional, ISBN-10: , (septembre 2002). [2]. Ashish Girdhar et Al : Comparative Study of Different Honeypots System, Volume 2, Issue 10 (August 2012), PP [3]. S. S. Muhammad, S. H. Choong, A Novel Architecture for Real-time Automated Intrusion Detection Fingerprinting using Honeypot, 27th KIPS Spring Conference, Korea, pp , (mai 2007) [4]. Bill Cheswick, An Evening with Berferd: In Which a Cracker is Lured, Endured, and Studied [5]. ChaimaeSaadiand HabibaChaoui, Security Analysis Using IDs Based on Mobile Agents and Data Mining Algorithms / (IJCSIT) International Journal of Computer Science and Information Technologies, Vol. 6 (1), , 2015 [6]. Chaimae Saadi, Habiba Chaoui, Hassan ErguigContribution to Abnormality Detection by Use of Clust-Density Algorithm DOI: [7]. Chaimaesaadi and HabibaChaoui, IDS based interaction on mobile agents and Clust-density algorithme IDS-AM-Clust current acceptance [8]. Cohen, Fred. Deception ToolKit. circa 2001 URL: (March 13, 2003) [9]. J. Tian, J. Wang, X. Yang, R. Li, A Study of Intrusion Signature Based on Honeypot, Sixth International Conference on Parallel and Distributed Computing Applications and Technologies (PDCAT'05), pages , (2008). [10]. C, Chi, M. Li, D. Liu, A Method to Obtain Signatures from Honeypot Data, Lecture Notes in Computer Science, Volume 3222/2004, , DOI: / _61, (2004). [11]. Ram Kumar Singh : Intrusion Detection System Using Advanced Honeypots, (IJCSIS) International Journal of Computer Science and Information Security, Vol. 2, No. 1, 2009 [12]. S. Riebach, B. Toedtmann, E. Rathgeb. Combining IDS and Honeynet Methods for Improved Detection and Automatic Isolation of Compromised Systems, Computer Networking Technology Group, Institute for Experimental Mathematics, University Duisburg-Essen, Germany, (2006). [13]. Hatem Bouzayani : Modèle quantitatif pour la détection d intrusion. Une architecture collaborative IDS- HONEYPOT (Juin 2012) [14]. G. Wicherski, Medium Interaction Honeypots, German Honeynet Project (avril 2006). [15]. Ashish Girdhar et Al : Comparative Study of Different Honeypots System, Volume 2, Issue 10 (August 2012), PP [16]. S. Riebach, B. Toedtmann, E. Rathgeb. Combining IDS and Honeynet Methods for ISBN:

12 Improved Detection and Automatic Isolation of Compromised Systems, Computer Networking Technology Group, Institute for Experimental Mathematics, University Duisburg-Essen, Germany, (2006). [17]. N. Provos. A virtual honeypot framework. In Proceedings of the 13th conference on USENIX Security Symposium - Volume 13, SSYM 04, page 1, Berkeley, CA, USA, USENIX Association [18]. Chaimaesaadi and HabibaChaoui, Security by IDS-AM-Clust, honeyd and honeycomb current acceptance ISBN: