A Modular Approach for Implementation of Honeypots in Cyber Security

Transcription

1 A Modular Approach for Implementation of Honeypots in Cyber Security Muneeb Mirza 1, Muhammad Usman 1, Robert P. Biuk-Aghai 2, Simon Fong 2 1 Department of Computing, SZABIST-Islamabad, Pakistan 2 Department of Computer and Information Science, Faculty of Science and Technology, University of Macau, Macau SAR Abstract This paper introduces a novel modular approach of implementing honeypots in cyber security. There are many other security technologies like firewalls, IDS, anti-malware and antivirus software that are part of a cyber security infrastructure. Honeypot technology is a relatively new and emerging area of research to cope with new security threats and challenges. Denial of service attacks, distributed denial of service attack, malware and zero day attacks are still a major threat to the Internet. Many proposals and models have been presented in the past but none is successful by itself. In this paper we are presenting a conceptual modular approach to help solve these issues. Each module is independent in implementation resulting in better performance and better security. In future we will implement this model and make it more efficient based on real time results and analysis. Keywords: honeypots, intrusion detection system, antimalware, signature, cyber security, network security, antivirus. Introduction Cyber security refers to the protection of the resources connected to the Internet. Malicious activities are increasing daily in the Internet space. News about some critical servers having been compromised and user s information leaked appear almost daily. Ebay, Amazon and buy.com servers were down due to heavy DDoS attacks [2]. We have also seen sophisticated malware attacks using Stuxnet on critical infrastructure. According to Cyber Attacks Statistics [1] the top attack techniques in 2013 were DDOS (23%), SQLi (19%), defacement (14%), account hijacking (9%) and targeted attacks (6%); and the top targets in 2013 were government (23%), industry (22%), finance (14%), organization (7%), news (6%), and education (5%) (for the sake of brevity we only list attack techniques and targets with 5% or more share). There is clearly a need to secure our cyber space. Different conventional and main stream security solutions are being deployed by organizations to detect and mitigate attacks. Intrusion Detection and Prevention System (IDPs), antivirus and anti-malware software, and firewalls are among the popular security solutions [3]. The limitation of these solutions is that they work only for known vulnerabilities. If antivirus and anti-malware software have signatures in their database of particular worms, Trojans or any other virus then they will be able to detect them, otherwise they fail. Manual analysis and generation of signatures is difficult and time consuming. To overcome these solutions honeypots are a new emerging technology which can be used to detect (and thus respond to) unknown attacks called zero day attacks and can be used to automate the signature generation process. Honeypots are deception traps used to monitor and log the activities of attackers. A honeypot is a computer connected to the internet that offers services and data that appear to be of value to an attacker but that is in fact set up for the purpose of monitoring the activities of hackers. There are two main categories of honeypots. One is low interaction honey pots which provide limited interaction with the system, and the second one is high interaction honeypot which provides full access to the system for attackers. Through analysis of attackers' malicious activities and logs of honeypot servers the real production servers can be secured, and security professionals can also use captured information for generation of malware and antivirus signatures [4]. The remainder of this paper is organized as follows: Section 2 summaries the methodology used for our research. Section 3 presents a literature review. Section 4 is our critical evaluation of the literature. Section 5 is our proposed model and Section 6 concludes this paper. Methodology The first part of our research was a literature review, followed by a critical evaluation of existing approaches, and finally a proposal of our own model. For the literature review we applied a systematic approach for selection of a research area, downloading of papers and paper reviewing. We selected the most widely used and comprehensive online databases for selecting relevant papers, namely IEEE Xplore and ACM Digital Library. After obtaining a general paper about honeypots for basic understanding, we set the following criteria for downloading more papers and their review: Title: must contain one of the words Honeypot, Malware, Signatures. Date Range: Keywords: Honeypots, Signature generation using Honeypots, DoS attacks detection using honeypots, malwares honeypots, zero day attacks honeypots, polymorphic worms honeypots. Abstract: Abstract of the downloaded papers must be relevant to the title and there should be clear indication of the new work contribution. Review: In the first phase only the background of the work was reviewed. Once familiar with the 5446

2 background then in the second phase the weaknesses, limitations and advantages of the authors work were studied. Authors work was critically evaluated in terms of limitations and advantages. Papers which outline a path for future work were preferred. For convenience we summarize the inclusion criteria of research papers in Table 1. Table 1: Inclusion criteria. Databases IEEE Xplore, ACM Digital Library Date Range Title Title contains one of: Honeypot, Signature, Malware Keywords Honeypots, Signature generation using honeypots, DoS attacks detection using honeypots, malwares honeypots, zero day attacks honeypots, polymorphic worms honeypots Abstract Relevant to the title and area of research Review Background of the work, weaknesses, limitations and advantages, future work Related Work In the era of IT and the internet, new security threats and cyber security have become increasingly important. There is a trend moving away from conventional warfare, and cyberwar is an alternative. Cyber-attacks are being used by most countries, and where resources are connected to the internet there is a high risk of attacks. On the basis of the need and importance of honeypots to cope with such attacks as discussed in Section 1, this section focuses on existing work for different security attacks and generation of signatures for malware. One of the very common and well known attacks is on the availability of services. This attack is launched as a Denial of Service attack (DoS attack). Since 2001 it is reportedly one of the four major types of attack and increasing daily. In 1998 DoS attacks were reported to account for 24% of all cyberattacks, but by 2001 this increased to 36% [4]. Das proposed a solution for mitigating denial of service attacks by using an Active Server (AS) and hiding the actual production server [3]. AS acts as an authentication server for legitimate clients, and for requests not from legitimate users AS acts as a honeypot and traps the attackers. This technique minimizes DoS attacks on real servers because attackers are unable to reach the real server so they cannot block the path to it. However, the limitation of this technique is that it is not effective for Distributed Denial of Service attacks (DDoS attacks). Moreover, if the AS server itself is subject to a DoS attack and goes down, legitimate users will not be able to authenticate and access the production server. Weiler proposed a solution for DDoS attacks [4]. The proposed solution is based on honeypots which fools attackers into believing that they successfully launched an attack and compromised the targeted system. But the limitation of this system is that honeypots are at fixed addresses. Attackers can detect and bypass the honeypot using sophisticated attacks [5]. The solution of this problem is provided by the Khattab et al. [5] who proposed roaming honeypots for mitigating DoS attacks. This technique is also applicable for DDoS attacks. By using roaming instead of fixed honeypots, the risk of detection is avoided and thereby that of the honeypots being bypassed using sophisticated attacks. Moving on from DoS and DDoS attacks there are other attacks which use botnets, worms, or Trojans. These all come under the umbrella of malwares. The detection of these malwares is strongly based on their unique definition data. These definitions are used by antivirus and anti-malware software to detect and remove these malwares. Vendors of such software solutions update their signature databases periodically. But the actual problem remains how to discover new malwares and generate matching signatures. Potentially such attacks can have a great impact. Using malwares attackers may gain access to users computers and perform illegal activities, usually called zombie approach. Military setups can be compromised using sophisticated malwares. A solution based on honeypots provided by Alberdim and Owezarski allows the monitoring of all malicious activities by worms, bots, Trojans and viruses [6]. He proposed a special redirection kit which basically redirects outgoing traffic used to coordinate with other bots to attack. This traffic is redirected towards honeypots hence saving the real production server. In this scenario an illusion is created for the attacker that he is communicating with the real server but in fact he is communicating with the honeypot server in the same network. The analysis of such attacks by security professionals results in signature generation. These signatures can subsequently be used to update the malware signature database and antimalware software can easily detect such types of attacks on real servers in the future. The limitation of this approach is that this is not effective with polymorphic worms. These are special worms which change their properties at run time to remain undetectable by any solution. Kreibich and Crowcroft presented a honeypot which can automatically generate the signatures of IDPs [7]. Their solution is based on tracking of connections and a signature generation algorithm. Analysis is performed on every protocol level and application level suspicious traffic. This results in new signatures of malware based on its activity. The limitation of this approach is that it is only effective for pattern based analysis. Zhuge et al. [8] proposed a solution based on honeypots for collection of malwares. The proposed solution is named HoneyBow toolkit and it has three different tools for collection of malwares. All of these tools use their best features for collecting malwares. The limitation of this toolkit is that it is easily detectable by malware, thus it can be bypassed. Scalability and polymorphic worms are among the other limitations of this toolkit. To overcome these, Newsome et al. presented a set of algorithms for generating polymorphic worms signatures [9]. In a first step, tokens are discovered. These substrings have to appear in a specific order. They evaluated their algorithms against different types of worms. The result is satisfactory but 5447

3 the limitation of this approach is that it is not effective for zero day polymorphic worms. Zero day attacks using polymorphic worms are a big challenge to cyber security. Mohammed et al. proposed a solution [10] to detect zero day polymorphic worms using Principal Component Analysis (PCA) technique. Using PCA the most significant string is determined which is then used for signature creation. The system is actually based on double honeypots to detect worms automatically with low false negatives and low false positives. The limitation of this system is that it has not been implemented but only validated mathematically. Portokalidis et al. designed a system based on honeypots to slow down the spread of zero day worms [11]. Their honeypot is named Argos and can automatically monitor, detect and generate new signatures of zero day worms for IDPs. This was designed to improve on the weaknesses of already existing systems like Minos and Vigilante [12]. Chen et al. developed dynamic forensics using honeypots by integrating intrusion tolerance into network security [13]. This solution ensures the data used for forensic analysis is reliable even if the data was modified because of an attack. The key component of this dynamic forensic is an intrusion detection system which monitors the threats. The forensic system is dynamically activated when a threat is detected and malicious traffic is automatically redirected to the honeypots. Raynal et al. also describe a procedure for information assurance forensics using honeypots [14]. They suggest a forensic procedure for investigation of server side intrusion. The procedure involves system and file analysis, network traffic analysis and evidence collection [15]. The forensic analysis results in a signature of that particular attack. Tang and Chen proposed a double honeypot [16] to extract signatures for polymorphic worms efficiently. Inbound and outbound honeypots are used in the proposed mechanism. The key behind this approach is that a worm opens an outgoing connection. By analysis and monitoring these connections worms can be easily recognized. Thonnard and Dacier developed an efficient framework for detecting zero day attack patterns from raw honeypot data [17]. They applied data clustering technique to solve the tradeoff problem. Table 2 shows the gap analysis already done in Honeypots. Table 2: Summary of Related Work. Author Name Dos Don ts Das [3] Minimize DoS attack No solution to the DDoS attack, AS server can also be under DoS attack, not scalable Weiler [4] Scalable, provide solution of DDoS attack Fixed honeypot, sophisticated attacks can bypass honeypots, attack must be detectable Khattab et al. [5] Roaming honeypots difficult to detect No evaluation for logically roaming honeypots, performance degradation Alberdim & Owezarski [6] Applied command and conquer channel, efficient for DDoS attack Manual identification, easily detectable, low quality of infiltration Kreibich & Crowcroft [7] Automate signature generation process, pattern based analysis Not effective for polymorphic worms, zero day attacks Zhuge et al. [8] Three tools used for collecting malwares, each tool have its own advantages and mechanism to collect malwares Detectable, not scalable, no solution for polymorphic worms, no solution of zero day attacks Newsome et al. [9] Polymorphic worm signature, low false negatives and low Not effective for zero day polymorphic worms false positives Mohammed et al. [10] Solution for zero day polymorphic worms, low false negatives and low false positives Mathematically validated, but not implemented in real time Portokalidis et al. [11] Slow down the spreading of zero day worms, auto monitoring, detecting and creation of new signatures No advance automated analysis of attack, no selfcertifying alerts in case of false positive Crandall et al. [12] Automatic detection of zero day worms Does not generate signature of IDPs, does not protect OS kernel Chen et al. [13] Dynamic forensic, Evidence Collection Agent Not for polymorphic worms Raynal et al. [14] Information Assurance No solution for polymorphic worms Raynal et al. [15] Information analysis using dynamic forensic Not efficient against polymorphic worms, and zero day attacks Tang & Chen [16] Efficient zero day polymorphic worms Not scalable, No solution for DDoS Thonnard & Dacier [17] Data Clustering, similarity distance Detectable, not effective for DDoS 5448

4 Critical Evaluation Table 3 is a critical analysis of some of the related work done. We have chosen some of the key parameters of honeypot systems. Based on these parameters we critically analyzed the related work done with our proposed model. Following Table 4 presents an ideal scenario. Table 4: Ideal Scenario Parameters. Roaming Fixed Detectable Low Interaction High Interaction Virtual Physical Client Side Server Side Pattern Based Polymorphic Scalable Performance Shortcoming Automatic Manual Zero day Proposed Model Figure 1 shows our proposed model. This model is novel in integrating the advantages of other models, and by using a layered modular structure. Each module is a separate subsystem that contributes to the security of the overall system. SECURE ZONE Secure Web Server Secure Server Secure Database Server Local DNS Server Web Server Honeypot Internal Firewall Server Honeypot Authentication System Database Server Honeypot Anomaly Detection System Anti-Malware Anti-Virus WAN Signature Generation System Figure 1: Proposed Cyber Security Model. 5449

5 Any incoming traffic, both from normal users and attackers, first passes through the anomaly detection system. The rationale behind this approach is to make breaking into the network more challenging, even for honeypots. A system that is openly accessible for attackers will be suspected to be a honeypot system and be bypassed. If the anomaly detection system determines traffic to be anomalous, such as a hacking attempt or a new malware, then related information is sent to the signature generation system, which generates signature data for use by anti-malware or anti-virus software. All traffic is then passed to the authentication module. Traffic that fails the authentication, such as from an attacker, is rerouted to the honeypot system using the customized port forwarding technique. This will create the illusion to any attackers that they have somehow compromised the IDPs and authentication system and obtained access to the actual secure servers. The honeypot system consists of a set of server resources, including web, and database servers. These are high interaction honeypots, so attackers can interact with these servers and thereby reveal details of their attack method. These details are then captured and retained by the signature generation system. After the analysis of attack behavior the signature generation system then generates an attack signature which is used to update the anti-malware, antivirus and anomaly detection system depending upon the nature of the attack. By updating the signature database, the actual production servers can be protected from these types of attack in future. Table 3: Critical Analysis of Related Work. Authors Parameters Das Weiler Khattab Alberdi Kreibichi Zhuge Newsome Mohammed Portokalidis Crandall Proposed Model Roaming No No Yes No No No No No No No No Fixed Yes Yes No Yes Yes Yes Yes Yes Yes Yes Yes Detectable Yes Yes No Yes Yes Yes Yes Yes Yes Yes No Low Interaction No Yes No Yes No No No No Yes Yes No High Interaction Yes No Yes No Yes Yes Yes Yes No No Yes Virtual No Yes No Yes No No No No Yes Yes No Physical Yes No Yes No Yes Yes Yes Yes No No Yes Client Side No No No No No On No No No No No Server Side Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Pattern Based No No Yes Yes Yes No No No Yes Yes Yes Polymorphic No No No No No No Yes Yes No No Yes Scalable Yes Yes No No No No Yes Yes No Yes Yes Performance Yes Yes Yes Yes Yes No Yes Yes Yes Yes No shortcoming Automatic No No Yes No Yes Yes Yes No Yes Yes Yes Manual Yes Yes No Yes No No No Yes No No No Zero day No No No No Yes Yes No Yes No No Yes Legitimate traffic that passes authentication is redirected through an internal firewall to the local DNS server, again using a customized port forwarding technique, and from there to the secure zone which contains the production web, and database servers. Conclusions and Future Work This paper has given an overview of different existing honeypot technology being used in the cyber security area nowadays. There are many other security technologies like firewalls, IDS, anti-malware and antivirus software that are part of a cyber security infrastructure. Honeypot technology is a relatively new and emerging area of research to cope with today s new security threats and challenges. Denial of Service attack, Distributed Denial of Service attack, Malware and Zero Day attacks are still major threats to the Internet. Many proposals and models have been presented in the past but none is successful alone. Following a gap analysis we have proposed a novel system which can overcome some of the previous existing flaws. This area of research in cyber security is still relatively new and many open research challenges remain. In future we will implement and test our proposed model in a real world case and work to improve it using real time results and analysis. References [1] 2013 Cyber Attacks Statistics (Summary). Available from: cyber-attacks-statistics-summary/. [2] Symantec Internet Security Threat Report [3] Das, V.V. Honeypot Scheme for Distributed Denialof-Service. in Advanced Computer Control, ICACC '09. International Conference on [4] Weiler, N., Honeypots for Distributed Denial of Service Attacks, in Proceedings of the 11th IEEE International Workshops on Enabling Technologies: nfrastructure for Collaborative Enterprises. 2002, IEEE Computer Society. p

6 [5] Khattab, S.M., et al. Roaming honeypots for mitigating service-level denial-of-service attacks. in Distributed Computing Systems, Proceedings. 24th International Conference on [6] Ion Alberdim, E.P., Owezarski, Shark: Spy Honeypot with Advanced Redirection Kit. Proceeding of the IEEE, [7] Kreibich, C. and J. Crowcroft, Honeycomb: creating intrusion detection signatures using honeypots. SIGCOMM Comput. Commun. Rev., (1): p [8] Zhuge, J., et al., Collecting autonomous spreading malware using high-interaction honeypots, in Proceedings of the 9th international conference on Information and communications security. 2007, Springer-Verlag: Zhengzhou, China. p [9] Newsome, J., B. Karp, and D. Song. Polygraph: automatically generating signatures for polymorphic worms. in Security and Privacy, 2005 IEEE Symposium on [10] Mohammed, M.M.Z.E., et al., Detection of Zero-Day Polymorphic Worms Using Principal Component Analysis, in Proceedings of the 2010 Sixth International Conference on Networking and Services. 2010, IEEE Computer Society. p [11] Portokalidis, G., A. Slowinska, and H. Bos, Argos: an emulator for fingerprinting zero-day attacks for advertised honeypots with automatic signature generation. SIGOPS Oper. Syst. Rev., (4): p [12] Crandall, J.R., S.F. Wu, and F.T. Chong, Experiences using minos as a tool for capturing and analyzing novel worms for unknown vulnerabilities, in Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment. 2005, Springer-Verlag: Vienna, Austria. p [13] Chen, L., et al. Dynamic Forensics Based on Intrusion Tolerance. in Parallel and Distributed Processing with Applications, 2009 IEEE International Symposium on [14] Raynal, F., et al., Honeypot forensics part 1: analyzing the network. Security & Privacy, IEEE, (4): p [15] Raynal, F., et al., Honeypot forensics, part II: analyzing the compromised host. Security & Privacy, IEEE, (5): p [16] Tang, Y. and S. Chen. Defending against Internet worms: a signature-based approach. in INFOCOM th Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings IEEE [17] Thonnard, O. and M. Dacier, A framework for attack patterns' discovery in honeynet data. Digit. Investig., : p. S128-S