Honeypots are decoys used to attract network attackers. Read pages 10 through 12 in this article to understand how honeypots are used to protect networks. When would you prefer to use a honeypot instead of an intrusion detection system (IDS)?


In recent times, there has been growing interest in security and information protection for network systems. Network systems contain valuable data and resources that must be protected from attackers. Security experts often use honeypots and honeynets to protect network systems. The honeypot is an outstanding technology that security experts use to learn new hacking techniques from attackers and intruders.

According to Spitzner (2002), founder of the Honeynet Project, "a honeypot is a security resource whose value lies in being probed, attacked, or compromised" (p. 58). It can also be defined as "an information system resource whose value lies in unauthorized or illicit use of that resource". In other words, a honeypot is a decoy, put out on a network as bait to lure attackers. Honeypots are typically virtual machines designed to emulate real machines: they run, or create the appearance of running, full services and applications, with the open ports that might be found on a typical system or server on a network.

In this research, a centralized configuration management system called Puppet was used to automate the configuration of four servers. A VMware virtual machine was used to implement the automated honeypot solutions. The study provided targets with interesting services such as an Apache web server, a MySQL server, a File Transfer Protocol (FTP) server and a Simple Mail Transfer Protocol (SMTP) server. A centralized Logstash server was used to process and index logs, Elasticsearch was used to store the logs, and Kibana was used to search and visualize them.


Problem Statement 

Attempts by attackers to breach security systems are rising every day. Intruders use tools like SubSeven, Nmap and L0phtCrack to scan, identify, probe and penetrate enterprise systems.

Firewalls are put in place to prevent such unauthorized access to enterprise networks. However, firewalls cannot prevent attacks that originate inside the intranet.

An Intrusion Detection System (IDS) reviews network traffic and identifies exploits and vulnerabilities; it is able to display alerts, log events, and e-mail administrators about possible attacks. An Intrusion Prevention System, on the other hand, attempts to block traffic matching known intrusion signatures, and some unknown attacks, based on the knowledge of attack behaviors in its database. However, an IDS can generate thousands of intrusion alerts every day, some of which are false positives. This makes it difficult for an IDS to detect and identify the actual threats and to protect assets. Thus, human intervention is required to investigate the attacks detected and reported by an IDS (Kaur, Malhotra, & Singh, 2014).


Nature and Significance of the Problem

Honeypots can dramatically reduce false positives. Honeypots are designed to track illegal activities, which makes them extremely efficient for detecting attacks. Honeypots only collect data from direct human or process interactions, so an organization that logs thousands of alerts a day with traditional technologies will only log a hundred alerts with honeypots. Honeypots can also easily be used to identify and capture new attacks: because a honeypot has no legitimate users, any activity on it is an anomaly, and new attacks are easily detected. Thus honeypots can be used to collect, manage and analyze more attack data.
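The two ideas above (every interaction with a decoy is an alert, and the study's Logstash stage turning raw service logs into structured, indexable events) can be shown with a small log processor. The following is an added example written for this page, not code from the thesis or from the Puppet/ELK tooling it used; the log lines are constructed in the style of the Apache, vsftpd-style FTP and Postfix-style SMTP services the study deployed, the addresses are documentation ranges, and the function names are the example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the formats of the decoy services the study ran
# (Apache access log, vsftpd-style FTP log, Postfix-style SMTP log). They are
# invented for this example, not data captured by the study. The last FTP line
# is deliberately one the parser below does not understand.
SAMPLE_LOGS = [
    ("apache", '203.0.113.7 - - [20/Nov/2020:00:15:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162'),
    ("apache", '203.0.113.7 - - [20/Nov/2020:00:15:02 +0000] "GET /wp-login.php HTTP/1.1" 404 162'),
    ("ftp", 'Fri Nov 20 00:16:10 2020 [pid 2211] [anonymous] FAIL LOGIN: Client "198.51.100.23"'),
    ("ftp", 'Fri Nov 20 00:16:12 2020 [pid 2211] [admin] FAIL LOGIN: Client "198.51.100.23"'),
    ("smtp", "Nov 20 00:17:03 honey postfix/smtpd[3001]: connect from unknown[192.0.2.44]"),
    ("smtp", "Nov 20 00:17:04 honey postfix/smtpd[3001]: NOQUEUE: reject: RCPT from unknown[192.0.2.44]: 554 5.7.1 Relay access denied"),
    ("ftp", 'Fri Nov 20 00:16:20 2020 [pid 2211] CONNECT: Client "198.51.100.23"'),
]

# One pattern per service; each captures the source address and what was tried.
PATTERNS = {
    "apache": re.compile(
        r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<action>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'),
    "ftp": re.compile(
        r'^(?P<ts>.+?) \[pid \d+\] \[(?P<target>[^\]]*)\] (?P<action>OK|FAIL) LOGIN: Client "(?P<src>[^"]+)"'),
    "smtp": re.compile(
        r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
        r"(?P<action>connect from|NOQUEUE: reject: RCPT from) \S*\[(?P<src>[^\]]+)\]"),
}


def parse_event(service, line):
    """Turn one raw log line into a structured event, the kind of record the
    study's Logstash stage would hand to Elasticsearch. Returns None when the
    line does not match the service's pattern."""
    match = PATTERNS[service].match(line)
    if not match:
        return None
    fields = match.groupdict()
    return {
        "service": service,
        "src": fields["src"],
        "timestamp": fields["ts"],
        "action": fields["action"] + (" LOGIN" if service == "ftp" else ""),
        # URL path for Apache, username tried for FTP, nothing for SMTP connects
        "target": fields.get("target"),
    }


def honeypot_alerts(raw_logs):
    """Every parsed interaction is an alert: the decoy serves no legitimate
    users, so there is no benign traffic to separate out. Lines the parser
    cannot read are kept aside for inspection rather than silently dropped."""
    alerts, unparsed = [], []
    for service, line in raw_logs:
        event = parse_event(service, line)
        if event is None:
            unparsed.append((service, line))
        else:
            alerts.append(event)
    return alerts, unparsed


def attack_patterns(alerts):
    """Aggregate alerts per source address: which decoy services were touched,
    how often, and what was attempted against each."""
    by_src = defaultdict(lambda: {"services": Counter(), "attempts": []})
    for event in alerts:
        entry = by_src[event["src"]]
        entry["services"][event["service"]] += 1
        attempt = event["action"]
        if event["target"]:
            attempt += " -> " + event["target"]
        entry["attempts"].append(attempt)
    return dict(by_src)


if __name__ == "__main__":
    alerts, unparsed = honeypot_alerts(SAMPLE_LOGS)
    for src, entry in attack_patterns(alerts).items():
        print(src, dict(entry["services"]), entry["attempts"])
    print("unparsed lines:", len(unparsed))
```

The point the per-source summary makes is the one the paragraph states: on the decoy every row is worth reading, so the analyst's work is grouping and interpreting attempts, not sifting benign traffic out of them. Keeping unparsed lines is deliberate; a new attack tool often announces itself as a log format the parser has never seen.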

Objective of the Study

The objectives of this experiment are: (1) to use free and open-source technologies and methods to reduce the amount of manual intervention needed to add to or modify a high-interaction honeypot system suitable for academic research, and (2) to detect attack patterns on services and come out with a solution to mitigate the attacks.


Research Questions

How should open-source technologies be used to dynamically add or modify hacking incidences in a high-interaction honeynet system?

How should honeypots be made more attractive for hackers to spend more time to provide hacking evidence?


Definition of Terms

Honeypot: honeypot systems are decoy servers or systems set up to gather information about attackers who intrude into a system.

Puppet: a unique approach to IT automation for discovering, configuring, and managing network infrastructure.

Virtual Machines: a virtual machine is a type of computer application used to create a virtual environment, which is referred to as "virtualization." Some types of virtualization let a user run multiple operating systems on one computer at the same time.


HonSSH: a great tool for high-interaction honeypot interaction.


Source: Farouk Samu, https://repository.stcloudstate.edu/msia_etds/9/
Creative Commons License This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License.

Last modified: Friday, November 20, 2020, 12:15 AM