Using Honeypots to Improve Network Security Dr. Saleh Ibrahim Almotairi Research and Development Centre National Information Centre - Ministry of Interior.

Slide 1: Using Honeypots to Improve Network Security
Dr. Saleh Ibrahim Almotairi
Research and Development Centre, National Information Centre - Ministry of Interior
Dec 21, 2009

Slide 2: Content
- Introduction
- Defence-in-Depth Protection Strategy
- Network Monitoring Methods
- Honeypots
- Honeypot Technologies
- Existing Honeypot Solutions
- Honeypot Deployment Challenges
- Conclusion

Slide 3: Introduction
- The number of attacks and the number of new vulnerabilities are on the rise, driven by:
  - increased financial and other incentives
  - the high prevalence of exploitable vulnerabilities
  - the availability of vulnerability information and attack tools
  - the lack of, or long delays in, patches from vendors

Slide 4: Introduction
- The sources of vulnerabilities can be attributed to many factors:
  - the design of the protocols and services themselves
  - flawed implementations of these protocols and services
- To counter this advance in threats, security managers need to implement multiple layers of security defence

Slide 5: Defence-in-Depth Protection Strategy
- Awareness
- Policy
- Patching
- Firewalls
- Anti-virus
- Encryption
- Intrusion Detection Systems
- Monitoring

Slide 6: Network Monitoring Methods
- Two methods of monitoring network traffic for malicious activity are commonly used:
  - live network monitoring, such as firewalls, network intrusion detection systems, and NetFlow
  - unsolicited traffic monitoring, such as darknets and honeypots

Slide 7: Firewalls
- Comprise software and hardware that protect one network from another
- Make decisions at layer 3 (IP address) and layer 4 (port), and may incorporate IPS functionality at layer 7
- Cannot see local traffic and are vulnerable to misconfiguration

Slide 8: Intrusion Detection System (IDS)
- An IDS is a security system that monitors computer systems and network traffic for attacks and anomalous activity
- An intrusion prevention system (IPS) is an access control device, like a firewall
- IDSs are classified by their information source into:
  - network-based
  - host-based

Slide 9: Intrusion Detection System (IDS)
- IDSs can be classified further by their detection methodology into:
  - anomaly-based IDSs, which measure deviation from normality and raise an alarm whenever a predefined threshold is exceeded
  - signature-based IDSs, which rely on a knowledge base of predefined attack patterns, or signatures

Slide 10: Anomaly detection
- Mainly based on statistical techniques
- The basic concept of the statistical technique for detecting anomalies is to:
  - build a profile of normal behaviour
  - measure large deviations from the profile
  - test them against a predefined threshold value
  - flag behaviour as anomalous when these deviations exceed the threshold
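
The four steps on this slide, carried through in code as an added example (not from the presentation): the profile is the mean and standard deviation of a training window of per-minute inbound connection counts, the deviation is a z-score, and anything beyond the threshold is flagged. The counts are constructed; a constant baseline (zero standard deviation) is handled explicitly, since it otherwise divides by zero.

```python
"""Statistical anomaly detection as described on the slide: build a
profile of normal behaviour, measure deviation, compare with a threshold.
Added example; the per-minute connection counts below are constructed."""
from statistics import mean, pstdev

# Constructed baseline: inbound connections per minute during a quiet period.
TRAINING_COUNTS = [40, 42, 38, 45, 41, 39, 43, 40, 44, 38]

# Constructed observation window; minute 2 is a burst, minute 4 a near-silence.
OBSERVED_COUNTS = [41, 39, 180, 42, 2, 44]


def build_profile(training_counts):
    """Profile of normal behaviour: mean and population standard deviation."""
    return mean(training_counts), pstdev(training_counts)


def deviation(value, profile):
    """Deviation from the profile in standard deviations (a z-score).
    A constant baseline (sigma == 0) makes any change infinitely deviant."""
    mu, sigma = profile
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return abs(value - mu) / sigma


def detect_anomalies(training_counts, observed_counts, threshold=3.0):
    """Return (index, count, z-score) for every observation whose deviation
    exceeds the predefined threshold."""
    profile = build_profile(training_counts)
    flagged = []
    for i, count in enumerate(observed_counts):
        z = deviation(count, profile)
        if z > threshold:
            flagged.append((i, count, round(z, 2)))
    return flagged


if __name__ == "__main__":
    mu, sigma = build_profile(TRAINING_COUNTS)
    print(f"profile: mean={mu:.1f} sigma={sigma:.2f}")
    for i, count, z in detect_anomalies(TRAINING_COUNTS, OBSERVED_COUNTS):
        print(f"minute {i}: {count} connections, z={z} -> ANOMALY")
```

Both the burst and the silence are flagged because the deviation is taken as an absolute value; the threshold is the tuning knob the slide refers to, and raising it trades missed attacks for fewer false alarms.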

Slide 11: Network-based IDSs (NIDS)
- detect attacks by analysing network packets
- do not interfere with the normal operation of a network
- are easy to deploy and manage
- are operating-system independent
- are not able to analyse encrypted traffic
- are not able to cope with high traffic volumes in large or busy networks

Slide 12: Host-based IDSs (HIDS)
- are installed locally on host machines
- operate on information collected from within the host system being protected
- are more accurate
- generate fewer false-positive alarms
- handle encryption
- are harder to manage
- are operating-system dependent
- affect the performance of the host system

Slide 13: Honeypots
- First uses of the honeypot concept:
  - Cliff Stoll in his book "The Cuckoo's Egg" in 1986
  - Bill Cheswick in his paper "An Evening with Berferd: In Which a Cracker is Lured" in 1990
- The term "honeypot" was first introduced by Lance Spitzner in 1999
- Honeypot definitions:
  - a security resource whose value lies in being probed, attacked, or compromised (Spitzner)
  - a closely monitored computing resource that we want to be probed, attacked, or compromised (Provos)

Slide 14: Honeypots (cont.)
- These definitions of a honeypot imply that:
  - it can be any type of computer resource, such as a firewall, a web server, or even an entire site
  - it runs no real production services
  - any contact with it is considered potentially malicious
  - traffic sent to or from a honeypot is considered either an attack or the result of the honeypot being compromised

Slide 15: Honeypots (cont.)
- An example of a virtual honeypot setup that emulates two operating systems:
  - Windows server with open ports TCP 80, 445 and UDP 37
  - Unix server with open ports TCP 21, 25, 80

Slide 16: Honeypots (cont.)
- Notable features of honeypots:
  - collect small volumes of higher-value traffic
  - are capable of observing previously unknown attacks
  - detect and capture all attacker activity, including encrypted traffic and commands
  - require minimal resources
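
The rule on slides 14 and 16, that traffic to a honeypot is an attack and traffic from it suggests compromise, turned into a flow classifier as an added example (not from the presentation). The inventory mirrors the two emulated servers on slide 15; the honeypot addresses, the outside addresses and the flow records are constructed. Because a decoy advertises only a few ports, a hit on any other port is still recorded, as a scan of a closed port.

```python
"""Classify flow records against a honeypot inventory. Added example, not
part of the presentation; the inventory mirrors the two emulated servers on
slide 15, the addresses and flow records are constructed."""
from dataclasses import dataclass

# Constructed honeypot inventory: address -> emulated OS and open ports.
HONEYPOTS = {
    "10.0.0.10": {"os": "Windows Server", "tcp": {80, 445}, "udp": {37}},
    "10.0.0.20": {"os": "Unix Server", "tcp": {21, 25, 80}, "udp": set()},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def classify(flow, honeypots=HONEYPOTS):
    """Apply the slide's rule: a honeypot runs no production service, so any
    traffic to it is an attack and any traffic from it suggests compromise."""
    if flow.src in honeypots:
        return "possible-compromise"      # honeypot initiating a connection
    target = honeypots.get(flow.dst)
    if target is None:
        return "production"               # not honeypot traffic; ignored here
    if flow.dport in target.get(flow.proto, set()):
        return "probe-emulated-service"   # hit an advertised (emulated) port
    return "probe-closed-port"            # scan of a port the decoy does not offer


def summarize(flows, honeypots=HONEYPOTS):
    """Count verdicts and list every external source that touched a decoy."""
    counts, sources = {}, set()
    for flow in flows:
        verdict = classify(flow, honeypots)
        counts[verdict] = counts.get(verdict, 0) + 1
        if verdict.startswith("probe"):
            sources.add(flow.src)
    return counts, sorted(sources)


# Constructed flow records (RFC 5737 documentation addresses as outsiders).
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "10.0.0.10", "tcp", 445),
    Flow("203.0.113.5", "10.0.0.10", "tcp", 3389),
    Flow("198.51.100.7", "10.0.0.20", "tcp", 21),
    Flow("198.51.100.7", "10.0.0.10", "udp", 37),
    Flow("10.0.0.20", "198.51.100.9", "tcp", 6667),
    Flow("192.0.2.1", "10.0.0.99", "tcp", 80),
]

if __name__ == "__main__":
    counts, sources = summarize(SAMPLE_FLOWS)
    print(counts)
    print("sources that touched a honeypot:", sources)
```

The "possible-compromise" verdict is the one that deserves the fastest response: an outbound connection from a decoy means the honeypot is no longer only being probed, which is the medium-to-high risk slide 20 warns about.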

Slide 17: Honeypot Technologies
- Divided by level of interaction into:
  - low: respond only to connections
  - medium: connected to scripts that emulate basic protocol behaviour
  - high: run real operating systems with real services
- Divided by intended use into:
  - production honeypots (Honeynets)
  - research honeypots (Leurre.com)

Slide 18: Honeypot Technologies (cont.)
- Divided by hardware deployment into:
  - physical honeypots (Honeynets)
  - virtual honeypots (Argos)
- Divided by attack role into:
  - server-side honeypots (Honeyd)
  - client-side honeypots (HoneyMonkey)
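
A low-interaction, server-side honeypot in the sense of slide 17, as an added example (not from the presentation and not Honeyd): it answers each connection with a fixed banner, records the peer and the first bytes received, and runs no real service. The banner text and the local "visitor" played against it in demo_local_connection() are constructed.

```python
"""A low-interaction honeypot in the slide's sense: it only answers
connections (a fixed banner), records who connected and what they sent, and
runs no real service. Added example, not part of the presentation; the banner
text and the local 'visitor' in demo_local_connection() are constructed."""
import socket
import threading
import time


class LowInteractionHoneypot:
    def __init__(self, host="127.0.0.1", port=0, banner=b"220 service ready\r\n"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))        # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.banner = banner
        self.events = []                    # one record per accepted connection

    def serve(self, max_connections=1, accept_timeout=5.0):
        """Accept up to max_connections, logging each; input is never executed."""
        self.sock.settimeout(accept_timeout)
        try:
            for _ in range(max_connections):
                try:
                    conn, peer = self.sock.accept()
                except socket.timeout:
                    break
                event = {"ts": time.time(), "peer": peer[0], "port": self.port,
                         "first_bytes": ""}
                self.events.append(event)   # record the contact before replying
                with conn:
                    conn.settimeout(2.0)
                    conn.sendall(self.banner)
                    try:
                        data = conn.recv(1024)
                    except socket.timeout:
                        data = b""
                    # keep the visitor's bytes as opaque hex: they are data, not commands
                    event["first_bytes"] = data[:64].hex()
        finally:
            self.sock.close()


def demo_local_connection():
    """Run the decoy for one connection and play a local visitor against it."""
    hp = LowInteractionHoneypot(banner=b"220 mail.example.test ESMTP\r\n")
    worker = threading.Thread(target=hp.serve, args=(1,))
    worker.start()
    with socket.create_connection(("127.0.0.1", hp.port), timeout=5) as client:
        banner = client.recv(1024)
        client.sendall(b"EHLO visitor\r\n")
    worker.join(timeout=10)
    return banner, hp.events


if __name__ == "__main__":
    banner, events = demo_local_connection()
    print("banner sent:", banner)
    for e in events:
        print(e)
```

Recording the event before sending the banner means a connect-and-disconnect scan is still logged. Moving to the "medium" tier on slide 17 would mean replacing the fixed banner with a script that follows a few protocol commands; the "high" tier is a real operating system and needs the data control and continuous monitoring that slide 20 calls for.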

Slide 19: Some Existing Honeypot Solutions
- Automatic generation of IDS signatures: Honeycomb
- Worm detection systems: Honeystat, SweetBait
- Malware collection: Nepenthes, Honeytrap, IBM Billy Goat
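
What "automatic generation of IDS signatures" from honeypot data looks like, as an added example (not Honeycomb's code, though it uses Honeycomb's core idea of a longest common substring across captured payloads): the bytes shared by several payloads captured on the decoy become the content match of a Snort rule. The payloads are constructed; the rule header and the sid are placeholders.

```python
"""Honeycomb-style automatic signature generation: find the byte pattern
shared by payloads captured on a honeypot and emit a Snort rule for it.
Added example, not Honeycomb's code; it uses the same core idea (longest
common substring over captured payloads). The payloads are constructed."""


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Classic dynamic-programming longest common substring over bytes."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def common_pattern(payloads):
    """Narrow the shared pattern down across all captured payloads."""
    pattern = payloads[0]
    for payload in payloads[1:]:
        pattern = longest_common_substring(pattern, payload)
    return pattern


def snort_content(pattern: bytes) -> str:
    """Render bytes in Snort content syntax: printable text verbatim,
    anything else (and Snort's special characters) as |hex| blocks."""
    parts, hex_run = [], []

    def flush():
        if hex_run:
            parts.append("|" + " ".join(f"{b:02X}" for b in hex_run) + "|")
            hex_run.clear()

    for b in pattern:
        if 0x20 <= b <= 0x7E and chr(b) not in '|";\\':
            flush()
            parts.append(chr(b))
        else:
            hex_run.append(b)
    flush()
    return "".join(parts)


def make_rule(payloads, proto, dport, sid, min_len=8):
    """Emit a Snort alert rule, or None when the shared pattern is too short
    to be meaningful (short patterns produce floods of false positives)."""
    pattern = common_pattern(payloads)
    if len(pattern) < min_len:
        return None
    return (f"alert {proto} $EXTERNAL_NET any -> $HOME_NET {dport} "
            f'(msg:"honeypot-derived pattern"; content:"{snort_content(pattern)}"; '
            f"sid:{sid}; rev:1;)")


# Constructed payloads captured on the decoy web server's TCP port 80.
CAPTURED = [
    b"GET /probe-tool/check?id=1 HTTP/1.0\r\n",
    b"GET /probe-tool/check?id=77 HTTP/1.1\r\n",
    b"HEAD /probe-tool/check?id=3 HTTP/1.0\r\n",
]

if __name__ == "__main__":
    print(make_rule(CAPTURED, "tcp", 80, sid=1000001))
```

Three samples from one tool over-fit to that tool's request path, which is exactly why a generated rule needs a minimum pattern length and a check against a sample of production traffic before it goes live; the analysis immaturity slide 20 describes shows up here as the false-positive risk of any rule built from a handful of captures.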

Slide 20: Honeypot Deployment Challenges
- Approaches for analysing data collected from honeypots are presently immature
- Current analysis techniques are manual and focus mainly on identifying existing attacks
- Honeypots introduce medium- to high-level risk to networks
- They require continuous monitoring

Slide 21: Conclusion
- Honeypots are essential tools for gathering useful information on a variety of malicious activities
- Analysis of anomalous activity in honeypot traffic presents a good research area
- Deploying honeypots would improve network security by:
  - providing smaller, cleaner traffic data that is not mixed with real production traffic

Slide 22: Conclusion (cont.)
  - providing early alerts of new and previously unseen attacks
  - enabling organizations to conduct forensic investigations of incidents without stopping production networks
- Our ongoing research focuses on utilizing honeypots to improve the security of web servers, which are the most attacked targets

Slide 23: Thank You. Questions?