Honeypot and Intrusion Detection System

Presentation transcript:

Honeypot and Intrusion Detection System
Sunil Gurung
[60-475] Security and Privacy on the Internet
KFSensor: Honeypot and Intrusion Detection System

Agenda
Introduction
Honeypot Technology
KFSensor
Components of KFSensor
Features
Tests
Conclusion

Introduction
Security threats are increasing with the proliferation of the internet.
Network security today: firewall, IDS, antivirus.
Traditional approach: defensive.
Today: an offensive approach, the honeypot.

Honeypot Technology
"A honeypot is a security resource whose value lies in being probed, attacked, or compromised." - Lance Spitzner
We want attackers to probe and exploit the virtual system running emulated services.
The system has no production value and receives no legitimate traffic, so almost every connection to it is a probe, an attack, or a compromise.
It complements the traditional security tools.

Fig: The basic setup of the honeypot system. In the figure, two KFSensor instances are configured as production honeypots. Figure taken from the KFSensor User Manual (Help).

Advantages and Disadvantages
Collects a small set of data
New techniques and tools (A)
Minimal resources (A)
Information (A)
Simplicity (A)
Limited view: cannot capture attacks against other systems (D)
Risk: can be taken over by the bad guys (D)

Types of Honeypot
Interaction: the level of activity the honeypot allows with the attacker.
Low interaction: emulated services; easy to deploy and maintain; less risk. Designed to capture only known attacks.
High interaction: real services are set up and the attacker interacts with the real OS. More information, no assumptions made, a fully open environment. Risk: the attacker can use the real honeypot to attack others.

KFSensor
Commercial low-interaction honeypot solution for Windows OS
Preconfigured services: ssh, http, ftp, etc.
Easy configuration and flexible
Product details:
Software: KFSensor
Version: 2.2.1
License: Evaluation (14-day trial)
Vendor: Key Focus
Download site: http://www.keyfocus.net/kfsensor/

Installation
Download the application from the website
Initial wizard setup: naming the domain, email, alerts
To install, log in as ADMINISTRATOR
C:\kfsensor\logs – XML log files
Running the KFSensor server – as a daemon (Windows service) [kfsnserve.exe]
Open the KFSensor monitor (GUI)

Components of KFSensor
KFSensor Server: performs the core functionality; outsiders interact with the server. It has no GUI.
KFSensor Monitor: interprets all the data and alerts captured by the server and presents them in graphical form.

Features
File menu: Export [HTML, XML, TSV or CSV], Service
View menu: Ports View, Visitors View
Editing: Scenarios, Listens, Rules, Sim Server

Editing Scenario

Editing Listens
Listen On:
Name: identifies the listen when a connection is made matching this particular specification
Protocol: choice between UDP or TCP
Port
Bind Address: specifies the IP address the listen binds to
Action:
Action Type: the action to be performed once the connection is made by the outsider
Severity: defines the level of severity generated by the event to alert the admin
Time Out: value in seconds the server waits before it closes the connection
Sim Name: specifies the Sim Server to use

Edit Rule

Sim Server
Sim Banner
Sim Standard Server

DoS attack configuration
Other features
Email alerts
Log database

Test Environment
Inside the router / outside of the router
1) University network [IP address: 137.207.238.113 – Sunil.uwindsor.ca]
2) Home network: the honeypot system placed inside the router [192.168.0.102]
3) Direct connection to the internet through [24.57.84.215]
4) Tested on the local machine [127.0.0.1]
Various tests performed:

Test 1: FTP emulation

Test 2: SMTP

Test 3: Other Tests (Threats and Viruses)
Sasser worm: TCP port 5554
Attacks from:
IP 1: 218.253.9.215 – cm218-253-9-215.hkcable.com.hk
Toronto-HSE ppp3864532.sympatico.ca

Test 3 - Cont.: IIS, Dameware, MyDoom attacks
IIS – Web server; KFSensor can emulate it as a highly interactive service.
Dameware – a remote control application similar to VNC. Hackers recently found a buffer overflow vulnerability in it that gives them access to place their own code. This threat uses port 6129.
MyDoom – a DDoS attack that listens on TCP port 3127 and installs a back door on the infected system.

Test 3 - Cont.: LoveGate worm
The LoveGate worm infects the system through port 20168
Port scanning
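Test 3 shows a handful of known worm and back-door ports arriving at the honeypot, followed by port scanning. As an added example (not KFSensor's code and not the presenter's), here is a rule lookup in the spirit of the Edit Rules feature, keyed on the ports the slides name, together with a sliding-window port-scan heuristic run over constructed sample events; the severity labels, thresholds and sample addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# TCP ports the slides report in Test 3, mapped to the threat named there. The slides give
# a protocol only for Sasser and MyDoom (TCP assumed for the rest); severities are assumed.
KNOWN_THREAT_PORTS = {
    5554: ("Sasser worm", "high"),
    6129: ("Dameware remote control", "high"),
    3127: ("MyDoom back door", "high"),
    20168: ("LoveGate worm", "high"),
}
SCAN_DISTINCT_PORTS = 5   # a source touching this many distinct ports ...
SCAN_WINDOW_SECONDS = 60  # ... within this window is treated as a port scan (assumed)

@dataclass(frozen=True)
class Event:
    """One accepted connection, like a row in the KFSensor Visitors View."""
    ts: float      # seconds since epoch (constructed for the sample)
    src_ip: str
    proto: str     # "TCP" or "UDP", as in a listen definition
    port: int

def classify(event):
    """Per-connection rule lookup, as an Edit Rules entry would do: (threat name, severity)."""
    if event.proto == "TCP" and event.port in KNOWN_THREAT_PORTS:
        return KNOWN_THREAT_PORTS[event.port]
    return ("Unknown probe", "low")

def detect_port_scans(events):
    """Source IPs that hit >= SCAN_DISTINCT_PORTS distinct ports inside one sliding window."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src_ip].append(e)
    scanners = set()
    for src, evs in by_src.items():
        window = []  # events within SCAN_WINDOW_SECONDS of the newest one
        for e in evs:
            window.append(e)
            while e.ts - window[0].ts > SCAN_WINDOW_SECONDS:
                window.pop(0)
            if len({w.port for w in window}) >= SCAN_DISTINCT_PORTS:
                scanners.add(src)
                break
    return scanners

# Constructed sample events using documentation address ranges, not real visitors.
SAMPLE = [Event(0.0, "192.0.2.10", "TCP", 5554), Event(1.0, "192.0.2.10", "TCP", 3127),
          Event(2.0, "198.51.100.7", "TCP", 21), Event(3.0, "198.51.100.7", "TCP", 22),
          Event(4.0, "198.51.100.7", "TCP", 25), Event(5.0, "198.51.100.7", "TCP", 80),
          Event(6.0, "198.51.100.7", "TCP", 6129), Event(200.0, "203.0.113.5", "UDP", 5554)]
```

Running `classify` over SAMPLE flags the first source's two hits as Sasser and MyDoom, while `detect_port_scans(SAMPLE)` flags only the second source, which touched five ports in four seconds.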

Conclusion
Good user interface
Easy to configure emulation services
Flexible
Minimal risk
Limited to only minimal transactions
A honeypot cannot replace the existing system; it works better alongside it.