Presentation is loading. Please wait.

Presentation is loading. Please wait.

Honeypot and Intrusion Detection System

Published byAllen Brooks Modified over 9 years ago

Similar presentations

Presentation on theme: "Honeypot and Intrusion Detection System"— Presentation transcript:

1 Honeypot and Intrusion Detection System
Sunil Gurung [60-475] Security and Privacy on the Internet KFSensor Honeypot and Intrusion Detection System

2 Agenda Introduction Honeypot Technology KFSensor Components of KFSensor Features Tests Conclusion

3 Introduction Increasing security threats with proliferation of internet Network security – Firewall, IDS, antivirus. Traditional approach – defensive Today – offensive approach Honeypot

4 Honeypot Technology “A honeypot is security resource whose value lies in being probed, attacked, or compromised.” - Lance Spitzner we want attackers to probe and exploit the virtual system running emulated services. System no production value, no traffic, most connection probe, attack or compromised. Complements the traditional security tools.

5 Fig: The basic setup up of the honeypot system. In the figure two KFSensor are configured production honeypots. Figure taken from “ User Manual of KFSensor – Help “

6 Advantages and Disadvantages
Collects small set of data New techniques and tools (A) Minimal resources (A) Information (A) Simplicity (A) Limited View: Can’t capture attacks against other system (D) Risk : taken over by the bad guys (D)

7 Types of Honeypot Low Interaction High Interaction
Interaction: level of activity Honeypot allows with attacker Low Interaction Emulated services, easy to deploy and maintain, less risk. Designed to capture only known attack High Interaction Setup real services and provides interaction with OS More information, no assumption made give full open environments. Can use the real honeypot to attack others.

8 Commercial low interaction honeypot solution Windows OS
KFSensor Commercial low interaction honeypot solution Windows OS Preconfigured services: ssh, http, ftp etc Easy configuration and flexible Product detail: Software: KFSensor Version: 2.2.1 License: Evaluation (14 days trial) Vendor: Key Focus Downloaded Site:

9 Installations Download the application from the website
Initial wizard setup: Naming the domain, , Alerts To install login as ADMINISTRATOR C:\kfsensor\logs – XML files Running the KFSensor server – as daemon – windows service. [kfsnserve.exe] Open up the KFSensor monitor - GUI

10 Components of KFSensor KFSensor Server
Performs core functionality, outsider interact with The server, doesn’t have the GUI. KFSensor Monitor Interprets all the data and alerts captured by server in graphical form.

11

12 Features File Menu Export [HTML, XML, TSV or CSV ], Service View Menu Ports View, Visitors View Editing Scenarios Editing Listens, Edit Rules, Sim Server

13 Editing Scenario

14 Editing Listens Listen On:
Name : Identifies the listen when connection is made to the particular specification Protocol: Choice between UDP or TCP Port Bind Address: Should specify the IP address it binds too. Action: Action Type: The action to performed once the connection is made by the outsider Severity: define the level of severity generated by the event to alert the admin. Time out : value in second for server to wait until it closes the connection Sim Name: To specify the Sim Server.

15 Edit Rule

16 Sim Server Sim Banner Sim Standard Server

17 DOS attack configuration
Other FEATURES Alerts Log Database

18 Test Environment Inside the router Outside of router
1) University network [IP address: – Sunil.uwindsor.ca] 2) Home network: putting the honeypot system inside the router [ ] 3) Direct connection to internet through [ ] 4) Tested on local machine [ ] Various test performed:

19 Test 1: FTP emulation

20 Test 2: SMTP

21 Test 3: Other Test (Threats and Viruses)
Sasser worm: TCP port 5554 Attacks from: IP 1: – cm hkcable.com.hk Toronto-HSE ppp sympatico.ca

22 Test 3 -Cont IIS, Dameware, MyDoom attacks
IIS – Web Server, the KFSensor can emulate highly interactive service. Dameware – is a remote control application similar to VNC. Recently hackers use found its vulnerability in buffer overflow and have access to put their code. This threat uses port 6129. MyDoom – It’s a DDOS attack listen on port TCP 3127 and install a back door on the infected system.

23 Test 3 - Cont LoveGate Worm
LoveGate worm infects the system through port 20168 Port Scanning

24 Conclusion Good user interface. Easy to configure emulation services Flexible Minimal risk Limited to only minimal transactions Honeypot Can not replace the existing system. Work better along with it.

Download ppt "Honeypot and Intrusion Detection System"

Similar presentations

HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.

HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
Honey Pots: Natures Dessert or Cyber Defense Tool? Eric Richardson.

Honey Pots: Natures Dessert or Cyber Defense Tool? Eric Richardson.
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
Honeypots and Honeynets Source: The HoneyNet Project Book: Know Your Enemy (2 nd ed) Presented by: Mohammad.

Honeypots and Honeynets Source: The HoneyNet Project Book: Know Your Enemy (2 nd ed) Presented by: Mohammad.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
Honeypots Margaret Asami. What are honeypots ? an intrusion detection mechanism entices intruders to attack and eventually take over the system, while.

Honeypots Margaret Asami. What are honeypots ? an intrusion detection mechanism entices intruders to attack and eventually take over the system, while.
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.

Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
(NHA) The Laboratory of Computer Communication and Networking Network Host Analyzer.

(NHA) The Laboratory of Computer Communication and Networking Network Host Analyzer.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Honeypot An instrument for attracting and detecting attackers Adapted from R. Baumann.

Honeypot An instrument for attracting and detecting attackers Adapted from R. Baumann.
Enterprise Network Security Accessing the WAN Lecture week 4.

Enterprise Network Security Accessing the WAN Lecture week 4.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

Similar presentations

Ads by Google