An Agent Based Intrusion Detection

Published on February 2017 | Categories: Documents | Downloads: 31 | Comments: 0 | Views: 324

An Agent based Intrusion Detection, Response and Blocking using Signature Methods in Active Networks

Shiva Azadegan, Towson University, [email protected]
Vanessa McKenna, Towson University, [email protected]

Abstract

Honeynets have been proven to be a valuable research and teaching tool in the area of computer security and information assurance. At Towson University, since Fall 2002, an undergraduate track in computer security has been made available to the Computer Science majors. The main objective of the track is to build upon the core courses in the computer science program and to provide students with hands-on experience with security tools commonly used in industry. This paper explores educational use of honeynets in several courses required by this track.

Keywords: Computer Security, Education, Honeynets, Security, Honeypots

Introduction

At Towson University, an undergraduate security track for the Computer Science majors [1] was developed and made available to the students in Fall 2002. The main objective of the track is to build upon the core courses in the computer science program and to provide students with hands-on experience with security tools commonly used in industry. The students in this track are required to take the following 7 courses:

1. Computer Ethics (a required course for CS majors)
2. Intro to Information Security
3. Cryptography
4. Network Security
5. Application Software Security
6. Operating Systems Security
7. Computer Security Case Studies

Current research [2,3] indicates that honeynets can be safely deployed in academic environments and universities and be used as a valuable teaching and research tool. Honeynets provide information on the most current security threats and challenges, and on the techniques and tools used by hackers. At the Georgia Institute of Technology [4] honeynets were also used to increase the level of network security across the Georgia Tech campus enterprise network and to assist the system administrators in identifying malicious traffic. This paper explores the use of honeynets in several courses required in this track.

Proceedings of the Fourth Annual ACIS International Conference on Computer and Information Science (ICIS’05)

Definition of Honeynets

A Honeynet is a series of computers with known and unknown vulnerabilities with the express purpose of being compromised by an intruder. An intruder can be an unknown entity from the Internet, or an internal threat. As stated in [5] the goal of a honeynet is to create an environment where the tools and behavior of black hats can be captured and analyzed in the wild. Each computer within the Honeynet whose purpose is to be compromised is known as a Honeypot. Within the Honeynet, there can be several more computers that also serve specific functions, and are shored up against attacks as securely as current knowledge permits. One of these computers is an Intrusion Detection System (IDS). The IDS receives all packets that are sent throughout the network, including those that are intended for Honeypots. These packets are filtered through a rule set and dumped into a binary file or a database. Depending on the overall security design, the computer used to analyze the acquired data can be the IDS computer itself, or a separate entity altogether.

Advantages and Disadvantages of a Honeynet

One major advantage of a Honeynet [6,7] is the fact that every hit on the system is suspect, by the very nature of a Honeynet. Honeypots within the Honeynet are not production machines, which means that they are not used to produce any kind of real data and do not serve any function that is relevant to normal operations within the home network. Therefore, any activity on the Honeypot is suspect, indicating that an attack is occurring on the system. This results in the emergence of several smaller, but equally important advantages. First, the data collected from the Honeynet is of a reasonable size for analysis. No extraneous information, such as broadcast calls from the router, is kept, and no users are authorized on the system. All data collected are significant with respect to an attack, or pre-attack patterns. The next two advantages are strongly related: the Honeynet, for reasons similar to the ones stated above, reduces false positives and false negatives.

The most important aspect of the Honeynet is this: all activity on a Honeypot is the activity of an intruder, or a potential intruder. These are not production machines, so any and all activity is suspect. A second major advantage of a Honeynet is that it requires minimal resources, and can generally be built using machines that are “just lying around.” Any computer that is not currently being used can become a Honeypot. A third major advantage of a Honeynet is the fact that any protocols currently being used can be monitored by the IDS, just by altering the configuration of the IDS. This means that Honeynets are highly flexible entities (Know Your Enemy book, 2004), and can be customized to capture specific data, or generalized to capture every kind of attack, known and unknown. There are two major disadvantages of a Honeynet as well. The first disadvantage is that the Honeypots can only see the interactions occurring directly with them. Any interaction with production systems is not captured by the IDS for the Honeynet, since (depending on architecture) these are two separate entities. Honeynets tend to be isolated entities, largely because of the second major disadvantage: the risk of operating a Honeynet. There is always the possibility that the Honeynet could be compromised and used in perpetuating the illegal behaviors of the intruder. This poses serious legal ramifications for businesses and university settings, and the risk changes with the type of Honeypot used.


Types of Honeypots

One way to categorize honeynets is based on their level of interaction. Using this criterion, we can divide honeynets into three major categories [5]: low-interaction, medium-interaction and high-interaction. The interaction level of a honeypot is directly related to the amount of data that can be collected from intrusions. High-interaction honeypots, as the name suggests, can collect a great amount of data since the intruder has a great deal of interaction with the honeypot. However, the more flexibility the intruder has, the more risk is involved with having that system operational. Low-interaction Honeypots limit what the intruder is able to do, and therefore are less of a risk. However, these Honeypots tend to generate less data, as an intruder who cannot accomplish anything is also likely to leave. Medium-interaction honeypots offer more ability to interact than do low-interaction honeypots but less functionality than high-interaction honeypots.

Projects

In the remainder of this paper we briefly describe several honeynet-related projects that can be incorporated into our security track courses. Currently at Towson University, several graduate students are working on these projects and we are planning to incorporate these projects into our undergraduate security courses in the near future. All the projects are intended to be conducted as team projects. Due to the nature of these projects we do not need high performance and sophisticated hardware; rather, the honeynets can be easily configured on the used and surplus machines which are available at most departments and universities. The software used in these projects is all free solutions or Open Source software. It is imperative before starting the projects to establish a close relationship with the University Information Technology Office, keep them informed about all your activities and have their permission.

Project 1: Honeynets Legal and Ethical Issues

Students must be educated about the concerns of legality, security and privacy of honeynets. We are planning to include modules on these topics in the computer ethics course and the introduction to information security course. The goal of these projects is to familiarize students with the legal aspects of the use of honeynets and with what is and is not allowed under the current laws. Since introduction to information security is the prerequisite to all the other courses in the track, it would be the best place for the coverage of these materials.

Project 2: Deployment of a Simple Honeypot

This project provides students with the opportunity to work with a simple low-interaction honeynet. There is a wide spectrum of honeynets available in the market. We chose BackOfficer Friendly [8], or BOF, for this purpose. In this project students configure BOF to emulate the specific vulnerability known as Back Orifice. BOF carefully tracks the activities of the attackers in the honeypot to see how they exploit the vulnerability. BOF is extremely simple to install and configure and provides an excellent starting place. We are planning to discuss this project in the introduction to information security course.


Project 3: Building a Honeynet

This project provides students with valuable experience in actually setting up their own honeynet. To make this project practical and safe, we do not place the honeynet “live” on the University network; rather, it is isolated in a lab. After setting up the honeynet, students themselves can either simulate attacks or download data from the Honeynet Project Web site. This setting prevents new tools and attacks from being discovered. The only attacks generated are known attacks, and the behavior of the IDS is known as well. This limits the ability to maintain an objective view of the attack. However, one major benefit of this approach is that the alerts generated by the IDS were very understandable: any alert generated was generated by the one attack performed at that instant in time. Thus, it prepares students to work with “live” honeynets. This project is currently being completed by the co-author Vanessa McKenna, a graduate student at Towson University. She allocated four computers, all previously used, for this project. One computer was designated as the firewall, another was designated as the intrusion detection and analysis console, the third was designated the target or victim computer, and the fourth computer was designated the attacker. Each computer’s hard drive was formatted and a version of Red Hat Linux was installed. She is also working on an implementation of a honeynet on a Windows system, which is much easier in comparison to setting up a Linux based Honeynet. For this project the following four components are necessary to begin collecting and analyzing data: 1) WinPcap 2.3; 2) Ethereal 10.9; 3) Snort 2.3; and 4) an analysis and alert console. WinPcap and Ethereal can both be downloaded from the Ethereal website (http://www.ethereal.com/distribution/win32/). Snort can be downloaded from the Snort website (http://www.snort.org/dl/binaries/win32/). The analysis and alert console is a handy tool for real-time monitoring of intrusions. A final optional item for downloading is a database such as MySQL. A database program is not necessary for running Snort and reviewing the collected data, but can make things easier in the long term. Installation of the tools mentioned above is quick and easy and provides students with invaluable experience using these tools. We are planning to incorporate this project into the Network Security course. At present, we offer the security track courses once every year. Students usually take the Network Security course in the Fall semester and Operating Systems Security in Spring. The following project will be conducted in the Operating Systems Security course; it can be considered as the continuation of this project and basically deals with the analysis of the captured data.

Project 4: Analysis of Captured Data

The analysis of the captured data is the most challenging and interesting aspect of running a honeynet. Captured data analysis can provide information on trends of attacker behavior and potential trends of future attacks, and show the methodologies of attackers. Moreover, it shows the vulnerabilities that exist in the system. For example, a case study done by a member of the Honeynet Alliance demonstrates how the Honeynet can be used to analyze attacker behavior. The system in this particular case study was a default server installation of Red Hat 6.0. The attack was discovered through an alert generated by Snort indicating that a ‘noop’ attack had occurred on one of the Honeypots available in the Honeynet (a collection of Honeypots). Two minutes after the attack was initiated, the attacker initiated a connection and logged in to the box. Twenty seconds later, the intruder had elevated his privileges to super user and was in complete control of the box. In this project students analyze the log files generated by tracing the attacker’s footsteps and try to figure out the vulnerabilities. For this project we use older versions of operating systems with known vulnerabilities. In our security lab we use VMware, which basically allows us to create a box with any operating system.
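The kind of timeline reconstruction Project 4 asks students to do, as an added example that is not code from the paper: parse Snort "alert_fast"-style lines, group them per host pair, and flag a NOOP alert that is followed by further activity within a short window, which is the exploit-then-login sequence of the case study. The sample alert lines, rule SIDs, hosts and timestamps are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One line of Snort "alert_fast" output; the constructed sample below follows this layout.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$")

def parse_fast_alerts(text, year=2005):
    """Parse alert lines into dicts; lines that are not alerts are skipped, not fatal."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        a["time"] = datetime.strptime(f"{year}/{a['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        alerts.append(a)
    return alerts

def timeline_by_conversation(alerts):
    """Group alerts per host pair (both directions count), oldest first."""
    conv = defaultdict(list)
    for a in alerts:
        conv[tuple(sorted((a["src"], a["dst"])))].append(a)
    return {k: sorted(v, key=lambda a: a["time"]) for k, v in conv.items()}

def find_followups(alerts, trigger="NOOP", window_minutes=5):
    """Flag host pairs where a NOOP alert is followed by more alerts inside the window."""
    hits = []
    for pair, seq in timeline_by_conversation(alerts).items():
        trig = next((a for a in seq if trigger in a["msg"]), None)
        if trig is None:
            continue
        deadline = trig["time"] + timedelta(minutes=window_minutes)
        later = [(a["msg"], int((a["time"] - trig["time"]).total_seconds()))
                 for a in seq if trig["time"] < a["time"] <= deadline]
        if later:
            hits.append((pair, trig["time"], later))
    return hits
# Constructed sample: one compromise sequence, one unrelated scan, one non-alert line.
SAMPLE = """\
02/14-10:21:03.104211  [**] [1:100001:1] SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.0.0.99:4321 -> 10.0.0.10:21
02/14-10:23:03.104211  [**] [1:100002:1] POLICY inbound telnet login [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.99:4400 -> 10.0.0.10:23
02/14-10:23:23.104211  [**] [1:100003:1] ATTACK-RESPONSES id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.10:23 -> 10.0.0.99:4400
02/14-10:40:00.000000  [**] [1:100004:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.77:55555 -> 10.0.0.10:80
honeypot-01 sshd[123]: not a Snort alert, skipped by the parser
"""
```

Running `find_followups(parse_fast_alerts(SAMPLE))` reports the 10.0.0.99/10.0.0.10 pair with the login 120 s and the root response 140 s after the NOOP alert, while the lone scan from 10.0.0.77 produces no hit.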

Project 5: Developing Signatures for New Attacks

The Computer Security Case Studies is the capstone course for the track. The class is conducted in the security lab and consists of 10-12 hands-on projects. We are currently evaluating several medium to high interaction honeynet solutions to be deployed and configured for use in this class. Students can then apply the knowledge and experience they gained in the previous courses to analyzing the collected data and help to develop signatures for the new attacks. For this project we need to work closely with the University Information Technology Office.

Advanced Research Projects

Honeynets provide a fertile ground for a very broad range of research topics that can be either incorporated into graduate security courses or conducted as graduate projects. Some of these topics include: distributed honeynets, design and implementation of wireless honeynets, virtual honeynets, data mining and distributed agents.

Conclusion

To better prepare and educate our students in the area of information assurance we are working on several projects using honeynet technology to be incorporated into our computer security track courses. We firmly believe that honeynets provide a valuable teaching tool and provide students with the most up-to-date security challenges and threats. Moreover, our graduates in the computer security field must have the knowledge and skills necessary to work with these tools.

References:

[1] Azadegan, O’Leary, Lavine, Wijesinha, Zimand, “An Undergraduate Track in Computer Security,” Proceedings of ACM ITiCSE 2003, Thessaloniki, Greece, July 2003.
[2] Jones, Romney, “Honeynets: An Educational Resource for IT Security,” Proceedings of ACM SIGITE 2004, Salt Lake City, Utah.
[3] Levine, LaBella, Owen, Contis, Culver, “The Use of Honeynets to Detect Exploited Systems Across Large Enterprise Networks,” Proceedings of the IEEE Workshop on Information Assurance, West Point, New York, June 2003.
[4] “Know Your Enemy: Honeynets in Universities,” Honeynet Project, www.honynet.org.
[5] Lance Spitzner, Honeypots: Tracking Hackers, Addison Wesley, 2003.
[6] Know Your Enemy: Learning about Security Threats (2nd Edition), Honeynet Alliance, 2004.
[7] Know Your Enemy: Honeynets, www.honeynet.org/papers/honeynet/index.html
[8] Back Orifice, www.cultdeadcow.com/tools/bo_plugins.html

Proceedings of the Fourth Annual ACIS International Conference on Computer and Information Science (ICIS’05) 0-7695-2296-3/05 $20.00 © 2005 IEEE
