
8/8/2019 IDS_MIS

http://slidepdf.com/reader/full/idsmis 1/13

DECEPTION SYSTEMS – A Field of Intrusion Detection Systems

Their Business Applications

 

Author:

Venkata Deepthi Bhavaraju

10BM60095

Vinod Gupta School of Management

IIT Kharagpur 


ABSTRACT

We have all heard the recent news that a new breed of cyber terrorists has been able to break into a plane's sophisticated onboard computer systems, with the capability to force the plane to crash. We have also heard of intruders breaking into e-commerce websites and playing havoc.

Dependency on the Internet is increasing very rapidly on both the personal and the commercial fronts. This makes intrusion detection even more challenging. The intrusion detectors that applications use should not only detect intrusions but also react differently to different intrusions.

To date we have had firewalls, Network Intrusion Detection Systems (NIDS), log file checkers, etc. A new innovation in this domain is deception systems. As the name suggests, these systems deceive the intruder. They aid in learning the methods that intruders use and distract intruders from real systems and services. Honeypot technologies are one such example of a deception system.

In this paper I would like to delve into how these systems can be more useful to the field of network security and the improvements possible in the future.

1. WHY INTRUSION DETECTION SYSTEMS?

Attacks on industrial systems are increasing fast.

Early this year, experts in Washington discovered malicious code, a "worm", which could take over the systems that control the inner workings of industrial plants. Power plants and many critical operations around the world are at great risk.

We are also aware of the recent allegation that Chinese hackers intruded into systems in India and in Indian missions, stealing sensitive data about Indian missile systems.

Attacks on systems and data have become a reality, and detecting and responding to these attacks has become the norm. Gone are the days when strong passwords and firewalls alone were sufficient to protect systems and data. To protect sensitive information such as that in the examples above we need a more active approach. An effective intrusion detection system can be one solution.

“An intruder is anything that is attempting to break into a system.”

An intrusion detection system keeps a tab on network traffic and, in case of suspicious activity, either notifies the network administrator or takes defensive action such as blocking the user or the source IP address from accessing the network.


Figure: General Model

The above figure shows the general model of an intrusion detection system.

According to Sriram Rajan, intrusions can happen in any of the following forms:

• Software bugs

• Information gathering

• Unsafe passwords

• Protocol vulnerabilities

• Denial of Service

2. EXISTING IDS

To date we have been working with the following types of intrusion detection systems.

• Network intrusion detection systems

In these systems, sensors are placed at a few locations. The sensors monitor network traffic and identify whether there are any intrusions, generating an alert when one is found. A NIDS usually identifies threats in one of the following two ways:


o Signature-based intrusion detection systems

This IDS keeps a tab on the network traffic and detects threats based on the specific signatures of known threats.

o Anomaly-based intrusion detection systems

This IDS compares the network traffic with a previously established baseline. For any packet that deviates significantly from the baseline bandwidth or the baseline set of protocols, an alert is sent to the administrator.

Figure: An illustration of a Network Intrusion detection system

• Host intrusion detection systems

In these systems, agents are present on each host in the network. The agents analyze the activities of their hosts and, in case of malicious activity, report them to a centralized console. Here the malicious processes can be examined in much more detail.
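To make the two NIDS detection styles above concrete, here is an added example (not code from the paper): a toy signature matcher and a toy anomaly detector run over a few constructed flow records. The signature table, the flows and the addresses are all made up for illustration. The run shows one signature hit, an encrypted copy of the same request that no signature can see, a new protocol that the baseline flags (a likely false positive), and a bandwidth outlier, which are exactly the strengths and blind spots the paper describes.

```python
"""Added example (not part of the paper): signature-based and anomaly-based
NIDS decisions over constructed flow records."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Flow:
    src: str
    dst_port: int
    protocol: str
    nbytes: int
    payload: bytes  # first bytes on the wire; b"" when encrypted or unavailable


# Constructed signature table (pattern -> rule name); illustrative, not real IDS rules.
SIGNATURES = {
    b"GET /cgi-bin/../../etc/passwd": "path-traversal-attempt",
    b"' OR 1=1 --": "sqli-tautology",
}


def signature_alerts(flows):
    """Return (flow_index, rule) for every payload matching a known signature.
    A flow whose payload is encrypted (empty here) can never match."""
    hits = []
    for i, f in enumerate(flows):
        for pattern, rule in SIGNATURES.items():
            if pattern in f.payload:
                hits.append((i, rule))
    return hits


class AnomalyDetector:
    """Baseline = mean/stdev of bytes per flow plus the set of protocols seen in a
    training window. A flow is anomalous when it is more than `k` standard
    deviations above the mean size or uses a protocol never seen in training."""

    def __init__(self, k=3.0):
        self.k = k
        self.mean = 0.0
        self.stdev = 0.0
        self.protocols = set()

    def train(self, flows):
        sizes = [f.nbytes for f in flows]
        self.mean = mean(sizes)
        self.stdev = pstdev(sizes)
        self.protocols = {f.protocol for f in flows}

    def alerts(self, flows):
        out = []
        for i, f in enumerate(flows):
            if f.protocol not in self.protocols:
                out.append((i, "unknown-protocol"))
            elif f.nbytes > self.mean + self.k * self.stdev:
                out.append((i, "bandwidth-outlier"))
        return out


# Constructed baseline window: ordinary HTTP, DNS and HTTPS traffic.
BASELINE = (
    [Flow("10.0.0.%d" % i, 80, "http", 1200 + 50 * (i % 5), b"GET / HTTP/1.1") for i in range(20)]
    + [Flow("10.0.0.%d" % i, 53, "dns", 90, b"") for i in range(20)]
    + [Flow("10.0.0.%d" % i, 443, "https", 1400, b"") for i in range(10)]
)

# Constructed live traffic to classify.
LIVE = [
    Flow("10.0.0.3", 80, "http", 1250, b"GET / HTTP/1.1"),                              # normal
    Flow("198.51.100.7", 80, "http", 1400, b"GET /cgi-bin/../../etc/passwd HTTP/1.0"),  # signature hit
    Flow("198.51.100.7", 443, "https", 1400, b""),                                      # same request over TLS: invisible to signatures
    Flow("10.0.0.9", 6881, "bittorrent", 1300, b""),                                    # protocol not in baseline: anomaly (likely a false positive)
    Flow("10.0.0.4", 80, "http", 250000, b"GET / HTTP/1.1"),                            # bandwidth outlier
]


def run():
    """Train on the baseline and return both detectors' alerts over LIVE."""
    det = AnomalyDetector()
    det.train(BASELINE)
    return {"signature": signature_alerts(LIVE), "anomaly": det.alerts(LIVE)}


if __name__ == "__main__":
    for kind, hits in run().items():
        print(kind, hits)
```

Flow 2 is the instructive case: the encrypted request matches no signature and looks like ordinary HTTPS to the baseline, so neither detector sees it, which is the "encryption blinds the NIDS" limitation discussed in the next section.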

3. DISADVANTAGES OF NIDS AND HIDS

In large networks, when network traffic is very high, a NIDS may not efficiently monitor and analyze all the attacks, and some attacks may be overlooked. Network-based IDSs may also be unable to monitor high-speed networks effectively.


Typically, network-based IDSs cannot analyze encrypted data, nor do they report whether attempted attacks succeed or fail.

In a rule-based NIDS, the database has to be updated with new rules whenever new attacks are detected, so that further attacks can be identified. In an anomaly-based NIDS, the challenge is defining the baseline, that is, defining what is normal. Chat programs, peer-to-peer networks, new implementations of existing protocols and the dynamic nature of IP communications all make it extremely difficult to establish a metric by which to define normal network behavior.

A NIDS can often generate false alerts. Similarly, it can also fail to alert, especially for new attacks, which leaves organizations vulnerable to new intrusions.

Most NIDS technologies find it difficult to comprehend IPv6 packets.

To protect the data sent, it is usually encrypted by methods such as SSH, SSL or IPsec. This encryption may also blind the NIDS from detecting the attack.

To cater to large networks and huge volumes of network traffic, a NIDS has to rely on resources. As network speed and data volume increase, the sensor's capacity has to increase to keep up. It will also require disk space to store the large databases. This is becoming more of a problem as networks migrate from 10/100 Megabit to Gigabit networks.

In a HIDS, data collection occurs on a per-host basis. A HIDS consumes the processing time, storage, memory and other resources of the host it is protecting. Reporting detections by writing to logs can decrease network performance. Host-based IDSs can be foiled by DoS attacks, since these may prevent any traffic from reaching the host where they're running or prevent reporting of such attacks to a console elsewhere on the network.

4. EMERGING IDS: DECEPTION SYSTEMS

Deception systems are one type of intrusion detection system that has been gaining importance in recent years. Honeypot technology is a deception system that protects the network from intrusions by "detecting, deflecting and counteracting the attempts at unauthorized use of information systems".

As the name suggests, a honeypot appears to be an attractive target to the intruder. Real systems can be set up as honeypots, or some kind of emulator that appears as a server or a network device can be used. The attacker is lured to the honeypot, which then records all the attacker's actions. Depending on the customization done to the honeypot, it performs automatic alerting, triggered responses, data analysis or summary reporting.

How is it different from the rest of the intrusion detection systems?


One major advantage of this system is that it wastes the attacker's time. While the attacker spends a long time exploring the honeypot, the honeypot tries to assess the means and the motives of the attacker more precisely. This information is then reported and can be used to make other machines immune to the tools being used by the intruder. It also gives the attacker a wrong impression of the security measures of the system. Thus the attacker spends time finding tools to exploit the honeypot which will not work on the real system. Unlike other intrusion detectors, a honeypot has no false positives. This way it can detect more attacks than other IDS measures. Honeypots not only eliminate false positives but are also good at catching false negatives. They can easily identify any new intrusions.

When attackers target large organizations they look for vulnerable systems through which to gain entry. If honeypots are used, the probability of a valuable machine being targeted is reduced. The honeypot will detect and record the initial scan as well as any subsequent attack.

New vulnerabilities can be detected and new attack tools can be developed. Another advantage of honeypots is that even new or unknown attacks which exhibit no signature or anomalous characteristics can be detected. A honeypot can also detect and record incidents that may last for months, which otherwise cannot be detected by a NIDS or a HIDS, since the time involved makes them very difficult to differentiate from normal traffic without being prone to false positives.

According to Lance Spitzner “Since a honeypot has no production activity, no authorized, legitimate

interactions will take place on it. Anytime anything or anyone is interacting with the honeypot, it is most

likely indicative of unauthorized or malicious activity. This concept is extremely simple, but extremely

effective.”

Honeypots only collect data when someone or something is interacting with them. Organizations that log thousands of alerts a day may log only a hundred alerts with honeypots. This makes the data honeypots collect much easier to manage and analyze.

Honeypots require minimal resources, even on the largest of networks. According to Lance Spitzner, "A simple Pentium computer can monitor literally millions of IP addresses on an OC-12 network." A honeypot will detect an intrusion even if the attack is encrypted, unlike a NIDS.

A honeypot will detect an intrusion irrespective of the IP protocol the attacker uses. According to Lance Spitzner, "In one documented case, a Solaris honeypot detected and captured an attack where attackers attempted to hide their communications using IPv6 tunneling within IPv4. On the other hand, there are almost no NIDS technologies that can decode IPv6 or IPv6-tunneled traffic."

Another major advantage is that, unlike a NIDS, honeypots do not have to update any rules, nor do they require advanced algorithms to monitor the network traffic.
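The principle Spitzner describes, that a honeypot has no production activity and so any interaction at all is an alert, can be seen in a minimal listener. The following is an added example, not the paper's own code nor that of any product it names: it binds a decoy service on the loopback address, greets each client with a constructed banner, and records every connection as an alert whether the bytes it receives are readable or opaque, with no signature table and no baseline. Host, port, banner and the two probe payloads are all assumptions for the demonstration.

```python
"""Added example (not part of the paper): a minimal low-interaction honeypot
that treats every connection as an alert."""
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone


class HoneypotHandler(socketserver.BaseRequestHandler):
    BANNER = b"220 mail.example.internal ESMTP ready\r\n"  # constructed decoy banner

    def handle(self):
        self.request.settimeout(2.0)
        self.request.sendall(self.BANNER)
        try:
            data = self.request.recv(1024)
        except socket.timeout:
            data = b""
        event = {
            "time": datetime.now(timezone.utc).isoformat(),
            "peer": self.client_address[0],
            "peer_port": self.client_address[1],
            "first_bytes": data[:64],
            "alert": True,  # no legitimate client exists, so every contact is suspicious
        }
        with self.server.lock:
            self.server.events.append(event)


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr):
        super().__init__(addr, HoneypotHandler)
        self.events = []            # captured interactions, each one an alert
        self.lock = threading.Lock()


def start_honeypot(host="127.0.0.1", port=0):
    """Bind the decoy and serve in a background thread; port=0 lets the OS choose."""
    server = Honeypot((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, payload):
    """Stand-in for an arbitrary remote client: read the banner, send bytes, hang up."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(256)
        s.sendall(payload)
    return banner


def wait_for_events(server, n, timeout=3.0):
    """Poll until the honeypot has recorded at least n events (handlers run in threads)."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        with server.lock:
            if len(server.events) >= n:
                return list(server.events)
        time.sleep(0.05)
    with server.lock:
        return list(server.events)


def demo():
    """Constructed scenario: one readable probe and one opaque, encrypted-looking probe.
    Both are recorded and both are alerts; the honeypot never needed to understand them."""
    server = start_honeypot()
    host, port = server.server_address
    probe(host, port, b"EHLO scanner\r\n")
    probe(host, port, bytes.fromhex("1603010200010001fc0303"))  # constructed opaque bytes
    events = wait_for_events(server, 2)
    server.shutdown()
    server.server_close()
    return events


if __name__ == "__main__":
    for e in demo():
        print(e["time"], e["peer"], e["first_bytes"], "ALERT" if e["alert"] else "")
```

Because the listener has no production role, the alert volume is exactly the number of contacts, which is the "hundred alerts instead of thousands" effect described above; the events list is the whole dataset an analyst has to review.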

A few examples of honeypot installations:


• Installing a machine on the network with no particular purpose other than to log all attempted access.

• Special software can be installed for these purposes. We have to create an impression of accomplishment for the intruders without really allowing them access.

• Any existing system can be "honeypot-ized".

Honeypot Objectives

An organization should have a clear picture of the working of the honeypot before deploying it. "It can serve as a decoy to deflect the hacker from breaking into the real system, as a research tool for systems administrators merely to observe and learn how hackers operate and about weaknesses in their systems, or as a tool to monitor and document evidence for criminal prosecution." The operating system and the web server should be decided beforehand. Even if the honeypot is compromised, it should not prove to be a threat to the rest of the network. The traffic coming out of the honeypot should therefore be carefully monitored.

• The honeypot system should appear generic.

• The honeypot should not act as a launch point for further attacks against the network.

• The honeypot should be able to lure the attackers.

• Honeypots may be set up in front of a firewall, in the DMZ, or behind a firewall. The closer the honeypot is to the actual servers, the more likely it is to tempt users. Therefore it is preferable to set it up behind a firewall.

5. DEPLOYING HONEYPOTS

Honeypots are deployed in networks called honeynets. "A honeynet can be defined as a collection of high interaction honeypots configured in a secured and monitored environment". The following figure illustrates a honeynet. We have one computer configured as a Windows honeypot, one as a Linux honeypot, one as a gateway and one to collect all the log information.

The gateway helps filter the traffic, which makes it easy to manage the network activity within the honeynet. It also provides better security by providing a good logging system.

Each of the honeypots is configured to run a few services. The idea behind this is to make the system look like a regular system, though nothing is done extensively.


The following figure shows the deployment of honeypots by the Honeypot Project.

Figure: Deploying Honeypots in networks called Honeynets

Currently there are a few honeypot technologies available. Four of them are:

• Mantrap

It is one of the leading deception systems in the industry. It is primarily concerned with internal security. "ManTrap can create a virtual minefield that an internal attacker must successfully navigate in order to reach his target. One step in the wrong direction and the attacker is exposed. The main concept behind ManTrap is so-called cages (decoys)". The following figure gives a brief overview of the working of Mantrap cages.


Figure: Mantrap cages

• Honeyd

It is an open source computer program. "It can set up and run multiple virtual hosts on a network and can mimic several different types of servers".

• Deception Toolkit

It is a set of fake services. It uses deception to counterattack.

• BOF (BackOfficer Friendly)

It is a "common man's" honeypot. It is very user friendly and can be deployed on every computer.

6. IMPROVEMENTS IN HONEYPOT TECHNOLOGIES

There has been a rise in the use of honeypots and related technologies. Their use in organizations as a security tool will also increase as awareness increases. There is scope for the development of honeypot tools; logging and tracing back to the source can still be improved. According to Sriram Rajan, "System modules for sophisticated keystroke logging, better filtering tools and utilities to capture encrypted traffic are a few things that could be worked on. One can even consider an out-of-the-box honeypot distribution with a modified kernel to make it easy for system administrators to deploy honeypots."

7. DISADVANTAGES OF HONEYPOTS


A major disadvantage is their limited field of view. They only deal with intrusions that are directed against them; attacks on other systems will be missed.

If a honeypot system is successfully attacked, it can be used to further compromise the network or other networks. This is perhaps the biggest danger in setting up such a system. One solution to this problem would be to place the honeypot behind a firewall. This may make it more difficult for a potential attacker to reach the honeypot, but it minimizes outbound traffic.
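The requirement stated in the Honeypot Objectives (the honeypot must not become a launch point, so its outbound traffic is carefully monitored), the gateway's filtering role in the honeynet of section 5, and the firewall placement recommended here all come down to one gateway-side policy: let attackers in freely, but budget what the honeypot may initiate outward. The following is an added example, not the paper's code nor any honeynet product's: a sliding-window outbound budget per honeypot, evaluated over a constructed connection log. The honeypot addresses, budget and timestamps are assumptions.

```python
"""Added example (not part of the paper): honeynet gateway "data control" that
caps outbound connections initiated by each honeypot and alerts on the excess."""
from collections import defaultdict, deque

HONEYPOTS = {"10.10.0.11", "10.10.0.12"}  # hypothetical honeypot addresses behind the gateway


class OutboundControl:
    def __init__(self, max_per_hour=5, window_seconds=3600):
        self.max = max_per_hour
        self.window = window_seconds
        self.history = defaultdict(deque)  # honeypot ip -> timestamps of allowed outbound connections
        self.alerts = []

    def decide(self, ts, src, dst, dport):
        """Return 'pass', 'allow' or 'block' for one new connection attempt.
        Inbound and non-honeypot traffic passes untouched (that is the lure);
        outbound from a honeypot is counted against a sliding-window budget and
        blocked, with an alert, once the budget is spent."""
        if src not in HONEYPOTS:
            return "pass"
        q = self.history[src]
        while q and ts - q[0] >= self.window:   # drop entries older than the window
            q.popleft()
        if len(q) < self.max:
            q.append(ts)
            return "allow"
        self.alerts.append({"time": ts, "honeypot": src, "dst": dst, "dport": dport,
                            "reason": "outbound budget exceeded"})
        return "block"


# Constructed connection log: (unix time, src, dst, dport)
EVENTS = [
    (1000, "203.0.113.5", "10.10.0.11", 22),    # attacker reaches the honeypot: pass
    (1200, "10.10.0.11", "203.0.113.5", 4444),  # honeypot phones home once: within budget
    *[(1300 + i, "10.10.0.11", "192.0.2.%d" % i, 445) for i in range(10)],  # burst of scans from the honeypot
    (6000, "10.10.0.11", "198.51.100.9", 80),   # window has slid past the burst: allowed again
    (6100, "10.10.0.12", "198.51.100.9", 80),   # the other honeypot has its own budget
]


def apply_policy(events, max_per_hour=5):
    """Run the policy over a log; return the per-event decisions and the alerts raised."""
    ctl = OutboundControl(max_per_hour=max_per_hour)
    decisions = [ctl.decide(*e) for e in events]
    return decisions, ctl.alerts


if __name__ == "__main__":
    decisions, alerts = apply_policy(EVENTS)
    for e, d in zip(EVENTS, decisions):
        print(d.ljust(5), e)
    print(len(alerts), "alerts")
```

The budget is deliberately non-zero: a honeypot that can never connect out gives the attacker an immediate tell and loses the download of their tools, while a small budget keeps the honeypot from being useful as a scanning or DoS platform. In the constructed log the ten-connection burst produces four allows and six blocks, and the slid window lets the later connection through.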

8. APPLICATIONS OF DECEPTION SYSTEMS

Governments and businesses are on the lookout for effective tools to prevent and detect attacks on their critical information systems. The innovative technique of honeypots can be used not only to deflect hackers from the real systems but also to help find forensic information about the hackers.

An intruder might be trying to gain access to a system for some criminal activity, which could be terrorism or illegal money transactions. He might also try to launch a "denial-of-service" attack against other systems. There have been instances of intrusions causing losses in each of the following areas, and honeypots can be a better solution in each case.

Banking

There have been many instances where hackers gained financially by intruding into electronic bank accounts. They could steal credit card information or simply resell the data.

Power plants and smart grids

A recent area where intrusions are possible is power plants and smart grids. A smart grid is one which supplies electricity based on digital technology.

Defense

Flight hijacking is a recent case where intrusions are playing havoc. By adopting honeypots, these catastrophes could be avoided.

Other Business Applications

Sometimes competitors intrude into a business's systems to access the company's secrets, data and customer information.

9. ECONOMIC VIABILITY


The return from implementing honeypots can be calculated by deducting the implementation costs from the money saved or the costs avoided by the implementation.

Honeypots are very cost-effective solutions. Since they require fewer resources and less maintenance, costs can be greatly reduced. A lot of money need not be spent on infrastructure. "A simple Pentium computer with the 10/100 network interface card will do fine on a OC-12 network". There are also great savings possible due to the fewer man-hours required.

One disadvantage of honeypots is the cost incurred if they run into legal issues.

Another issue is that as the number of honeypots increases, even under low or no attack conditions, the average response time increases, because active servers which could otherwise have served client requests take up the role of honeypots when there are no attacks.

10. FUTURE SCOPE

How Future Technologies adapt to Honeypots

IPv6 and wireless technologies are the technologies of the future. How IPv6 would affect existing intrusion detection measures and honeypots is yet to be researched. Wireless technologies are the rage of the future. With laptops, palmtops and new innovations coming up every day, wireless honeypots could be the next big thing in intrusion detection systems.

11. CONCLUSION

Honeypots are a powerful solution for detection. Instead of replacing the existing technologies with honeypots, they should be deployed to work alongside the existing technologies. This way the security level will be higher and many of the disadvantages of the current technologies will also be overcome.

Though the advantages of honeypots are numerous, many industrial nations are skeptical about the legal risks associated with operating a honeypot. This issue is acting as a hindrance to honeypots being used as a tool to fight criminal and terrorist attacks against critical information systems.


REFERENCES

1. Intrusion detection systems and the Use of Deception systems – Sriram Ranjan

2. Symantec Deception Server Experience with a Commercial Deception System - Brian Hernacki,

Jeremy Bennett, and Thomas Lofgren, Symantec Corporation.

3. http://www.symantec.com/connect/articles/honeypots-simple-cost-effective-detection

4. http://books.google.co.in/books?id=Su2k_CQCj-oC&pg=PA53&lpg=PA53&dq=costs+of+honeypots&source=bl&ots=kt7oQJvZQZ&sig=T072enMn79H5uiMR2WExV1jo-Yk&hl=en&ei=EavXTPr5IIbsuAPTs9yWCQ&sa=X&oi=book_result&ct=result&resnum=8&sqi=2&ved=0CDYQ6AEwBw#v=onepage&q&f=false

5. http://www.all-nettools.com/articles/importance-of-using-intrusion-detection-tools.htm

6. http://technology.ezinemark.com/importance-of-intrusion-detection-for-an-enterprise-16cf4f0e14d.html

7. http://www.symantec.com/connect/articles/honeypots-simple-cost-effective-detection

8. http://www.tracking-hackers.com/
