HONEYPOTS Joseph John Gabriel

Student, Department of Dual Degree Master of Computer Application

SCMS School of Management and Technology
imca-34@scmsgroup.org
Guide: Mr. Praveen Kammath.Guide Name/s per 2nd A

thor) li1 (of Affiliatiione y, Cuny

Abstract. A honeypot is a security system designed
to detect and counteract unauthorized access or use
of a computer system. The name "honeypot" is used
in reference to the way the system traps
unauthorized users, such as hackers or spammers
so they can be identified and prevented from
causing further problems. Honeypots are different
than typical security solutions because they
intentionally lure in hackers or users with malicious
intent. For example, a company may purposely
create a security hole in their network that hackers
could exploit to gain access to a computer system.
The system might contain fake data that would be of
interest to hackers. By gaining access to the data,
the hacker might reveal identifying information,
such as an IP address, geographical location,
computer platform and other data. This information
can be used to increase security against the hacker
and similar users.
Keywords: Intrusion detection system, honeypots,
attacker, security.
I.
INTRODUCTION
A honeypot is used in computer and network
security fields. It can be considered as a service or a
resource which is intended to be attacked and
compromised to gain more information about the
attacker and their methods and tools used for the
breach. It can also be deployed to attract the
attacker and divert his action away from real
targets[1].
The idea of honeypots was mainly circulated by
Lance Spitzner through his honeynets project.
According to Lance Spitzner, a honeypot is a
system designed to learn how “black-hats” probe
for and exploit weaknesses in an IT system.
Compared to an intrusion detection system,
honeypots have the upper hand that they do not
generate false alerts as each observed traffic is
suspicious, because there is no productive
components running on the system under scanner.
This easily enables the system to log every byte that
flows through the network to and from the
honeypot, and to compare and check this
information from other known sources to get a
picture of an attack and the attacker.
In system security, honeypots are used to gain
knowledge of the assailants, their methods from
their assaults and after that change and reorganize
the framework to strengthen up the security. The
escape clauses of the system security can be secured
with the assistance of data given by honeypots.
Honeypot can be figured as a framework used on a
system for finding out the vulnerabilities of a PC or
the entire system. The escape clauses can be
checked as a whole or separately of any framework,
as it is a selective system to learn about the
assailants and their assault methods used on the
system[2].
II.
CLASSIFICATION OF HONEYPOTS
Honeypots are regarded as virtual machines
which acts like a genuine PC or network
framework. Honeypots can be classified into taking
after classes on their utilization:
 Research honeypots: These honeypots are
used mainly for observing and are utilized to
obtain data and watch the black-hat society.
The information picked up by the specialists
are utilized for the early notices, judgment
 of assaults, improve the interruption
discovery frameworks and outlining better
devices for security.
 Production honeypots: These honeypots
are deployed by the enterprises as an
addition to system security’s frame. These
honeypots fill in as early alerting
frameworks. The purpose of these honeypots
is to expel the dangers in enterprises. It
gives the data to the administrator in charge
before the genuine assault[2].
Honeypots can be again grouped on the basis of
level of contribution or collaboration as:
o Low level interaction: Honeypots that give
just some fake service alike works, they are
positioned as an emulator of the working
framework. They are easy to be built but
also are easy for the attackers to find out. In
a basic form, these services can be
monitored by having a listener on specific
port. Aggressor can simply utilize a
straightforward charge to recognize it that a
low interaction honeypot does not bolster. A
case of this kind of honeypot is Honeyd.
 Honeyd: Honeyd, also known as
honey daemon, is an open source III.
honeypot which was primarily used
in Linux but now has windows
capability too. It is easy to be
implemented. Listener ports doesn’t
need to be created manually as
honeyd has built in capabilities for
this. It can listen to TCP and UDP
port hence becomes a low-level
interaction honeypot that simulates
TCP and UDP services.
o High level interaction: These honeypots
offer real services from a real like operating SleuthKit[4].
system. These are machines that have a real
system with a real network interface and
positioned inside a network. These permit
the catching of data of the attacker and
observe and log their methods and activities.
A case of this kind of honeypot is Honeynet.
 Honeynets: Honeynets can be described
to be a collection of at least two
honeypots. A honeynet is used when
there is a need to observe a bigger or
potentially more complicated system in
which one honeypot won’t be successful.
Honeynets and honeypots are normally
executed as parts of bigger system
interruption recognition frameworks. A
honeyfarm is a concentrated collection
of honeypots and similar investigation
apparatuses.
Figure 1: Taxonomy of Honeypot
BUILDING A HONEYPOT
For building a honeypot, several virtual
machines are created. They are then setup on a
private network with the host operating system. To
facilitate data control, a stateful firewall such as IP
tables can be used to log connections. This firewall
would typically be configured in Layer 2 bridging
mode, rendering it transparent to attacker. The final
step is data capture, for which tools such as Sebek
and Term Log can be used. Once data has been
captured, analysis on the data can be performed
using tools such as Honey Inspector, PrivMsg and
Honeypot technology under development will
eventually allow for a large-scale honeypot
deployment that redirects suspected attack traffic to
honeypot
 o Penetrates demilitarized zone and scans
network IP addresses.
o The redirection appliance.
o Monitors all unused addresses and uses layer
2 VPN technologies to enable firewall.
o TO redirect the intruder to honeypot.
o This may have honeypot computers
monitoring all types of real network devices.
o Scanning the network for vulnerable
systems is redirected[4].
IV.
OBJECTIVE
The main objective of using honeypots is to
find the attacker by the connection tracking or the
pattern flow detection technique. After then confuse
the attacker that the attacker is spoofing the
information from the legitimate user, but actually
that was not the legitimate user, originally that was
the duplicate or the false computer where the
attacker attack the information. So objective of
honeypot to confuse the attackers.
Here the production honeypots are used to
help reduce risk and diverting hackers from
attacking the production systems whereas a
research honeypot is used to collect as much
information and evidence as possible about the
blackhat community.[1] Research honeypots might
be valued lesser than production honeypots to the
organization but they help the organization to
understand the techniques used for attacks and
secure the network even more. Data that is collected
from the honeypot is of high value and can
definitely lead to clearer comprehension to increase
the security of an organization’s IT environment.
Honeypots can either monitor all the traffic in a
network and collect vast amount of information,
more security can be gained but most of it will be
redundant and useless to the organization, and on
the other hand, it collects very little data, but can be
of very high value. Sometimes, the probability of
finding a honeypot in the network can be quite low
as it does not have any production activity, thus
does not generate high noise level. Depending on
the honeypot tools used, useful information can be
understood by the administrator from the easy-to-
use graphical user interface. Data, especially those
of malicious activity, can be used for statistical
modelling, trend analysis, detecting attacks, or even
researching attackers. Depending on the placement
of the honeypot, and if they collect little data and
monitor little activity, they will not have problems
of resource exhaustion. [4]
Now the some of the other main objectives of
using the honeypot for the Intrusion Detection
environment so that the computer network become
secure from the intruder or the hacker attack
described as below[4,5]:-
 Network decoys: Honeypots are useful for
monitoring networks. For monitoring,
honeypots are deployed in such parts of a
network that are not used for production.
When an attacker probes the network, some
traffic should eventually hit one of the
honeypots. As normal traffic should not
arrive at honeypots, warnings are rather
reliable. However, honeypots are useless if
the attacker is aware of them. Neither can
they detect the absence of attacks. Besides
of network monitoring, honeypots can be
used for confusing attackers by
implementing decoy systems. The attacker
might not be able to tell which systems have
real value and which do not. Because of this,
the attacker may have to work harder and
use more time targeting the system. This
makes detection easier. Nevertheless, the
setup of decoys can be rather tedious, and
they involve risk, as well. So this about the
network decoy to protect the system from
the intruder or the unauthorized user means
hacker.
 Prevention of spam: Spammers abuse open
mail relays and open proxies to hide their
identity. An open mail relay accepts any
sender without authentication to send mail
further. Open proxies accept any client in the
network to make connections through it.
Honeypots masquerading as open mail
relays or open proxies can be used to capture
spam and reveal its sources. Captured spam
makes it possible to improve filtering.
Knowing a source of spam might allow
switching off the spammer from the
 network. Alternatively, a honeypot can
collect source addresses of attempted mail
deliveries. The addresses are temporarily
added into the actual mail server’s blacklist.
This helps to filter out sources that almost
certainly try to send spam. Honeypots seem
to have been effective to some extent since
spammers have developed methods to detect
false open proxies. A simple test is to try to
send mail back to itself by the proxy. The
proxy is very likely a honeypot if it claims a
success, but in reality the message has not
come back. The test is relatively simple to
counter, however. The honeypot has only to
compare the source and destination
addresses and let the connection through if
they are the same. A more complicated test
would place the sender and receiver on
different hosts. In a general setting, this is
much more difficult to cope without being
detected as the honeypot should not be a real
open proxy. Unfortunately, honeypots are
probably less effective against spam sent
using botnets than by open mail relays and
open proxies. A botnet’s controller is
presumably carefully hidden and can not be
figured out from spam delivery attempts. In
addition, blacklisting attempts are not very
useful either, since there are so many
potential senders.
 Collecting malware: A suitable honeypot
can automatically collect samples of
malware that spread autonomously. This
allows large-scale capture of currently active
malware. This in turn allows, for example,
research on live data and constant
refinement of intrusion detection and
antivirus software. Manual capture of
malware would be just too slow. The
objective of a malware-collecting honeypot
is essentially to download the actual
malware and record the details of that event.
When a network connection might lead to an
exploit, the honeypot captures the
connection’s payload. It is then analysed
whether the payload contains machine
executable code or network addresses. If
enough information is found, the honeypot
downloads the possible malware. Low-
interaction honeypots can, at least in
principle, capture only malware that exploit
known vulnerabilities since they rely on
emulation. More comprehensive capture
requires a high-interaction honeypot which
runs a real operating system.
 Detection of malicious Web content:
Vulnerabilities in Web browsers might allow
malicious Web pages to install malware into
the system. Exploited pages are rather
common nowadays, and thus their manual
detection and analysis is not practical. Client
honeypots can automate detection at least
partially and help out in analysis.
HoneyMonkey is a high-interaction client
honeypot for detecting exploits. The system
consists of a set of Windows XP instances
with different levels of patches running in
virtual machines. The system is given a list
of URLs that a modified Web browser
within a virtual machine visits one by one.
Between the URL visits, the state of the
system, files and registry, is checked. If
there were any modifications outside the
browser’s working area, the URL would be
reported as an exploit and marked for further
analysis. In that case, the exploited virtual
machine instance is discarded and a clean
one is started.
V.
WORKING TECHNOLOGY
 Data Capture: The purpose of data capture
is to log all the activities of an attacker. The
Honeypot does exactly this that it collects
information. The HoneyAnalyzer System
has two sources of data: Honeypot log and
network traffic log from Tcpdump. The
Honeyd framework supports several ways of
logging network activity. It can create
connections logs that reports attempted and
computed connections for all protocols. But
to analyze the complete attack scenario, the
system need full payload of the packet
entering and leaving the honeypot. This task
is performed by the second element that is
 Tcpdump which captures every packet full
payload. Tcpdump is a tool for network
monitoring and one of the well known
sniffers for Linux. It then dumps packets
header information in the log file.
 Data Analysis: In order to extract the more
precise attack signature, a data analyzer has
been developed as shown:-
 The web interface gives a graphical
output using which security
administrator can easily find out most
attacked port, So these are the IP address
to detect the location of the attacker or
hacker. The proposed method of
realization of the HoneyAnalyzer for
extracting more precise attack signature
is described below:-
i) Configure honeyd to simulate
network.
ii) Run Tcpdump for traffic analysis.
iii) Invoke the auto run shell script that
will run in a particular time interval
and execute the parser utility that
will parse the data from the honeyd
log file and insert into the database.
iv) Execute the auto-run shell-script to
push the honeyd logs data into the
database. This will invoked by the
cron.
v) Login to the web interface to view
the attack patterns and analyse the
data for extraction of good quality
signature. [4]
 To enable the Security Administrator to
select the suspicious data, the web GUI
has the following features: -
i) Ability to display packet information
from the database.
ii) Ability to display real time network
traffic from data stored in database, as
well as historical traffic statistics.
iii) Display the ports, which were
attacked within a certain time range.
iv) Now here the main scenario which
remote IP-addresses were "visited" by
Honeypot in a certain time range. Here
it's possible to specify a port number to
show activity on a specific port.
v) A textual hit statistic over a certain
time range. By specifying an IP or a port
number it is possible to focus on specific
events. [3]
 Signature Extraction: The graphical
interface has support for application of LCS
algorithm the data of interest while present
system apply LCS algorithm on whole data.
The process of finding attack signatures not
fully automated rather it also depends upon
security administrator’s (SA) wisdom and
experience. The SA can choose the traffic on
which the LCS algorithm is to be applied.
The Resulting precise signature will give
less number of false positive and false
negatives. The steps followed for finding the
good quality attack signature are as follows:-
 Identify the data of interest from the
database by looking at the web GUI.
This is the all about description
about the signature extraction
technique by detecting the intruder
from the Graphic websites.
 Analyze combined data from
different data sources that is
Honeypot and Tcpdump For each
received packet initiate the following
sequence of activities:-
i) Identify data of interest (i.e. of
significance) from the database
by looking at the web GUI.
ii) Analyse data from sources i.e.
honeypot and Tcpdump.
VI.
ADVANTAGES / DISADVANTAGES
There are various advantages and the disadvantages
for using the honeypot so that the network system
becomes secure and protected from the outsider
attacker or hacker. Now some of advantages and
disadvantages as below:
 Advantages of honeypots:
 Alerts about attacks: Honeypots detect
attacks and take records about the
attack and methods used for the same.
Security administrator is alerted.
  Helps in improving the efficiency:
When a system is attacked in a new
manner, new defence mechanisms can be
generated by considering the new mode
if attacks. It gives insights into more
attacks that may happen.
 Minimal resources: Only those traffic
which are of malicious nature are
monitored and recorded. Hence, only
less resources are needed.
 Reduced time complexity: As only
malicious contents are monitored,
investigating them is easier and time
saving than monitoring every content in
the framework.
 No hidden costs: Any PC can be used
as a honeypot. So, it doesn’t demand any
extra budget for its implementation and
working.
 Flexible: They are simple to
understand, configure and to implement
and doesn’t have complex algorithms.
 Provides insight: It gives more idea of technologies; they see honeypots as complementary
the subject and enables to discover
different point of views and apply them
for improving security.
 Disadvantages of honeypots: There are VIII.
also some disadvantages of honeypots as
well.
 Can’t monitor everything: Records
about malicious traffic can only be
captured as it is tiresome and useless, to
an extent, of monitoring every
connection. If the hacker doesn’t attack
the system with the honeypot, it is not
possible to catch information.
 Risk on data: High level interaction
honeypots work on real systems. This
can cause in damage to the actual data
in the system. Also in other systems,
attacks not towards the honeypot system
may damage other systems and cause
big problems.
 Leaves fingerprints: It is easy for a
professional hacker to differentiate
between a honeypot system or a real
system. This is done by fingerprinting.
It is a major drawback.
 Purpose can be reversed: An
experienced hacker can use the
honeypot as a shortcut to reach other
systems in the framework and
compromise them. This is also a major
drawback.
VII.
CONCLUSION
Honeypot technology controls the security threat
in network, computing environments in a daily
basis. Once honeypots are implemented, it monitors
the system and gives detailed records of malicious
contents, about how attacks happened, methods
used, tools used, etc. It also provides better network
security also give reliable effect and makes network
more secure and safe environment to use[3].
Honeypots have gained a significant place in the
overall intrusion protection strategy of enterprise.
Security experts do not recommend that these
systems replace existing intrusion detection security
technology to network-and host – based intrusion
protection
REFERENCES
[1] Honeypots The Future, Lance Spitzner
[2] Web Based Honeypots Networks, Srivathsa
S Rao, Vinay Hegde, Boruthalupula
Maneesh, Jyothi Prasad N M, Suhas Suresh.
International Journal of Scientific and
Research Publications, Volume 3, Issue 8,
August 2016. ISSN 2250-3153
[3] Honeypots In Network Security, Abhishek
Sharma. International Journal of Technical
Research and Applications e-ISSN: 2320-
8163, www.ijtra.com Volume 1, Issue 5
(Nov-Dec 2013), PP. 07-12.
[4] HONEYPOTS FOR INFORMATION
SECURITY IN NETWORKS, S.Subanitha
[5] Akshay A. Somwanshi, “Implementation of [6] Navnveet Kambow , Lavleen Kaur Passi ,
Honeypots for Server Security” , IRJET “Honeypots: The Need of Network
Vol.03,Issue: 03, March 2016. Security”, Vol.5(5), 6098-6101, 2014