A hybrid honeypot framework for improving intrusion detection systems in protecting organizational networks
Introduction
Computer networks are vulnerable to a variety of exploits that can compromise their intended operations. The challenges of securing networks in the face of intruders have become overwhelming and are still growing. To improve network security, organizations have sought solutions such as firewalls, Virtual Private Networks (VPNs), and intrusion detection variants. These solutions, however, continue to leave proprietary data accessible to determined intruders, and rely on blunt approaches when facing new attacks. In this context, intrusion detection systems (IDSs) are used to monitor computers or networks for unauthorized entry or activity, thereby detecting whether a system is being targeted by an attack (Innella and McMillan, 2001, Kreibich and Crowcroft, 2004, Levine et al., 2004). Preventing, detecting, and reacting to intrusions without disturbing the operation of existing systems represents a major challenge for networks that provide round-the-clock services such as web servers (Zhang et al., 2003). In such networks, even if an intrusion is detected, the system cannot be shut down for a full check, since it may be serving users who are making deals or completing transactions.
Honeypot technology is an attempt to overcome the shortcomings of traditional intrusion detection systems (Yeldi et al., 2003). It can be used to gather information that identifies the collaborator and to answer questions such as how to defend against and defeat an intruder whose identity is not known, when no a priori knowledge is available about how he operates or what his motives are (Raynal et al., 2004a, Raynal et al., 2004b). Honeypots provide mechanisms for answering these questions by luring hackers into a controlled environment and then analyzing their activities.
In this paper, we make use of the developed honeypot technology to propose a hybrid approach that improves the currently deployed IDSs for protecting networks from intruders. The paper is organized as follows. Section 2 provides coverage of previous work in the domain of honeypot technology and intrusion detection systems. Section 3 presents the proposed hybrid honeypot framework and describes its main components, operation, and design. Section 4 evaluates the performance of the proposed approach while Section 5 discusses the features of the proposed system with respect to other existing state-of-the-art approaches. Finally, Section 6 terminates the paper with a conclusion and suggestions for future work.
Background and related work
This section presents a coverage of previous work on intrusion detection systems (IDS), a background on honeypots, and a survey of honeypot-related work.
Proposed hybrid honeypot framework
The need for the development of a hybrid honeypot system was recognized by researchers to provide a framework that represents a complete honeypot-based solution for intrusion monitoring and detection (Budiarto et al., 2004). In this section, we introduce the design and implementation of a hybrid honeypot approach and describe its basic concepts, components, and operation.
The proposed approach introduces an adaptable honeypot-based intrusion detection system that adjusts to changes in the
Case study
The hybrid honeypot system was integrated into the network of the Faculty of Engineering and Architecture (FEA) at the American University of Beirut (AUB), which comprises at least 400 computers. The network includes undergraduate as well as graduate labs in addition to computers belonging to faculty, staff, and graduate students. The Hybrid Honeypot server was installed on a 2.0 GHz Pentium 4 computer with 256 MB RAM.
After an initial scan of the machines on the network, the server produced
Discussion
Having described the design of the system and its implementation, we now compare it to a representative sample of the IDSs discussed in Section 2. The purpose is to demonstrate the novelty of the approach and contrast its characteristics with recent state-of-the-art systems. The comparison, which is summarized in Table 1, covers four broad categories: architecture, type, properties, and features.
Starting with the architecture, it is obvious that the proposed hybrid honeypot system is
Conclusion and future work
In this paper, an intrusion detection framework that is based on the technology of honeypots was described. The framework employs already developed technologies and provides an integrated approach that is meant to enhance currently deployed intrusion detection techniques. The proposed approach is dynamic and adaptable, and allows for gaining insights into new attacks. It depends on the availability of free IP addresses to implement fake systems on the network with redirection capabilities. The
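The conclusion notes that the framework depends on free IP addresses to host fake systems with redirection to a monitored honeypot. The following is an added example (not the paper's own code) of that decoy-address idea: it derives unused addresses from a constructed scan result, flags any connection to a decoy as suspicious because no legitimate traffic should reach an unused address, and redirects ports the high-interaction honeypot (HIH) serves while only logging the rest. The subnet, the live-host list, the HIH address and its port set are all assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed scan result: addresses that answered the initial network scan (assumed).
LIVE_HOSTS = {"10.0.0.1", "10.0.0.5", "10.0.0.6", "10.0.0.20"}
HIH_ADDRESS = "10.0.0.250"   # assumed address of the high-interaction honeypot
HIH_PORTS = {22, 80, 443}    # assumed ports the HIH can serve


def free_addresses(subnet: str, live: set, reserved: set) -> list:
    """Usable host addresses in `subnet` that are neither live nor reserved."""
    net = ipaddress.ip_network(subnet)
    return [str(h) for h in net.hosts() if str(h) not in live and str(h) not in reserved]


@dataclass
class DecoyMonitor:
    decoys: set            # unused addresses the framework claims as fake systems
    hih: str               # where covered ports are redirected
    hih_ports: set
    events: list = field(default_factory=list)

    def handle(self, src: str, dst: str, dport: int) -> str:
        """Classify one connection attempt: 'pass', 'redirect' or 'log'."""
        if dst not in self.decoys:
            return "pass"  # a real host; left to the regular IDS
        # Any contact with a decoy is recorded; only HIH-covered ports are redirected.
        action = "redirect" if dport in self.hih_ports else "log"
        self.events.append({"src": src, "dst": dst, "dport": dport, "action": action,
                            "target": self.hih if action == "redirect" else None})
        return action

    def suspicious_sources(self, min_decoys: int = 2) -> set:
        """Sources that touched at least `min_decoys` distinct decoys (scan-like behaviour)."""
        seen = {}
        for e in self.events:
            seen.setdefault(e["src"], set()).add(e["dst"])
        return {s for s, d in seen.items() if len(d) >= min_decoys}


def build_monitor(subnet: str = "10.0.0.0/24", max_decoys: int = 8) -> DecoyMonitor:
    """Claim up to `max_decoys` free addresses as decoys, keeping the HIH address out."""
    free = free_addresses(subnet, LIVE_HOSTS, {HIH_ADDRESS})
    return DecoyMonitor(set(free[:max_decoys]), HIH_ADDRESS, HIH_PORTS)
```

The classification is a policy decision only; in a deployment the "redirect" action would be carried out by the network's redirection mechanism and the event list would feed the IDS.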
References (36)
- CIDS: an agent-based intrusion detection system. Computers and Security (2005).
- Lightweight agents for intrusion detection. Journal of Systems and Software (2003).
- Real-time intrusion detection for high-speed networks. Computers and Security (2005).
- Use of K-nearest neighbor classifier for intrusion detection. Computers and Security (2002).
- A denial-of-service resistant intrusion detection architecture. Computer Networks (2000).
- Application of online-training SVMs for real-time intrusion detection with different considerations. Computer Communications (2005).
- Computer security threat monitoring and surveillance (April 1980).
- An architecture for intrusion detection using autonomous agents.
- NIDX: an expert system for real-time network intrusion detection.
- Implementation of an intrusion detection system based on mobile agents.
- Honeypots: why we need a dynamic honeypot?
- Honeypots: practical means to validate malicious fault assumptions.
- An intrusion-detection model.
- Anomaly detection over noisy data using learned probability distributions.
- MADIDS: a novel distributed IDS based on mobile agent. ACM SIGOPS Operating Systems Review.
- Intrusion detection using sequences of system calls. Journal of Computer Security.
- An introduction to intrusion detection systems.
- Roaming honeypots for mitigating service-level denial-of-service attacks.
Hassan Artail worked as a system development supervisor at the Scientific Labs of DaimlerChrysler, Michigan before joining AUB in 2001. At DaimlerChrysler, he worked for 11 years in the field of software and system development for vehicle testing applications, covering the areas of instrument control, computer networking, distributed computing, data acquisition, and data processing. He obtained a B.S. and M.S. in Electrical Engineering from the University of Detroit in 1985 and 1986, respectively, and a Ph.D. in Electrical and Computer Engineering from Wayne State University in 1999. His research is in the areas of Internet and Mobile Computing, Distributed Computing and Systems, and computer and network security.
Haidar Safa received a B.Sc. in Computer Science in 1991 from Lebanese University, Lebanon, an M.Sc. in Computer Science in 1996 from the University of Quebec at Montreal (UQAM), and a Ph.D. in Electrical and Computer Engineering in 2001 from Ecole Polytechnique de Montreal. He joined ADC Telecommunications and SS8 Networks in 2001, where he worked on designing and developing networking and system software. In 2003, he joined AUB, where he is currently teaching and doing research in Networking. Dr. Safa's research interests include mobility management in wireless networks, Quality of Service, routing, and network security.
Malek Sraj completed his Bachelor's degree in Computer and Communication Engineering at the American University of Beirut in 2004. He is currently pursuing his graduate studies at KTH University in Sweden. His research interests are in computer networking and signal processing.
Iyad Kuwatly completed his Bachelor's degree in Computer and Communication Engineering at the American University of Beirut in 2004. His interests are in the area of computer network security and Web development.
Zaid Al-Masri completed his Bachelor's degree in Computer and Communication Engineering at the American University of Beirut in 2004. His interests are in application software development and Web development.