Elsevier

Computers & Security

Volume 25, Issue 4, June 2006, Pages 274-288
A hybrid honeypot framework for improving intrusion detection systems in protecting organizational networks

https://doi.org/10.1016/j.cose.2006.02.009

Abstract

This paper proposes a hybrid and adaptable honeypot-based approach that improves the currently deployed IDSs for protecting networks from intruders. The main idea is to deploy low-interaction honeypots that act as emulators of services and operating systems and have them direct malicious traffic to high-interaction honeypots, where hackers engage with real services. The setup permits recording and analyzing the intruder's activities and using the results to take administrative actions toward protecting the network. The paper describes the basic components, design, operation, implementation and deployment of the proposed approach, and presents several performance and load testing scenarios. The implementation, together with the performance and load tests, shows the adaptability of the proposed approach and its effectiveness in reducing the probability of attacks on production computers.
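The abstract describes three moving parts: low-interaction decoys placed on addresses the production network does not use, a hand-off of connections to a high-interaction honeypot (HIH) where a real service answers, and a record of the intruder's activity that the operator acts on. The following toy model, written for this page and not taken from the paper or its implementation, puts those parts together in one place. The class and function names (`HybridFrontEnd`, `HighInteractionHoneypot`, `route`, `report`), the `block_threshold` policy knob, and every address, port and connection attempt are constructed for illustration.

```python
# Added example (not from the paper): a toy model of the hybrid front end the
# abstract describes. Low-interaction decoys sit on spare addresses, connections
# on ports the HIH serves are handed to it, everything else is answered by the
# emulator, and every decoy contact is recorded for later administrative action.
# All addresses, ports and events below are constructed for illustration.
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class HighInteractionHoneypot:
    address: str        # host running the real (sandboxed) services
    ports: frozenset    # ports on which those services listen


@dataclass
class HybridFrontEnd:
    subnet: str
    hih: HighInteractionHoneypot
    decoys: set = field(default_factory=set)
    sessions: list = field(default_factory=list)

    def learn_free_addresses(self, live_hosts):
        """Model the initial network scan: every address in the subnet that is
        not live becomes a decoy on which the low-interaction emulator listens.
        Returns the decoy addresses in address order."""
        net = ipaddress.ip_network(self.subnet)
        live = {ipaddress.ip_address(h) for h in live_hosts}
        self.decoys = {str(a) for a in net.hosts() if a not in live}
        return sorted(self.decoys, key=ipaddress.ip_address)

    def route(self, src, dst, dport):
        """Decide what happens to one inbound connection.

        Returns (action, target):
          ("production", None)          dst is a real host; the normal IDS path applies
          ("redirect", (hih_ip, port))  the HIH serves this port, so hand the session over
          ("emulate", None)             no HIH service on this port; the emulator answers
        Nothing legitimate talks to a decoy, so every decoy contact is recorded
        whatever action is taken."""
        if dst not in self.decoys:
            return ("production", None)
        if dport in self.hih.ports:
            action, target = "redirect", (self.hih.address, dport)
        else:
            action, target = "emulate", None
        self.sessions.append({"src": src, "dst": dst, "dport": dport, "action": action})
        return (action, target)

    def report(self, block_threshold=3):
        """Summarize decoy contacts per source so the operator can decide on an
        administrative action. block_threshold is an assumed policy setting."""
        summary = {}
        for s in self.sessions:
            entry = summary.setdefault(s["src"], {"contacts": 0, "ports": set()})
            entry["contacts"] += 1
            entry["ports"].add(s["dport"])
        for entry in summary.values():
            entry["ports"] = sorted(entry["ports"])
            entry["recommend"] = "block" if entry["contacts"] >= block_threshold else "watch"
        return summary


def demo():
    """Run the model over a constructed scan result and connection log."""
    fe = HybridFrontEnd("192.0.2.0/29",
                        HighInteractionHoneypot("192.0.2.6", frozenset({22, 80})))
    fe.learn_free_addresses(["192.0.2.1", "192.0.2.6"])   # decoys become .2 .3 .4 .5
    # Constructed connection attempts: (source, destination, destination port).
    attempts = [
        ("198.51.100.7", "192.0.2.3", 22),    # decoy, SSH served by HIH   -> redirect
        ("198.51.100.7", "192.0.2.4", 80),    # decoy, HTTP served by HIH  -> redirect
        ("198.51.100.7", "192.0.2.5", 445),   # decoy, no HIH service      -> emulate
        ("203.0.113.9", "192.0.2.1", 80),     # real host                  -> production
        ("203.0.113.9", "192.0.2.2", 3389),   # decoy, no HIH service      -> emulate
    ]
    decisions = [fe.route(*a) for a in attempts]
    return decisions, fe.report()


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
    print(demo()[1])
```

The point the model makes is the one the paper's design rests on: because decoy addresses come from the scan of free addresses, any contact with them is suspicious by construction, so the front end never has to decide whether a session is malicious before recording it; it only decides whether the real service on the HIH or the emulator should answer.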

Introduction

Computer networks are vulnerable to a variety of exploits that can compromise their intended operations. The challenges of securing networks in the face of intruders have become overwhelming and are still growing. To improve network security, organizations have sought solutions such as firewalls, Virtual Private Networks (VPNs), and intrusion detection variants. These solutions, however, continue to leave proprietary data accessible to determined intruders, and rely on blunt approaches when facing new attacks. In this context, intrusion detection systems (IDSs) are used to monitor computers or networks for unauthorized entrance or activities, thereby detecting whether a system is being targeted by an attack (Innella and McMillan, 2001, Kreibich and Crowcroft, 2004, Levine et al., 2004). Preventing, detecting, and reacting to intrusions without disturbing the operations of existing systems represent a major challenge for networks that provide round-the-clock services such as web servers (Zhang et al., 2003). In such networks, even if an intrusion is detected, the system cannot be shut down to examine it fully, since it may be serving users who are making deals or completing transactions.

Honeypot technology is an attempt to overcome the shortcomings of traditional intrusion detection systems (Yeldi et al., 2003). It can be used to gather information that identifies the collaborator and to answer questions such as how to defend against and defeat the intruder when his identity is not known and no a priori knowledge is available about how he operates or what his motives are (Raynal et al., 2004a, Raynal et al., 2004b). Honeypots provide mechanisms for answering these questions by luring hackers into a controlled environment and then analyzing their activities.

In this paper, we make use of the developed honeypot technology to propose a hybrid approach that improves the currently deployed IDSs for protecting networks from intruders. The paper is organized as follows. Section 2 provides coverage of previous work in the domain of honeypot technology and intrusion detection systems. Section 3 presents the proposed hybrid honeypot framework and describes its main components, operation, and design. Section 4 evaluates the performance of the proposed approach, while Section 5 discusses the features of the proposed system with respect to other existing state-of-the-art approaches. Finally, Section 6 concludes the paper with a summary and suggestions for future work.

Background and related work

This section presents coverage of previous work on intrusion detection systems (IDS), background on honeypots, and a survey of honeypot-related work.

Proposed hybrid honeypot framework

The need for the development of a hybrid honeypot system was recognized by researchers to provide a framework that represents a complete honeypot-based solution for intrusion monitoring and detection (Budiarto et al., 2004). In this section, we introduce the design and implementation of a hybrid honeypot approach and describe its basic concepts, components, and operation.

The proposed approach introduces an adaptable honeypot-based intrusion detection system that adjusts to changes in the

Case study

The hybrid honeypot system was integrated into the network of the Faculty of Engineering and Architecture (FEA) at the American University of Beirut (AUB), which comprises at least 400 computers. The network includes undergraduate as well as graduate labs in addition to computers belonging to faculty, staff, and graduate students. The Hybrid Honeypot server was installed on a 2.0 GHz Pentium 4 computer with 256 MB RAM.

After an initial scan of the machines on the network, the server produced

Discussion

Having described the design of the system and its implementation, we now compare it to a representative sample of the IDSs that were discussed in Section 2. The purpose is to demonstrate the novelty of the approach and contrast its characteristics with recent state-of-the-art systems. The comparison, which is summarized in Table 1, covers four broad categories: architecture, type, properties, and features.

Starting with the architecture, it is obvious that the proposed hybrid honeypot system is

Conclusion and future work

This paper described an intrusion detection framework based on honeypot technology. The framework employs already developed technologies and provides an integrated approach that is meant to enhance currently deployed intrusion detection techniques. The proposed approach is dynamic and adaptable, and allows for gaining insights into new attacks. It depends on the availability of free IP addresses to implement fake systems on the network with redirection capabilities. The

References (36)

  • R. Budiarto et al. Honeypots: why we need a dynamic honeypot?
  • M. Dacier et al. Honeypots: practical means to validate malicious fault assumptions
  • D. Denning. An intrusion-detection model
  • E. Eskin. Anomaly detection over noisy data using learned probability distributions
  • L. Guangchun et al. MADIDS: a novel distributed IDS based on mobile agent. ACM SIGOPS Operating Systems Review (January 2003)
  • S. Hofmeyr et al. Intrusion detection using sequences of system calls. Journal of Computer Security (1998)
  • P. Innella et al. An introduction to intrusion detection systems
  • M. Khattab et al. Roaming honeypots for mitigating service-level denial-of-service attacks

Cited by (68)

  • Using rootkits hiding techniques to conceal honeypot functionality. 2023, Journal of Network and Computer Applications

  • Boosting Cyber-Threat Intelligence via Collaborative Intrusion Detection. 2022, Future Generation Computer Systems

    Citation excerpt: A different approach to improve the accuracy of TDSs consists in integrating information from honeypots. In [25], a hybrid and adaptable honeypot-based approach is proposed that improves the IDSs for protecting networks from intruders. The main idea consists in recording and analyzing the intruder's activities and using the results to take administrative actions for protecting the network.

  • Forecasting network events to estimate attack risk: Integration of wavelet transform and vector auto regression with exogenous variables. 2022, Journal of Network and Computer Applications

    Citation excerpt: Honeypot system is a commonly used deceptive technique (Dongxia and Yongbo, 2012; Suo et al., 2014; Kuwatly et al., 2004; John et al., 2020; Prasad et al., 2020; Niakanlahiji et al., 2020) in network security. As a decoy computing environment, it lures attackers to collect their attack patterns, methods, and used tools (Artail et al., 2006). There are numerous studies that used deception technology to monitor network events and forecast possible future attacks.

  • Expert system assessing threat level of attacks on a hybrid SSH honeynet. 2020, Computers and Security

    Citation excerpt: Snort signatures were often (Chawda and Patel, 2015; Fan et al., 2016; Fan and Fernandez, 2017; Fan et al., 2015; Qiao et al., 2013; Wang and Wu, 2019) used in the decision-making process, but none of the analysed articles provides details on the specifics. Some solutions (Artail et al., 2006; Innab et al., 2018; Qiao et al., 2013) redirect all connections going through the ports covered by the HIH to it, and they redirect certain other ports to some available HIH ports. The papers (Chovancova et al., 2017; Kumar et al., 2012; Mansoori et al., 2012) do not explain the decision-making mechanism at all.

Hassan Artail worked as a system development supervisor at the Scientific Labs of DaimlerChrysler, Michigan before joining AUB in 2001. At DaimlerChrysler, he worked for 11 years in the field of software and system development for vehicle testing applications, covering the areas of instrument control, computer networking, distributed computing, data acquisition, and data processing. He obtained a B.S. and M.S. in Electrical Engineering from the University of Detroit in 1985 and 1986, respectively, and a Ph.D. in Electrical and Computer Engineering from Wayne State University in 1999. His research is in the areas of Internet and Mobile Computing, Distributed Computing and Systems, and computer plus network security.

Haidar Safa received a B.Sc. in Computer Science in 1991 from Lebanese University, Lebanon, an M.Sc. in Computer Science in 1996 from the University of Quebec at Montreal (UQAM), and a Ph.D. in Electrical and Computer Engineering in 2001 from Ecole Polytechnique de Montreal. He joined ADC Telecommunications and SS8 Networks in 2001, where he worked on designing and developing networking and system software. In 2003, he joined AUB, where he is currently teaching and doing research in Networking. Dr. Safa's research interests include mobility management in wireless networks, Quality of Service, plus routing and network security.

Malek Sraj finished the Bachelor degree in Computer and Communication Engineering from the American University of Beirut in 2004. He is currently pursuing his graduate studies at the KTH University in Sweden. His research interests are in computer networking and signal processing.

Iyad Kuwatly finished the Bachelor degree in Computer and Communication Engineering from the American University of Beirut in 2004. His interests are in the area of computer network security and Web development.

Zaid Al-Masri finished the Bachelor degree in Computer and Communication Engineering from the American University of Beirut in 2004. His interests are in application software development and Web development.