The Use of Honeynets to Detect Exploited Systems Across the Wireless Networks

Any system connected to the internet is a target of hackers and intruders. Every organization/institution uses some kind of network security software to protect its data from unauthorized use. The software used by organizations/institutions includes antivirus, firewalls, etc. Many types of services run on organization/institution networks, and it is important to detect intrusion. Due to large bandwidth, monitoring is very hard or even impossible. In developing countries, where cyber-crimes are very easy to commit and the laws are not very strong, a honeynet scheme is used to help system administrators detect intrusion or malicious content. A honeynet is the proposed solution because it helps in understanding the intentions and methods attackers use to compromise security systems. In this paper a basic honeynet framework is proposed.


Introduction
A honeynet is not a tool used for offence or defense. It allows us to measure flaws or vulnerabilities in our system. Honeynets provide an information-gathering approach to security; their sole purpose is to gather information about threats in the network. A honeynet is an interactive type of honeypot which provides real systems and applications for attackers to attack and thus captures real information on a real attack [1]. Technically the honeynet is only deception. It deceives the attacker into believing that he is conquering the real systems or applications, but his every activity is closely watched and monitored. This information is used to improve system security and avoid such attacks in future. A honeypot can be used as another security layer in the network alongside firewalls and network intrusion detection systems (NIDS), which have some limitations. Firewalls are placed at the edges of the network [2], where they receive the data traffic from the internet to the internal network and vice versa. They can monitor the information coming from the internet, but they are not able to monitor traffic generated within the organization. Some attackers can also bypass the firewall simply by using encryption, which makes data analysis useless. If encrypted data is a problem, then we have to improve the IDS to collect the encrypted data and use security measures to decrypt the data for analysis. Keeping this in view, a honeynet is the best possible solution, being not only reliable but also inexpensive.
A honeynet is a better solution because it is set up with intentional vulnerabilities; its purpose is to invite attack, so that an attacker's activities and methods can be studied and that information used to increase network security [3,4]. Secondly, the value of this solution is an easy and cost-effective honeynet for research and development [5].

Related Work
Honeynets are classified on the basis of how the attacker is allowed to penetrate our system. In the literature, honeynets are classified into two types (Table 1).

Low interaction honeynet
In this scenario a false environment is provided to the attacker, one that has nothing to do with our actual environment. This is also a very careful approach, used when we are not very sure to what extent we would be able to protect our system from the attacker. By playing safe we are able to collect data from a given set of environment variables, but this is not as effective as it should be because we are using a false system, not the actual environment. A low-interaction honeynet uses emulated systems and applications for the attacker, and the system usually uses some scripts to respond to the hacker's activities. They are easy to deploy, and most of their output is data or log files, which can be used to study attack patterns. This is used for the future design of IDS. There is very low risk involved in deploying a low-interaction honeynet. The drawback is that the full extent of damage to a real system can only be assumed [6].

High interaction honeynet
This is an aggressive approach which allows the attacker to penetrate a system. The attacker is allowed to attack the real-time environment that actually exists in our organization. The attacker is given actual servers and applications to play with, but he is monitored very carefully. Log files are created for future use and for creating pattern- or signature-based IDS. The benefit of using a high-interaction honeynet is the collection of real-time data [7,8].
The literature gives the details of a low-interaction honeynet, Honeyd, developed by Niels Provos, which is designed to run primarily on Unix systems. Honeyd works on the concept of monitoring unused IP space. Any time it sees a connection attempt to an unused IP, it intercepts the connection and then interacts with the attacker, pretending to be the victim. By default, Honeyd detects and logs any connection to any UDP or TCP port. In addition, you can configure emulated services to monitor specific ports, such as an emulated FTP server monitoring TCP port 21. When an attacker connects to the emulated service, not only does the honeynet detect and log the activity, but it also captures all of the attacker's interaction with the emulated service.
In the case of the emulated FTP server, we can potentially capture the attacker's login and password, the commands they issue, and perhaps even learn what they are looking for or their identity. It all depends on the level of emulation by the honeynet [9]. Most emulated services work the same way. They expect a specific type of behavior, and are programmed to react in a predetermined way. If attack A does this, then react this way. If attack B does that, then respond that way. The limitation is that if the attacker does something the emulation does not expect, it does not know how to respond. Most low-interaction honeynets, including Honeyd, simply generate an error message [10,11,12].
A high-interaction honeynet is a conventional computer system, such as a commercial off-the-shelf (COTS) computer, a router, or a switch. This system has no conventional task in the network and no regularly active users. Thus, it should neither have any unusual processes nor generate any network traffic besides the regular daemons or services running on the system. These assumptions aid in attack detection. Every interaction with one of our honeynets is suspicious and could point to a possibly malicious action. This absence of false positives is one of the key advantages of high-interaction honeynets compared to intrusion detection systems (IDS). To quote Rutherford D. Rogers, "We are drowning in information and starving for knowledge." This may be a common phenomenon for IDS, but not for honeynets [13].
It is further said that a high-interaction honeypot can be used to collect in-depth information about the procedures of an attacker. We can observe the "reconnaissance phase", that is, how he searches for targets and with which techniques he tries to find out more about a given system. Afterward, we can watch how he attacks this system and which exploits he uses to compromise a machine. And finally, we can also follow his tracks on the honeynet itself. We monitor which tools he uses to escalate his privileges, how he communicates with other people, or the steps he takes to cover his tracks. Altogether, we learn more about the activities of an attacker: his tools, tactics, and motives. This is an interesting field, and this methodology has proven to be successful in the past. For example, we were able to learn more about the typical procedures of phishing attacks and similar identity theft techniques, since we observed several of these attacks with the help of high-interaction honeynets.
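The scripted behaviour described above can be shown with a small emulation. This is an added example, not code from the paper or from Honeyd; the banner, the reply table and the names `Session`, `respond` and `replay` are assumptions, and the client transcript is constructed.

```python
# Added illustration of a scripted, low-interaction FTP emulation.
# Banner text, replies and all names here are assumptions, not Honeyd's own.
from dataclasses import dataclass, field

BANNER = "220 FTP server ready."  # constructed banner

@dataclass
class Session:
    peer: str
    user: str = ""
    password: str = ""
    commands: list = field(default_factory=list)    # every line the client sent
    unexpected: list = field(default_factory=list)  # input the script had no rule for

def respond(session, line):
    """Return the scripted reply for one client line and record what was learned."""
    session.commands.append(line)
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb == "USER":
        session.user = arg
        return "331 Password required."
    if verb == "PASS":
        session.password = arg
        return "530 Login incorrect."  # the emulation never grants a login
    if verb == "SYST":
        return "215 UNIX Type: L8"
    if verb == "QUIT":
        return "221 Goodbye."
    # The limitation from the text: no rule matches, so reply with a generic error.
    session.unexpected.append(line)
    return "500 Command not understood."

def replay(peer, lines):
    """Feed a client transcript through the emulation; return session and replies."""
    session = Session(peer)
    replies = [BANNER] + [respond(session, line) for line in lines]
    return session, replies

# Constructed transcript; the peer address below is an RFC 5737 documentation address.
SAMPLE = ["USER admin", "PASS letmein", "FEAT", "quit"]

if __name__ == "__main__":
    session, replies = replay("203.0.113.7", SAMPLE)
    print("\n".join(replies))
    print("captured:", session.user, session.password, session.unexpected)
```

The `unexpected` list is the useful by-product: it records exactly where the emulation ran out of rules, which is where a higher level of emulation or a high-interaction system would be needed.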

Proposed Honeynet Framework
A honeynet works step by step using the following techniques.

Data control
This is a very important function when implementing a honeynet. It is required that the attacker feels that he is free to launch an attack. It is important to implement different data control layers (Figures 1 and 2) [13].

Data capture
There should be a data collection process which collects data on the attacker's attacks against the honeynet. The data is monitored and analyzed, and log files should be maintained for future use; these log files can also be used as proof of his attacks. Many tools can be used to capture the data, for example Wireshark, Sebek, etc.; here w3af is used to collect the data about the Iqra website. The results indicate uninterrupted data capture from Iqra University for 12 minutes 30 seconds.

An intrusion detection system
A very important part of the honeynet is the IDS. Software called Snort is used, which sits between the internet and the honeynet. It generates alerts and reports the data traffic (Figure 3).

Firewall logging
A firewall is used to log all data traffic coming in and out of the honeynet. It also maintains log files for connections denied or refused (Figure 4).

Data analysis
The final part of the honeynet is data analysis, which is very important in making a complete report of attacks and their patterns. Based upon the input data log, the attacker is blocked (Figures 5 and 6) [13].
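The firewall logging and data analysis steps can be joined in a short script that turns logged honeynet traffic into a per-source report and a block list. This is an added example, not the paper's implementation; the iptables-style log lines, the `HONEYNET-IN` log prefix, the function names and the `min_events` parameter are assumptions, and the sample log is constructed.

```python
# Added illustration; log format, prefix, names and threshold are assumptions.
import re
from collections import defaultdict

# Constructed firewall log (iptables LOG style); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:00:01 gw kernel: HONEYNET-IN IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=21
Mar  3 10:00:02 gw kernel: HONEYNET-IN IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40113 DPT=22
Mar  3 10:00:04 gw kernel: HONEYNET-IN IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=40114 DPT=21
Mar  3 10:02:10 gw kernel: HONEYNET-IN IN=eth0 OUT=eth1 SRC=198.51.100.23 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=161
Mar  3 10:03:00 gw kernel: HONEYNET-OUT IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 PROTO=TCP SPT=21 DPT=40112
garbled line without fields
"""

FIELD = re.compile(r"(\w+)=(\S*)")

def parse(line):
    """Return the KEY=value fields of an inbound record, or None."""
    if "HONEYNET-IN" not in line:
        return None
    fields = dict(FIELD.findall(line))
    return fields if {"SRC", "DST", "PROTO", "DPT"} <= fields.keys() else None

def summarize(log_text):
    """Group inbound honeynet traffic by source address."""
    seen = defaultdict(lambda: {"events": 0, "targets": set(), "services": set()})
    for line in log_text.splitlines():
        fields = parse(line)
        if fields is None:
            continue  # outbound, unrelated or malformed record
        entry = seen[fields["SRC"]]
        entry["events"] += 1
        entry["targets"].add(fields["DST"])
        entry["services"].add(f"{fields['PROTO'].lower()}/{fields['DPT']}")
    return dict(seen)

def block_list(summary, min_events=1):
    """Sources to block. The honeynet has no regular users, so one event is the default."""
    return sorted(src for src, e in summary.items() if e["events"] >= min_events)

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for src in block_list(report):
        print(src, report[src]["events"], sorted(report[src]["services"]))
```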