Enhancing network intrusion detection system with honeynet

1. Enhancing network intrusion detection system with honeynet Author: Xiali Hei， Kwok-yan Lam， Yiyuan Huang Date: 10/8/2004

2. Introduction • False negative and false positive are two choke points that cumber the development of intrusion detection system. • Efficient mechanism is necessary for enhancing detection performance of network intrusion detection system. • Honeypot is a kind of new technology and it can be used to enhance IDS’s detection performance • Design and implement new honeynet to make it suitable for detection in NIDS

3. Disadvantage of NIDS • False positive • False negative • Data overload: large data leads to false negative • Resources: bandwidth cannot meet needs • Encryption: NIDS can’t detect encrypted (such as ssh.) attacks

4. The requirements to enhance IDS’s detection performance • Update rule sets in time before new attacks’ prevailing • Precisely discriminate abnormal traffics from normal traffics • Judge attack phases: discriminate fingerprinting, scanning, penetrating • Decrease traffics To satisfy the upper requirements,we choose honeypot. And honeypot can meet most of them .Next, let us discuss it in detail.

5. Overview of honeypot • Honeypot • A secure resource. • A web site with imitated contents to lure hackers. • To research and explore hackers’ behaviors. • Honeynet • one type of high-interaction honeypot • designed to capture extensive information on threats. • a network that contains one or plenty of honeypots. • provides real systems, applications, and services for attackers. In this design, we exploit honeynet’s detection function.

6. Advantages of honeypotover IDS • It has less false positives than network intrusion detection system. • honeypot captures only upon perceived hostile activities, while network intrusion detection system monitors all normal traffics and hostile traffics. • It can alert you before the real system are attacked. • Once the hacker has an access to the honeypot, he will be found and logged by honeypot even though he hasn’t finished attack. • On the contrary, network intrusion detection system finds the hacker only after the attack has being finished.

7. It can detect encrypted attacks with some software such as Sebek. • It can detect new attack to reduce false negative. • It only produces little data but those data are of high value. Disadvantage of honeypot • It can’t detect passive attacks or direct to server attacks • It is possibly fingerprinted and used as a launch platform to attack real network.

8. It is evident that IDS and honeypot are complementary in detecting attacks. So we enhance IDS’s detection performance by applying honeypot in this design.

9. Network design

10. Network design(cont.) • It employs honeynet, and the key element of honeynet is the gateway with the name honeywall using Linux host. • The honeywall separates the honeynet victims from the rest of the world and it is our control center. • The external interface of our gateway (eth0) is connected to the production systems' network. • The internal interface of our gateway (eth1) is connected to the honeynet systems' network. • Both internal and external systems are on the same IP network. • The third interface (eth2) is for remote administration of the gateway. • Center monitor interacts with intrusion detection system (network intrusion detection system management console) by honeynet software.

11. Honeynet Software • It is designed to mine new attack patterns and provide new attack patterns or attack information about hackers to network intrusion detection system. • It is composed of Pattern Protection module, Information Communication module and Data Analysis module. • It accesses to and asks for data from network intrusion detection system pattern database and honeypot logs.

12. Data flow diagram

13. Data flow diagram(cont.) • Data Analysis module mines attack patterns according to audit data on center monitor of honeynet and then compares them with network intrusion detection system pattern database on center monitor. • If network intrusion detection system pattern database has the pattern then it filters the pattern, or the new patterns will be sent to network intrusion detection system management console and stored in network intrusion detection system pattern database on center monitor. • Network intrusion detection system will update its pattern database periodically.

14. Results • This system had been running for one month. • Case one: inline-snort sensor detects and generats an alert to a known FTP attack against the honeynet. [Classification: Attempted User Privilege Gain] [Priority: 1] 05/16-17:55:52.235847 202.24.220.143:2243 -> 192.168.1.102:21 TCP TTL:48 TOS:0x0 ID:16648 IpLen:20 DgmLen:76 DF ***AP*** Seq: 0xCF7869CC Ack: 0xEBCD7EC0 Win: 0x7D78 TcpLen: 32 TCP Options (3) => NOP NOP TS: 237391678 29673183 When the center monitor receives this alert, Honeynet Software reports this attack (FTP EXPLOIT format string, from 202.24.220.143:2243) to network intrusion detection system management console in advance. Four hours later, network intrusion detection system detects this attack and blocks it.

15. Advantage: • From the above case, it is clear that this design can lower false negative and false positive in some degree. • Compared with existing methods, it has no problem of base-rate fallacy and pattern incompletion. What’s more, it can directly face the ongoing attack environments other than analysis the successful attack audits trail. In some extension, it can predict possible attack. • Disadvantage : The combination of honeynet and IDS in total network will slower network rate.

16. Possible future extension • How to identify the same hacker on two machines • Protect the rules on honeypot • The amount of communication traffic will lower reaction time of the system • Delay time : honeynet must offer the information about hackers before the hacker compromised system. • Protect the communication links: this traffic must be protected against eavesdropping

17. Thank you!

18. Q & A