Creative Problem 4
Abstract:-
A honeypot is a resource used in computer and Internet security that is intended to be attacked and
compromised in order to gain more information about the attacker and the tools used. One goal of
this paper is to show the possibilities of honeypots and their use in research as well as production
environments. Compared to an intrusion detection system, honeypots have the big advantage that they
generate very few false alerts, because no legitimate activity should reach them. Honeypots provide a
platform for studying the methods and tools used by intruders (the blackhat community), thus deriving
their value from the unauthorized use of their resources. This paper first gives a brief introduction
to honeypots, their types and their uses. We then look at the other components of honeypots and the
way to put them together. Finally we conclude by looking at what the future holds for honeypots.
In the past several years there has been extensive research into honeypot technologies, primarily
for detection and information gathering against external threats. However, little research has been
done on one of the most dangerous threats, the advanced insider: the trusted individual who knows
your internal organization. These individuals are not after your systems, they are after your
information. This paper also discusses how honeypot technologies can be used to detect, identify and
gather information on these specific threats.
INTRODUCTION:-
Global communication is getting more significant every day. At the same time, computer crime is
growing rapidly. Countermeasures are developed to detect or prevent attacks, but most of these
measures are based on known facts and known attack patterns. As in the military, it is important to
know who your enemy is, what kind of strategy and plan he uses, what tools he utilizes and what he
is aiming for. Gathering this kind of information is arduous but important. By knowing attack
strategies, countermeasures can be improved and weaknesses can be fixed. Gathering as much
information as possible is one main goal of a honeypot. Generally, such information gathering
should be done without the attacker's knowledge. All the gathered information provides an
advantage to the defending side and can therefore be used on production systems to prevent
attacks. Honeypots are an exciting new technology. A honeypot is a resource whose value lies in
being attacked or compromised. This means that a honeypot is expected to get probed, attacked
and potentially exploited. Security can be broken down into three categories as follows [1].
Prevention: We want to stop the bad guys. If you were to secure your house, prevention would be
similar to placing dead bolt locks on your doors, locking your windows, and perhaps installing a
chain link fence around your yard. You are doing everything possible to keep the threat out.
ALGORITHM:-
RME (Registry Management Entry)
In this algorithm we edit the value of a Windows registry key. Techniques used:
a) ADO.NET
b) Registry programming
c) Data programming
Detection:
We want to detect the bad guys when they get through. Sooner or later, prevention will fail. You
want to be sure you detect when such failures happen. Once again using the house analogy, this
would be similar to putting a burglar alarm and motion sensors in the house. These alarms go off
when someone breaks in. If prevention fails, you want to be alerted to that as soon as possible.
Reaction: We want to react to the bad guys once we detect them. Detecting the failure has little
value if you do not have the ability to respond. What good does it do to be alerted to a burglar if
nothing is done? If someone breaks into your house and triggers.
Detection:-
Another risk is false negatives, when IDS systems fail to detect a valid attack. Many IDS
systems, whether signature based, protocol verification, etc., can potentially miss new or unknown
attacks. It is likely that a new attack will go undetected by current IDS methodologies. Also, new
IDS evasion methods are constantly being developed and distributed. It is possible to launch a
known attack that is not detected, for example with K2's ADMmutate, which rewrites known shellcode
so that it no longer matches its signature. Honeypots address false negatives as they are not
easily evaded or defeated by new exploits. In fact, one of their primary benefits is that they can
most likely detect when a compromise occurs via a new or unknown attack by virtue of system
activity, not signatures. Administrators also do not have to worry about updating a signature
database or patching anomaly detection engines. Honeypots happily capture any attacks thrown
their way. As discussed earlier though, this only works if the honeypot itself is attacked.
Honeypots can simplify the detection process. Since honeypots have no production activity, all
connections to and from the honeypot are suspect by nature. By definition, any time a connection
is made to your honeypot, this is most likely an unauthorized probe, scan or attack. Any time the
honeypot initiates a connection, this most likely means the system was successfully compromised.
This helps reduce both false positives and false negatives, greatly simplifying the detection
process. By no means should honeypots replace your IDS systems or be your sole method of
detection.
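The detection rule above (inbound to the honeypot is a probe, outbound from the honeypot is a compromise) can be turned into working alerting logic. The following is an added example, not code from the paper; the honeypot address, the set of management hosts that are allowed to talk to it, the scan threshold and the log line format are all assumptions, and the log lines are constructed sample data. It goes slightly beyond the text by also grouping inbound probes from one source across several ports into a single "scan" alert.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumptions (added example, not the paper's): the honeypot's address, the
# hosts allowed to talk to it (management / log collection), and a constructed
# log line format "<time> <src_ip>:<src_port> -> <dst_ip>:<dst_port>".
HONEYPOT_IP = "10.0.0.50"
ADMIN_HOSTS = {"10.0.0.2"}
SCAN_PORT_THRESHOLD = 3     # distinct honeypot ports from one source => scan

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7:51000 -> 10.0.0.50:21
2024-03-01T10:00:01 203.0.113.7:51001 -> 10.0.0.50:22
2024-03-01T10:00:02 203.0.113.7:51002 -> 10.0.0.50:80
2024-03-01T10:03:10 198.51.100.9:40210 -> 10.0.0.50:22
2024-03-01T10:05:00 10.0.0.2:55000 -> 10.0.0.50:22
2024-03-01T10:09:44 10.0.0.50:33421 -> 198.51.100.9:6667
2024-03-01T10:10:00 10.0.0.20:44000 -> 10.0.0.21:445
"""


@dataclass
class Event:
    time: str
    src: str
    dst: str
    dport: int


@dataclass
class Alert:
    kind: str     # "probe", "scan" or "compromise"
    peer: str     # remote address involved
    detail: str


def parse_log(text):
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, src, arrow, dst = line.split()
        if arrow != "->":
            raise ValueError(f"unexpected log line: {line!r}")
        src_ip, _ = src.rsplit(":", 1)
        dst_ip, dport = dst.rsplit(":", 1)
        events.append(Event(time, src_ip, dst_ip, int(dport)))
    return events


def classify(events):
    """Apply the honeypot rule: any inbound connection is a probe, any
    outbound connection is a compromise indicator; management hosts are
    excluded so the honeypot's own log shipping does not alert on itself."""
    alerts = []
    ports_by_src = defaultdict(set)
    for ev in events:
        if ev.dst == HONEYPOT_IP and ev.src not in ADMIN_HOSTS:
            # Inbound: nobody has a legitimate reason to connect.
            ports_by_src[ev.src].add(ev.dport)
            alerts.append(Alert("probe", ev.src, f"{ev.time} port {ev.dport}"))
        elif ev.src == HONEYPOT_IP and ev.dst not in ADMIN_HOSTS:
            # Outbound: the honeypot never initiates traffic on its own, so
            # this is the strongest signal that it has been compromised.
            alerts.append(Alert("compromise", ev.dst, f"{ev.time} port {ev.dport}"))
        # Traffic not touching the honeypot is the IDS's job, not ours.
    for src, ports in ports_by_src.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.append(Alert("scan", src,
                                "ports " + ",".join(map(str, sorted(ports)))))
    return alerts


def summarize(alerts):
    """Count alerts by kind, e.g. {'probe': 4, 'compromise': 1, 'scan': 1}."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a.kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in classify(parse_log(SAMPLE_LOG)):
        print(f"{a.kind:10} {a.peer:15} {a.detail}")
```

The ADMIN_HOSTS exclusion is the one refinement a practitioner always ends up needing: the honeypot's own log shipping and administrative access would otherwise trip the "outbound means compromise" rule on the first day.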
Reaction:-
Though not commonly considered, honeypots also add value to reaction. Often when a system
within an organization is compromised, so much production activity has occurred after the fact that
the data has become polluted. An incident response team cannot determine what happened when
users and system activity have polluted the collected data. For example, I have often come onto
sites to assist in incident response, only to discover that hundreds of users had continued to use the
compromised system. Evidence is far more difficult to gather in such an environment. The second
challenge many organizations face after an incident is that compromised systems frequently cannot
be taken off-line. The production services they offer cannot be eliminated. As such, incident
response teams cannot conduct a proper or full forensic analysis. Honeypots can add value by
reducing or eliminating both problems. They offer a system with reduced data pollution, and an
expendable system that can be taken off-line. For example, let's say an organization had three web
servers, all of which were compromised by an attacker. However, management has only allowed us
to go in and clean up specific holes. As such, we can never learn in detail what failed, what damage
was done, whether the attacker still has internal access, and whether we were truly successful in
the cleanup. However, if one of those three systems was a honeypot, we would now have a system we
could take off-line and conduct a full forensic analysis on. Based on that analysis, we could learn
not only how the bad guy got in, but what he did once he was in there. These lessons could then be
applied to the remaining web servers, allowing us to better identify and recover from the attack.
Honeypot Solutions:-
The more a honeypot can do and the more an attacker can do to a honeypot, the more information
can be derived from it. However, by the same token, the more an attacker can do to the honeypot,
the more potential damage an attacker can do. For example, a low interaction honeypot would be
one that is easy to install and simply emulates a few services. Attackers can merely scan, and
potentially connect to, several ports. Here the information is limited (mainly who connected to
which ports and when), however there is little that the attacker can exploit. At the other extreme
would be high interaction honeypots. These would be actual systems. We can learn far more, as there
is an actual operating system for the attacker to compromise and interact with; however, there is
also a far greater level of risk, as the attacker has an actual operating system to work with.
Neither solution is a better honeypot. It all depends on what you are attempting to achieve.
Remember, honeypots are not a solution. Instead, they are a tool. Their value depends on what your
goal is, from early warning and detection to research. Based on level of interaction, let's compare
some possible honeypot solutions. For this paper, we will discuss six honeypots. There are a
variety of other possible honeypots; however this selection covers a range of options. We will
cover Back Officer Friendly, Specter, Honeyd, homemade honeypots, ManTrap, and Honeynets. This
paper is not meant to be a comprehensive review of these products. I only highlight some of their
features. Instead, I hope to cover the different types of honeypots, how they work, and demonstrate
the value they add and the risks involved.
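To make the low interaction end of the scale concrete, the following is an added example (not code from the paper or from any of the products it names) of a homemade low interaction honeypot: it listens on a port, sends a fake service banner, records whatever the client sends, refuses the login and closes. The FTP-style banner, the loopback address and the sample "attacker" input are assumptions for the demonstration. Because nothing the client sends is ever interpreted, the attacker gets no further than "who connected, to which port, and what they typed", which is exactly the limited information and limited risk the text describes.

```python
import socket
import threading
import time

# Assumptions (added example, not the paper's code): one emulated FTP-style
# service on loopback, a fake banner, and an in-memory list standing in for
# the honeypot's log.
BANNER = b"220 ftp.corp.example FTP server ready\r\n"
REFUSAL = b"530 Login incorrect.\r\n"
MAX_CAPTURE = 1024          # bytes of attacker input kept per connection


class LowInteractionHoneypot:
    """Accept a connection, send a banner, record the input, refuse, close.

    No command is ever parsed or executed, so there is no real daemon for an
    attacker to exploit; the price is that we learn only the first line sent.
    """

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))      # port 0: let the OS pick a free one
        self.sock.listen(5)
        self.sock.settimeout(0.2)         # lets the accept loop notice stop()
        self.host, self.port = self.sock.getsockname()[:2]
        self.records = []                 # one dict per connection
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._handle, args=(conn, addr),
                             daemon=True).start()

    def _handle(self, conn, addr):
        data = b""
        with conn:
            try:
                conn.settimeout(2.0)
                conn.sendall(BANNER)
                # Read up to one line (or MAX_CAPTURE bytes), then refuse.
                while len(data) < MAX_CAPTURE and b"\n" not in data:
                    chunk = conn.recv(256)
                    if not chunk:
                        break
                    data += chunk
                conn.sendall(REFUSAL)
            except OSError:
                pass                      # peer vanished; keep what we have
        with self._lock:
            self.records.append({"peer": addr[0], "port": self.port,
                                 "input": data[:MAX_CAPTURE]})

    def wait_for_records(self, count, timeout=5.0):
        """Block until `count` connections have been recorded (or timeout)."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.records) >= count:
                    return list(self.records)
            time.sleep(0.05)
        with self._lock:
            return list(self.records)


def simulate_probe(payload=b"USER anonymous\r\n"):
    """Start the honeypot, connect to it the way a scanner would, and return
    (banner seen by the client, reply to its input, honeypot records).
    The default payload is constructed sample input."""
    hp = LowInteractionHoneypot()
    hp.start()
    try:
        with socket.create_connection((hp.host, hp.port), timeout=5) as c:
            banner = c.recv(256)
            c.sendall(payload)
            reply = c.recv(256)
        records = hp.wait_for_records(1)
    finally:
        hp.stop()
    return banner, reply, records


if __name__ == "__main__":
    banner, reply, records = simulate_probe()
    print(banner.decode().strip(), "|", reply.decode().strip(), "|", records)
```

The records this produces are the "who connected to which ports and when" data the text mentions, plus the first line the client sent, which is usually enough to tell a scanner's banner grab from a credential-guessing bot.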
CONCLUSION:-
Security is a very difficult topic. The key to building a secure network is to define what security
means to your organization. A honeypot is just a tool. We have categorized two types of honeypots,
production and research. Production honeypots help reduce risk in an organization. Regardless of
what type of honeypot you use, keep in mind the level of interaction. This means that the more your
honeypot can do and the more you can learn from it, the more risk potentially exists.
Honeypots will not solve an organization's security problems. Only best practices can do that.
However, honeypots may be a tool that helps contribute to those best practices.