Discussions, stats, and author profiles for this publication: https://www.researchgate.net/publication/301325633

Author: A. Sagala, Institut Teknologi Del

All content following this page was uploaded by A. Sagala on 05 July 2016.
Abstract— The main objective of this research is to integrate a honeypot and an IDS so that Snort rules can be generated and activated automatically from the data sent by the honeypot server. The new technique presented in this paper works as follows: the honeypot collects the data and sends it to the IDS, and the IDS then evaluates the data and generates the rules automatically. A rule that has been created is activated to filter the packets sent by users on the network. We compare the automatically generated rule with the default rule in the Snort system for the same pattern. The performance of the proposed technique was evaluated by measuring the effectiveness of the IDS server against the attacks.

Keywords—SNORT, HONEYPOT, IDS, IDPS, Network Security

I. INTRODUCTION

The growing world of technology has enabled people to exchange information over a local network or the Internet. Information sent over the network can be either public or private. For private information, an intruder can use hacking techniques to infiltrate and take over systems, illegally obtaining confidential data. Infiltration attempts are made for a specific purpose, such as modifying the information on the server, damaging the network, stealing critical information, and others.

Intrusion detection is an attempt to monitor and detect illegal data streams. It is one way to reduce the illegal actions that enter the network. The data flow to be detected is divided into two categories, namely signature-based intrusion detection and anomaly-based intrusion detection. Systems that have the function of detecting and preventing illegal traffic are called IDPS systems. The IDS itself has a database of rules; the rules on the IDS determine what service will be provided when a request reaches the server. To cut off suspicious data flows, the IDS is integrated with an IPS (Intrusion Prevention System), which serves to prevent actions that disrupt the system. One very popular and quite powerful IDS in IT security is Snort. Snort is widely used because it is a powerful tool and is distributed as open source.

A honeypot is a server that is installed to be the target of attackers. In our research, we implement a low-interaction honeypot using Honeyd so that the attack does not harm the original/production server. Any data that enters the honeypot system is recorded for further analysis. Usually

In this study, we integrated the honeypot and IDS systems. Rules on the IDS are generated based on the logs captured by the honeypot. The automatically generated rules enhance the security of the IDS server, so this new approach can mitigate new attack patterns.

Our contribution in this research is the automation of rule generation on the IDS server. This automation has a beneficial effect: the IDS server can instantly mitigate the attacker and stop the attacker from accessing the production server.

The rest of this paper is organized as follows: Section 2 explains related work and Snort and Honeyd technology; Section 3 describes the design and implementation; Section 4 presents results and discussion; and Section 5 gives the conclusion and further research.

II. RELATED WORK

Snort rule generation based on honeypot logs has been developed at various universities and national labs concerned with cyber security research. The Department of Computer Engineering, King Saud University [1] developed a web-based honeypot to generate Snort intrusion detection system signatures (rules) for HTTP traffic automatically. These new rules are integrated into the IDS signature database.

Collaborative research was also conducted between Northwestern University (USA) and Tsinghua University (China) [2] to detect zero-day polymorphic worms; it generates rules for the edge network gateways or honeynet so that they can prevent the worms from propagating in their early phase.

NISlab (Norwegian Information Security Laboratory) [3] conducted research focused on how much user interaction is needed to generate new signature rules for new attacks, and on what type of honeypot is best suited to obtaining useful data. This was based on data collected by the network intrusion detection system Snort, Honeyd and tcpdump.

A. Intrusion Detection System Using Snort

An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. IDSs come in a variety of "flavors" and approach the goal of detecting suspicious traffic in different ways.

Figure 1 IDS System Block Diagram

Intrusion detection systems are of two main types: network-based (NIDS) and host-based (HIDS). Host intrusion detection systems are installed locally on host machines, making them very versatile compared to a NIDS. A HIDS can be installed on many different types of machines, namely servers, workstations and notebook computers. Doing so gives you coverage that a NIDS does not have, especially if you have a segment that your NIDS cannot reach. Traffic transmitted to the host is analyzed and passed on to the host if there are no potentially malicious packets within the transmission. A HIDS focuses more on changes on the local machine, whereas a NIDS focuses more on the network than on the specific hosts themselves. A HIDS is also more platform-specific and caters strongly to the Windows market; however, there are products available that function in UNIX and other OS environments.

Snort's open-source network-based intrusion detection system (NIDS) has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching and matching [4], [5]. These basic services have many purposes, including application-aware triggered quality of service to de-prioritize bulk traffic when latency-sensitive applications are in use.

The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface attacks, buffer overflows, server message block probes, and stealth port scans.

Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection. In sniffer mode, the program reads network packets and displays them on the console. In packet logger mode, the program logs packets to disk. In intrusion detection mode, the program monitors network traffic and analyzes it against a rule set defined by the user; it then performs a specific action based on what has been identified. Because of the popularity and many features of Snort [6], we chose it as the IDS tool in our research.

B. Honeypot

A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of a computer, data, or a network site that appears to be part of a network but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers. This is similar to the police baiting a criminal and then conducting undercover surveillance.

Honeypots can be classified based on their deployment (use/action) and based on their level of involvement. Based on deployment, honeypots may be classified as production honeypots or research honeypots.

Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations. They are placed inside the production network with the other production servers by an organization to improve its overall state of security. Normally, production honeypots are low-interaction honeypots, which are easier to deploy. They give less information about the attacks or attackers than research honeypots do.

Research honeypots are run to gather information about the motives and tactics of the blackhat community targeting different networks [7], [8]. These honeypots do not add direct value to a specific organization; instead, they are used to research the threats that organizations face and to learn how to better protect against those threats. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.

Based on design criteria, honeypots can be classified as: (1) pure honeypots, (2) high-interaction honeypots and (3) low-interaction honeypots.

In our research, we focus on low-interaction honeypots using Honeyd. Low-interaction honeypots simulate only the services frequently requested by attackers. Since they consume relatively few resources, multiple virtual machines can easily be hosted on one physical system; the virtual systems have a short response time, and less code is required, reducing the complexity of the virtual system's security.

III. DESIGN AND IMPLEMENTATION

The network topology shown in Figure 2 consists of three important factors. We assume that our honeypot works well, so that the attacker gets trapped. The attacker will do whatever they want; all their activity is logged and saved. The saved log is then sent to the IDPS server (in our experiment we use Snort). After that, specific information is extracted from the saved logs: the source IP, destination IP, destination port, and protocol used, together with the number of requests sent. The number of requests in question is the number of requests that come from the same source IP address to the same destination IP address on the same port. In the design of the system, a script was created that is able to retrieve the needed information from the existing logs on Honeyd.
B. Implementation
To implement the design, we need the hardware and software shown in TABLE 1.
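The log-mining script described in Section III is not reproduced on the page, so the following is an added example (written for this edit, not the paper's own script) of the pipeline it describes: count requests per (source IP, destination IP, destination port, protocol) tuple in a Honeyd log and emit one Snort rule per tuple that reaches a threshold, keyed to files named TA_rule_<n>.rules as in the paper's results. The Honeyd log lines are constructed samples in Honeyd's text log layout, the threshold of 3 requests and the SID range starting at 1000001 are assumptions, and `rule_matches` is a header-only check that only approximates what Snort itself evaluates.

```python
"""Generate Snort rules from Honeyd connection logs (added example, not the paper's script).

Assumed Honeyd text log layout, one record per line:
    <timestamp> <proto>(<num>) <flag> <src_ip> <src_port> <dst_ip> <dst_port> [<fingerprint>]
where <flag> is S (connection start), E (connection end) or - (packet outside a connection).
Only S records are counted, so one connection is one request regardless of packet count.
"""
import re
from collections import Counter
from pathlib import Path

# Constructed sample log (documentation ranges, not captured traffic).
SAMPLE_HONEYD_LOG = """\
2016-05-01-10:00:01.0001 tcp(6) S 203.0.113.7 40211 192.0.2.10 22 [Linux 2.6]
2016-05-01-10:00:02.0002 tcp(6) S 203.0.113.7 40212 192.0.2.10 22 [Linux 2.6]
2016-05-01-10:00:03.0003 tcp(6) E 203.0.113.7 40211 192.0.2.10 22: 120 340
2016-05-01-10:00:04.0004 tcp(6) S 203.0.113.7 40213 192.0.2.10 22 [Linux 2.6]
2016-05-01-10:00:05.0005 udp(17) S 203.0.113.9 5060 192.0.2.10 161
2016-05-01-10:00:06.0006 tcp(6) S 203.0.113.7 40214 192.0.2.10 80 [Linux 2.6]
2016-05-01-10:00:07.0007 icmp(1) - 203.0.113.11 8(0): 192.0.2.10: 56
2016-05-01-10:00:08.0008 tcp(6) S 198.51.100.4 51000 192.0.2.10 22 [Windows XP]
2016-05-01-10:00:09.0009 tcp(6) S 203.0.113.7 40215 192.0.2.10 22 [Linux 2.6]
"""

# Matches only tcp/udp connection-start records; E records, ICMP and malformed
# lines fall through and are ignored.
START_RE = re.compile(
    r"^\S+ (?P<proto>tcp|udp)\(\d+\) S "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) \d+ "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) (?P<dport>\d+)"
)


def count_requests(log_text):
    """Count requests per (src_ip, dst_ip, dst_port, proto): the paper's definition
    of a request is the same source IP to the same destination IP and port."""
    counts = Counter()
    for line in log_text.splitlines():
        m = START_RE.match(line)
        if m:
            counts[(m["src"], m["dst"], int(m["dport"]), m["proto"])] += 1
    return counts


def generate_rules(counts, threshold=3, base_sid=1000001):
    """Emit one Snort rule per tuple seen at least `threshold` times (assumed value).
    Returns {filename: rule_text}; files are numbered TA_rule_<n>.rules as in the paper.
    Local rules use sid >= 1000000 so they never collide with the stock ruleset."""
    rules = {}
    hot = sorted((k, v) for k, v in counts.items() if v >= threshold)
    for n, ((src, dst, dport, proto), seen) in enumerate(hot, start=1):
        rule = (
            f'alert {proto} {src} any -> {dst} {dport} '
            f'(msg:"Honeyd-derived: {seen} {proto} requests from {src} to {dst}:{dport}"; '
            f'sid:{base_sid + n - 1}; rev:1;)\n'
        )
        rules[f"TA_rule_{n}.rules"] = rule
    return rules


HEADER_RE = re.compile(r"^alert (?P<proto>\S+) (?P<src>\S+) \S+ -> (?P<dst>\S+) (?P<dport>\d+) ")


def rule_matches(rule, proto, src, dst, dport):
    """Header-only check: would this rule's header select a packet with these fields?
    The generated rules carry no payload options, so the header is all Snort matches on."""
    h = HEADER_RE.match(rule)
    return bool(h) and (h["proto"], h["src"], h["dst"], int(h["dport"])) == (proto, src, dst, dport)


def write_rules(rules, outdir):
    """Write each rule to its own file; Snort loads them via `include` lines in snort.conf."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    for name, text in rules.items():
        (out / name).write_text(text)
    return sorted(p.name for p in out.iterdir())


if __name__ == "__main__":
    counts = count_requests(SAMPLE_HONEYD_LOG)
    rules = generate_rules(counts)
    for name, text in rules.items():
        print(name, text, end="")
    # The rule built from the repeated SSH probes fires on that tuple and stays silent on others.
    r = rules["TA_rule_1.rules"]
    assert rule_matches(r, "tcp", "203.0.113.7", "192.0.2.10", 22)
    assert not rule_matches(r, "tcp", "198.51.100.4", "192.0.2.10", 22)
```

Two caveats a practitioner would add before loading such output into a production Snort. First, a rule keyed to a single source address is only as good as the attacker's address: it ages quickly and, if the same pipeline feeds an IPS in drop mode, a spoofed or shared source could get a legitimate address blocked, so generated rules deserve a review step and an expiry. Second, counting S records rather than raw packets keeps one long connection from being mistaken for many requests; if the honeypot's log format differs from the layout assumed here, `START_RE` is the one place to adjust.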
Figure 5 Rule Generated

In Figure 5, there are three rules generated: TA_rule_1.rules, TA_rule_2.rules and TA_rule_3.rules. The rules that are generated are as follows:

Figure 6 Example: Rule Generated

We carried out tests on the generated rule. The following image shows the alerts raised for incoming attacks in accordance with the newly generated rule.

References

[1] H. Altwaijry, K. Shahbar, "(WHA ASG) Automatic SNORT Signatures Generation by Using Honeypot", Journal of Computers, Vol. 8, No. 12, December 2013.
[2] Zhichun Li, Lanjia Wang, Yan Chen and Zhi, "Network-based and attack-resilient Length Signature Generation for Zero-day Polymorphic Worms", http://www.cs.northwestern.edu.
[3] V. Ajaxon, "Building IDS rules by means of a honeypot", NISlab (Norwegian Information Security Laboratory), 2005.
[4] M. Roesch, "Writing Snort Rules: How to write Snort rules and keep your sanity", current as of version 1.3.1.2.
[5] Rafeeq Ur Rehman, Advanced IDS Techniques Using Snort, Apache, MySQL, and ACID, 2003.
[6] J. Patel Hemangini, "A Survey on Intrusion Detection System in Cloud", International Journal of Engineering and Technical Research (IJETR), Volume 2, Issue 5, ISSN 2321-0869, May 2014.
[7] Prof. Jawale Smita et al., "Intrusion Detection System Using Virtual Honeypots", International Journal of Engineering Research and Applications (IJERA), ISSN 2248-9622, 30 March 2012.
[8] Jacob Benoit, "Automatic XSS Detection and Snort Signatures/ACLs Generation by the Means of a Cloud-Based Honeypot System", December 2011.