
International Journal of Trend in Scientific Research and Development (IJTSRD)

Volume 5 Issue 1, November-December 2020 Available Online: www.ijtsrd.com e-ISSN: 2456 – 6470

Honeypot Methods and Applications


Anoop V Kanavi (Student), Feon Jaison (Assistant Professor)
Master of Computer Application, Jain (Deemed-to-be University), Bangalore, Karnataka, India

ABSTRACT

Day by day the internet is becoming an essential part of everyone's life. In India from 2015 – 2020, there is an increase in internet users by 400 million users. As technology and innovation are increasing rapidly, security is a key point to keep things in order. Security and privacy are the biggest concern in the world, in any field or domain. Cybersecurity is no different: security is the biggest concern, with attacks that could happen at any time. So, in this paper, we are going to discuss honeypots comprehensively. The aim is to track hackers in order to analyze and understand hacker/attacker behavior and create a secure system which is sustainable and efficient.

KEYWORDS: Honeypot, hacking, network security, forensic

How to cite this paper: Anoop V Kanavi | Feon Jaison "Honeypot Methods and Applications" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-1, December 2020, pp.717-724, URL: www.ijtsrd.com/papers/ijtsrd38071.pdf

Copyright © 2020 by author(s) and International Journal of Trend in Scientific Research and Development Journal. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (CC BY 4.0) (http://creativecommons.org/licenses/by/4.0)

1. INTRODUCTION

Due to the growth of internet usage, people can easily access their information or transfer data to others on the internet. With such rapid growth of the internet, if we do not know the value of basic network security, hackers can take over the network by exploiting a vulnerability in the network using malicious code. The attack may lead to stealing or tampering of information, which leads to damages and loss of data. We traditionally use an IDS (Intrusion Detection System) and a firewall in a network to prevent attacks and avoid damages; these provide defense against the attackers. With a firewall or IDS, you collect and analyze logs on your network, and identifying malicious signatures or anomalies in a sea of legitimate activity can be both time consuming and difficult, since it is hard to separate false positives and false negatives.

A honeypot is a device that is built to monitor the network and analyze the attacker's behavior. A honeypot is a system that attracts attackers/hackers by luring them into the system and making them run exploits, so that they fall into the trap. A honeypot lets you monitor the processes that are started and running on the system by the attacker. A honeypot is a trap machine that looks identical to the real system to attract the attacker/hacker. This device can also be used as a forensic device in a crime scene to identify hackers trying to steal the data. A honeypot won't completely screen off the hackers but rather notifies us that an attack is happening or may happen. The main purpose of the device is watching, analyzing, understanding, and tracking the hacker's behavior so we can create a better and more secure system.

2. Classification of Honeypot

Honeypots are broadly classified into two parts: one according to their usage and the other according to their level of involvement. According to usage they are classified into two types:
A. Research honeypot
B. Production honeypot

According to their level of involvement they are classified into three types:
A. Low interaction honeypot
B. Mid interaction honeypot
C. High interaction honeypot

2.1. Research Honeypot
As the name suggests, research honeypots are mainly used for research purposes. They are meant to gather maximum information about hackers or intruders by giving full access to the system. By allowing access it is easy to understand the behavior of the attacker and monitor which tools and methodology are used. The aim is to understand how attackers develop and progress, in order to learn how to improve and secure our system. Research honeypots don't add any security to the organization, but they are used to help in understanding the hacker community and their motives.

2.2. Production Honeypot
Production honeypots are placed inside the enterprise network along with the production servers. This type of honeypot is mainly used to protect the organization from any malicious attacks done by hackers. The honeypot plays the role of a decoy, but it is designed to look and appear real and contains information that attracts the hackers to spend time

@ IJTSRD | Unique Paper ID – IJTSRD38045 | Volume – 5 | Issue – 1 | November-December 2020 Page 725
and resources, ultimately giving the system/network admin the ability to assess and mitigate any vulnerability in their actual system. Production honeypots are used to reduce risk and provide a better and more secure business environment. Hence, they are largely used in organizations.

Fig1. Honeypot According to Usage

Fig 2 Honeypot According to level of Involvement

2.3. Low Interaction Honeypot
Low interaction honeypots are commonly used in the production network. They run a handful of services, and the freedom given to the attacker is minimal. They serve as an early warning mechanism. A low interaction honeypot is passive in nature, which limits the hacker from using the system to attack other systems. This type of honeypot is deployed with the aim of protecting/securing ourselves from the attackers. In exchange, we get very little information about the hacker. So, this approach is widely used in organizations whose priority is to protect the system from any external attack.

2.4. Mid Interaction Honeypot
Mid interaction honeypots provide more services, which offer the hacker more ability to interact compared to a low interaction honeypot. They emulate certain aspects of the application layer but don't provide any real operating system. The level of emulation provided to the attacker increases the risk as well. The organization can expect certain activity and give a certain response. They work to stall the attacker, gaining more time to figure out how to properly react to an attack.

2.5. High Interaction Honeypot
High interaction honeypots are not meant to imitate the whole production network/system, but they do run most of the services the production network/system would run. This type of honeypot is given a real operating system to attack. It allows the organization to see the hacker's behavior and methods; the main aim is to get maximum information about the hackers by allowing access to the whole system. This type of honeypot consumes a lot of resources and has to be maintained constantly, but it is worth the findings.

3. Application and Deployment of Honeypot

Here we discuss its application in educational areas, with IDS, and its implementation.

3.1. Honeypots in Educational Resource

A lab called ITSecLab has been set up at Brigham Young University for network security studies at undergraduate and graduate level. They utilize this lab for analyzing traffic in the network. This lab was planned exclusively for experiments on network security by undergraduates. In this lab, they have implemented a honeypot to engage with hackers and investigate its uses as an educational tool. The lab is designed as a separate sandbox to keep malicious activity away from the lab network. The honeypot is implemented at Brigham Young University with specific advantages in mind: it informs about new threats, secures the lab at a higher level, teaches network and security fundamentals, and closely identifies flaws. One more consideration comes into play while implementing the honeypot: the legal issues, which are the most significant part of deployment, because if the honeypot gets compromised and is used as a zombie then the owner has to bear the loss.

3.2. Honeypot with IDS

An Intrusion Detection System (IDS) separates the traffic coming from different hosts from that of the hackers, and at the same time addresses the issues of throughput, latency, and security of the network. From there, we can present the results of a series of load and response-time tests in terms of performance and scalability, and propose different kinds of expected uses for such a framework. In an IDS we may use two common detection approaches, known as misuse detection and anomaly detection. In misuse detection, the IDS examines all the different kinds of data that have been gathered and matches it against a large database of signatures. In anomaly detection, the admin establishes a baseline, or what we may call a typical network traffic load, breakdown, protocol, and packet information. It monitors the network and compares it to those baselines. IDS can additionally be classified into network-based and host-based. In a network-based IDS, the individual traffic is examined, whereas in a host-based IDS all the activities of the host are analyzed. Honeypots can be either host-based or network-based; however, for the most part, they are not network-based, as all interface activities are commonly performed over a network. Their key utility is that they simplify the intrusion detection problem of separating anomalous from normal: consequently, any activity on a honeypot can be immediately classified as anomalous. Every component plays a particular role in the deployment of a honeypot with an IDS inside an organization. First, the load balancer receives the packet at the virtual IP address and checks whether the packet has been fragmented, in which case it is reassembled. Then, the load balancer opens a TCP connection with the IDS process and sends the data of the packet (less the headers) over that connection. The IDS checks the data of the packet against its database and returns a Boolean value to the load balancer through the same TCP connection. After receiving the result, the load balancer closes the TCP connection. If the result from the IDS was true (indicating an attack), the packet is sent to the honeypot; otherwise, a server is chosen from the active server pool in a cooperative design and the packet is sent to that server.

Fig3 Flow of packets through IDS in Honeypot

3.3. Network Security Through Hybrid Honeypot
A honeypot is a security resource whose value lies in being probed, attacked, or compromised. A honeypot is a system that is built and set up to be hacked. It can be used in different roles as an IDS, a safeguard, or a response component. Moreover, it can be deployed to consume the attacker's resources or divert them from the valuable targets and slow them down, so that they waste their energy and time on the honeypot instead of attacking production systems or servers. Here again, we partition the honeypots into two classifications according to their degree of interaction: low-level interaction and high-level interaction. The degree of interaction can be defined as the maximum range of attack possibilities that a honeypot permits an attacker to have. In a high-level interaction honeypot, the hacker interacts with a working operating system, all the programs and services, and this sort of interaction can be used to observe the hacker's behavior, the tools used, their motive, and to investigate vulnerabilities. This kind of high-level interaction honeypot can be set up in a virtual machine using different virtualization software, for example VMware, Qemu, and Xen. An example of this honeypot is the honeynet. It is a network of different systems. A honeynet can gather in-depth data about hackers, for example their keystrokes when they exploit the system, their interaction with other hackers, or the different tools they use to probe and compromise a vulnerable system. On a low-level interaction honeypot, there is no working operating system that an attacker can work on. All the tools are set up to mimic an OS and different services. Furthermore, they all interact with the attacker and malicious code. This decreases the danger drastically. This kind of honeypot has few possibilities of being compromised. These are production honeypots. Regular uses of low-level interaction honeypots include port scan identification, attack signature generation, pattern analysis, and malware collection.

3.4. Deployment of Intrusion Detection Signatures using Honeycomb
This generally deals with the generation of signatures. As of now, generating a signature is tedious work, a manual process that requires detailed knowledge of every software exploit that should be covered. Oversimplified signatures generally produce huge numbers of false positives; too specific ones cause false negatives. For this reason, the idea of Honeycomb, a system that generates signatures for malicious traffic automatically, is used. Here pattern detection methods and packet header conformance tests are applied to traffic captured by honeypots. The reason for examining the attack signatures is to clarify the characteristic components of attacks. At this moment we don't have any standard for describing these signatures. As a result, various systems offer signature languages of varying expressiveness. A good signature must be restrictive enough to capture precisely the characteristic parts of the exploit it attempts to address; simultaneously, it should be flexible enough to catch variations of the attacks. Failure in one way or the other leads either to a lot of false positives or to false negatives. For now, the system supports signatures only for the Snort NIDS. Snort's signature language is currently not as open. So, we include Snort here due to its current standing and huge signature repository. The system used here is an extension of Honeyd, a popular low-level interaction open-source honeypot. Honeyd simulates hosts with individual networking personalities. It intercepts traffic sent to non-existent hosts and uses the simulated systems to respond to this traffic. Each host's characteristics can be configured in terms of OS type and running network services.

4. Conclusion
We have examined different sorts of honeypots and their utilization from various functional perspectives. Our objective was to understand their technique and how they function to draw attackers towards the system. We found their security flaws to support specialists and organizations. A few organizations are using honeypot frameworks to ensure the entire organization's security, and analysts are running experiments on their home networks. As we know, network security is exceptionally important for all systems, because any unprotected machine in a network can be compromised at any time.

5. References
[1] Spitzner, L. 2002. Honeypots: Tracking Hackers. 1st ed. Boston, MA, USA: Addison Wesley.
[2] Mokube, I. & Adams, M. 2007. Honeypots: Concepts, Approaches, and Challenges. ACMSE 2007, March 23-24, 2007, Winston-Salem, North Carolina, USA, pp. 321-325.
[3] Honeynet Project & Research Alliance. Know Your Enemy: Honeywall CDROM Roo 3rd Generation Technology. http://www.honeynet.org
[4] Ram Kumar Singh & Prof. T. Ramanujam. Intrusion Detection System Using Advanced Honeypots, 2009.
[5] The Honeynet Project. Know Your Enemy: Honeynets (May 2005). http://www.honeynet.org/papers/honeynet/
[6] Honeynet Research Alliance. Project Honeynet Website. http://project.honey.org

[7] The Honeynet Project. Know Your Enemy: Honeynets, April 2001.
[8] The Honeypot Project. Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community, 2002.
[9] Kyi Lin Lin Kyaw. Hybrid Honeypot System for Network Security, 2008.
[10] Spitzner, Lance. Honeypots: Tracking Hackers. PDF version. Addison Wesley, 2002.
[11] Honeynet Project. Know Your Enemy: Honeynets. http://www.Honeynet.org/papers/honeynet/index.html
[12] Research Infrastructures Action, Sixth Framework Programme, D1.1: Honeypot Node Architecture, pages 7-24.
[13] Christian Kreibich, Jon Crowcroft. Honeycomb: Creating Intrusion Detection Signatures Using Honeypots.
[14] M. Roesch. Snort: Lightweight Intrusion Detection for Networks. In Proceedings of the 13th Conference on Systems Administration.
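The low interaction honeypot of section 2.3 (a handful of emulated services, minimal freedom for the attacker, every connection an early warning) can be illustrated with a few dozen lines. The following is an added example written for this page, not code from the paper or from any honeypot project; the service banners, ports and log format are assumptions chosen for illustration.

```python
"""Minimal low-interaction honeypot: emulated banners, no real service.

Each connection gets a canned banner, the first bytes the client sends are
recorded as one JSON event, and the socket is closed. Nothing is ever
executed, so the attacker's freedom is minimal and, because no legitimate
user talks to a decoy, every event is an alert."""
import json
import socket
import threading
import time

# Hypothetical banners for illustration; use ports >= 1024 for unprivileged tests.
EMULATED_SERVICES = {
    22: b"SSH-2.0-OpenSSH_7.4\r\n",
    23: b"login: ",
}
MAX_READ = 256        # keep only the first bytes the client sends
READ_TIMEOUT = 2.0    # seconds; many scanners never send anything


def build_event(port, peer, received, now=None):
    """Turn one observed connection into a log record (pure, testable)."""
    now = time.time() if now is None else now
    return {
        "ts": round(now, 3),
        "honeypot_port": port,
        "src_ip": peer[0],
        "src_port": peer[1],
        "bytes": len(received),
        # hex keeps binary probes printable and avoids log injection
        "payload_hex": received[:MAX_READ].hex(),
        "alert": True,            # nobody legitimate talks to a decoy
    }


def handle_session(conn, port, peer, log, now=None):
    """Send the fake banner, read at most a few bytes, log, close."""
    data = b""
    try:
        conn.settimeout(READ_TIMEOUT)
        conn.sendall(EMULATED_SERVICES[port])
        try:
            data = conn.recv(MAX_READ)
        except OSError:           # timeout or reset: still worth logging
            data = b""
    finally:
        conn.close()
    event = build_event(port, peer, data, now)
    log(json.dumps(event))
    return event


def serve(port, log=print, bind="127.0.0.1", stop=None):
    """Accept loop for one emulated service; `stop` is a threading.Event."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(8)
    srv.settimeout(0.5)           # so the loop can notice `stop`
    try:
        while stop is None or not stop.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=handle_session,
                             args=(conn, port, peer, log), daemon=True).start()
    finally:
        srv.close()


if __name__ == "__main__":
    # One thread per emulated port; events go to stdout as JSON lines.
    for p in EMULATED_SERVICES:
        threading.Thread(target=serve, args=(p,), daemon=True).start()
    while True:
        time.sleep(60)
```

The design choice that makes this "low interaction" is that `handle_session` never interprets what it receives: it records bytes and closes. That is also what keeps the decoy from being turned into a pivot host, the risk the paper raises for higher-interaction honeypots.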
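Section 3.2 describes a packet's path: the load balancer reassembles fragments, opens a TCP connection to the IDS process, sends the headerless payload, receives a Boolean, closes the connection, and forwards to the honeypot or to a pool server. The following is an added example written for this page, not the paper's or any product's code, that runs that exchange end to end on localhost with both misuse detection (a signature database) and anomaly detection (a per-port baseline). The signatures, the baseline, the packet dictionaries and the one-byte verdict encoding are all constructed assumptions.

```python
"""Load balancer + IDS packet flow (constructed example for section 3.2)."""
import socket
import threading
from collections import defaultdict

# Misuse detection: a toy signature database (constructed).
SIGNATURES = {"sql_injection": b"' OR 1=1", "path_traversal": b"../../"}
# Anomaly detection: the admin's baseline for each service port (constructed).
BASELINE = {80: {"max_payload": 512,
                 "must_start_with": (b"GET ", b"POST ", b"HEAD ")}}


def misuse_detect(payload):
    """Name of the first matching signature, or None."""
    return next((n for n, p in SIGNATURES.items() if p in payload), None)


def anomaly_detect(port, payload):
    """Compare the payload with the baseline for that port; None if normal."""
    base = BASELINE.get(port)
    if base is None:
        return "no_baseline_for_port"
    if len(payload) > base["max_payload"]:
        return "payload_too_large"
    if not payload.startswith(base["must_start_with"]):
        return "protocol_mismatch"
    return None


def ids_decide(port, payload):
    """The Boolean the IDS returns: True means attack, route to honeypot."""
    return (misuse_detect(payload) or anomaly_detect(port, payload)) is not None


def ids_server(listen_sock):
    """IDS process: one TCP connection per packet (2-byte port + payload)."""
    while True:
        try:
            conn, _ = listen_sock.accept()
        except OSError:
            return                        # listening socket closed
        with conn:
            buf = b""
            while chunk := conn.recv(4096):
                buf += chunk
            verdict = ids_decide(int.from_bytes(buf[:2], "big"), buf[2:])
            conn.sendall(b"1" if verdict else b"0")


def start_ids():
    """Start the IDS on an ephemeral localhost port; returns (socket, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    threading.Thread(target=ids_server, args=(srv,), daemon=True).start()
    return srv, srv.getsockname()[1]


class LoadBalancer:
    def __init__(self, ids_port, server_pool):
        self.ids_port, self.pool, self.next_server = ids_port, list(server_pool), 0
        self.fragments = defaultdict(dict)   # frag_id -> {offset: (bytes, more)}

    def reassemble(self, pkt):
        """Full payload once every fragment has arrived, else None."""
        if not pkt.get("fragmented"):
            return pkt["payload"]
        parts = self.fragments[pkt["frag_id"]]
        parts[pkt["offset"]] = (pkt["payload"], pkt["more"])
        data, pos = b"", 0
        while pos in parts:                  # walk contiguous offsets from 0
            chunk, more = parts[pos]
            data, pos = data + chunk, pos + len(chunk)
            if not more:
                del self.fragments[pkt["frag_id"]]
                return data
        return None

    def ask_ids(self, port, payload):
        """Open a TCP connection to the IDS, send, read the verdict, close."""
        with socket.create_connection(("127.0.0.1", self.ids_port)) as s:
            s.sendall(port.to_bytes(2, "big") + payload)
            s.shutdown(socket.SHUT_WR)
            return s.recv(1) == b"1"

    def route(self, pkt):
        """'honeypot', a pool server name, or None while still reassembling."""
        payload = self.reassemble(pkt)
        if payload is None:
            return None
        if self.ask_ids(pkt["dst_port"], payload):
            return "honeypot"
        server = self.pool[self.next_server % len(self.pool)]
        self.next_server += 1
        return server


def demo():
    """Run constructed packets through the balancer; returns the decisions."""
    srv, port = start_ids()
    lb = LoadBalancer(port, ["web-1", "web-2"])
    packets = [
        {"dst_port": 80, "payload": b"GET /index.html HTTP/1.1\r\n"},
        {"dst_port": 80, "payload": b"GET /?id=1' OR 1=1-- HTTP/1.1\r\n"},
        {"dst_port": 80, "fragmented": True, "frag_id": 7, "offset": 0,
         "more": True, "payload": b"POST /login "},
        {"dst_port": 80, "fragmented": True, "frag_id": 7, "offset": 12,
         "more": False, "payload": b"HTTP/1.1\r\n"},
        {"dst_port": 80, "payload": b"\x16\x03\x01\x00\xa5"},  # TLS bytes on 80
    ]
    decisions = [lb.route(p) for p in packets]
    srv.close()
    return decisions


if __name__ == "__main__":
    print(demo())
```

Two points worth noticing: the IDS sees a complete payload only because the balancer reassembles before asking, which is exactly why the paper puts fragment handling first, and the anomaly check catches the last packet even though no signature matches it.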
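Section 3.4 explains the Honeycomb idea: apply packet header conformance tests and pattern detection to traffic captured by a honeypot, and emit the result in Snort's signature language. The following is an added example written for this page, not Honeycomb's own code. It groups captured flows by protocol and destination port (the header test), takes the longest common substring of their payloads (the pattern test, computed pairwise, so for three or more flows it yields a common substring that is not guaranteed to be the longest), rejects results below a minimum length to limit false positives, and prints a Snort rule. The three captured requests are constructed, and the `sid` value is a placeholder.

```python
"""Honeycomb-style signature generation from honeypot captures (added example)."""


def longest_common_substring(a, b):
    """Classic O(len(a)*len(b)) dynamic programme over two byte strings."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def common_substring(payloads):
    """Fold pairwise; the result is a substring shared by every payload."""
    sig = payloads[0]
    for p in payloads[1:]:
        sig = longest_common_substring(sig, p)
        if not sig:
            break
    return sig


# Bytes Snort can take literally inside content:"..."; everything else as |hex|.
SAFE = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 /.:=?&-_")


def snort_content(data):
    """Render bytes in Snort content syntax: printable text, |hex| otherwise."""
    out, hexrun = [], []

    def flush():
        if hexrun:
            out.append("|" + " ".join(f"{b:02X}" for b in hexrun) + "|")
            hexrun.clear()

    for b in data:
        if b in SAFE:
            flush()
            out.append(chr(b))
        else:
            hexrun.append(b)
    flush()
    return "".join(out)


def generate_rule(flows, min_len=8, sid=1000001):
    """flows: dicts {proto, dst_port, payload} captured by the honeypot.

    Returns a Snort rule, or None when the header test fails (mixed
    protocols/ports are not one attack) or the common part is shorter than
    min_len (a too-short signature would fire on legitimate traffic)."""
    protos = {f["proto"] for f in flows}
    ports = {f["dst_port"] for f in flows}
    if len(protos) != 1 or len(ports) != 1:
        return None
    sig = common_substring([f["payload"] for f in flows])
    if len(sig) < min_len:
        return None
    proto, port = protos.pop(), ports.pop()
    return (f'alert {proto} any any -> any {port} '
            f'(msg:"Honeycomb generated {proto}/{port}"; '
            f'content:"{snort_content(sig)}"; sid:{sid}; rev:1;)')


# Constructed captures: three variants of one probe answered on tcp/80.
FLOWS = [
    {"proto": "tcp", "dst_port": 80,
     "payload": b"GET /cgi-bin/../../../../etc/passwd HTTP/1.0\r\nHost: a\r\n\r\n"},
    {"proto": "tcp", "dst_port": 80,
     "payload": b"GET /scripts/../../../../etc/passwd HTTP/1.0\r\nHost: b\r\n\r\n"},
    {"proto": "tcp", "dst_port": 80,
     "payload": b"GET /icons/../../../../etc/passwd HTTP/1.1\r\nHost: cc\r\n\r\n"},
]

if __name__ == "__main__":
    print(generate_rule(FLOWS))
```

The `min_len` threshold is the practical knob behind the paper's false-positive versus false-negative remark: lower it and the rule matches more variants but also more benign traffic; raise it and the reverse happens. A generated rule should still be reviewed against normal traffic before it reaches a production sensor.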
