Experiment No.3 (NSL) : Aim: To Study The Usage of Honeypot in Security Closely


Experiment No. 3 (NSL)

-By Inthiyaz Ahmad Khan (TEIT 50)

Aim: To study the usage of Honeypot in security closely.

Theory: -
Introduction: -
1) A honeypot is a computer security mechanism set to detect, deflect,
or counteract attempts at unauthorized use of information systems.
Generally, a honeypot consists of data (for example, in a network site)
that appears to be a legitimate part of the site and seems to contain
information or a resource of value to attackers, but is actually isolated
and monitored, which enables blocking or analyzing the attackers.
2) Honeypots are mostly used by large companies and organizations
involved in It helps cybersecurity researchers to learn about the
different types of attacks used by attackers. It is suspected that even
cybercriminals use these honeypots to decoy researchers and spread
wrong information.
3) The cost of a honeypot is generally high because it requires
specialized skills and resources to implement a system that
appears to provide an organization's resources while still preventing
attacks at the backend and access to any production system.
4) A honeynet is a combination of two or more honeypots on a network.
Requirement of Honeypot:
1) A honeypot provides increased visibility and allows IT security teams
to defend against attacks that the firewall fails to prevent.
2) A honeypot is an additional security protection that can be used
alongside a firewall and other security solutions to help protect a
network from hackers.

Types of Honeypots:
Honeypots can be classified based on their deployment (use/action)
and based on their level of involvement. Based on deployment,
honeypots may be classified as:
• Production honeypots
• Research honeypots
• Production honeypots are low-interaction honeypots, which are
easier to deploy. They give less information about the attacks or
attackers than research honeypots.
• Research honeypots do not add direct value to a specific
organization; instead, they are used to research the threats that
organizations face and to learn how to better protect against
those threats.[2] Research honeypots are complex to deploy and
maintain, capture extensive information, and are used primarily
by research, military, or government organizations.[3]
Based on design classification, honeypots are divided as:
• Pure honeypots
• High-interaction honeypots
• Low-interaction honeypots
Pure honeypots are full-fledged production systems. The activities of
the attacker are monitored by using a bug tap that has been installed
on the honeypot's link to the network.
In High-interaction honeypots, by employing virtual machines, multiple
honeypots can be hosted on a single physical machine. Therefore, even
if the honeypot is compromised, it can be restored more quickly. In
general, high-interaction honeypots provide more security by being
difficult to detect, but they are expensive to maintain. If virtual
machines are not available, one physical computer must be maintained
for each honeypot, which can be exorbitantly expensive. Example:
Honeynet.
Low-interaction honeypots consume relatively few resources: multiple
virtual machines can easily be hosted on one physical system, the
virtual systems have a short response time, and less code is
required, reducing the complexity of the virtual system's security.
Example: Honeyd.
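
A low-interaction honeypot of the kind described above can be very small. The sketch below is an added example, not part of the original report and not Honeyd's code; the port 2222, the decoy banner text and the function names are assumptions made for illustration.

```python
import json
import socket
import time

# Constructed decoy banner: looks like an SSH service, but nothing real is behind it.
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.2p1\r\n"
MAX_CAPTURE = 1024  # cap bytes read per session so a client cannot exhaust memory

def handle_connection(conn, peer, events):
    """Serve one decoy session: send the banner, record the first input, close."""
    event = {"ts": time.time(), "src_ip": peer[0], "src_port": peer[1], "data": ""}
    try:
        conn.settimeout(3.0)
        conn.sendall(FAKE_BANNER)
        # Input is only stored, never parsed or executed.
        event["data"] = conn.recv(MAX_CAPTURE).decode("latin-1")
    except OSError:
        pass  # timeouts and resets still count: any contact with a decoy is an alert
    finally:
        conn.close()
    events.append(event)
    return event

def summarize(events):
    """Count sessions per source address; every honeypot session is suspicious."""
    counts = {}
    for e in events:
        counts[e["src_ip"]] = counts.get(e["src_ip"], 0) + 1
    return counts

def serve(host="127.0.0.1", port=2222, max_sessions=None):
    """Accept sessions one at a time and print each event as a JSON line."""
    events = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))  # assumed port; loopback keeps the demo isolated
        srv.listen(5)
        while max_sessions is None or len(events) < max_sessions:
            conn, peer = srv.accept()
            print(json.dumps(handle_connection(conn, peer, events)))
    return events

if __name__ == "__main__":
    serve()
```

Because no legitimate user has a reason to connect to the decoy, every recorded event can be treated as an alert without further filtering.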

The main benefits of honeypots are:


• Observe hackers in action and learn about their behavior
• Gather intelligence on attack vectors, malware, and exploits. Use
that intel to train your IT staff
• Create profiles of hackers who are trying to gain access to your
systems
• Improve your security posture
• Waste hackers’ time and resources
• They show you that you are being attacked, and that data is
valuable when attempting to get budget increases for security.
Disadvantages of honeypots:
• One of the main problems is that the system is designed to be
attacked, so attacks will likely take place. Once the honeypot is
accessed, it could be used as a launchpad for further attacks. Those
attacks could be conducted on an internal system or on another
company. Honeypots therefore introduce risk.
• Honeypots add complexity to a network, and the more complex a
network is, the harder it is to secure.
• The honeypot can only tell you about an attack in progress if the
honeypot is directly attacked. If an attack involves other systems and
the honeypot is untouched.
• The cost may be prohibitively expensive for some businesses.

Future Scope:
• A honeypot used as an IDS can predict the actions of intruders on
the basis of the inputs the attacker searches for on the honeypot, and
proactively improve the response to those actions. This can be done
with the help of neural networks and fuzzy logic.
• Further, the analysis of the signatures can be done using a genetic
algorithm, and extraction of new signatures can be done to update
the database of signatures.
• Honey Tokens, Wireless Honeypots, SPAM Honeypots will be in
use.

Conclusion:
Hence, we have successfully studied the use of Honeypots in network
security.
