AU2021103735A4 - A honeypot based network security system - Google Patents


Info

Publication number
AU2021103735A4
Authority
AU
Australia
Prior art keywords
honeypot
security system
tcp
network security
based network
Prior art date
Legal status
Ceased
Application number
AU2021103735A
Inventor
Chaitanya P. Agrawal
Sangeeta Arora
Vivek Garg
A. Harshavardhan
Philson Manarcad
Basil Paul
Kamal Upreti
Binu Kuriakose Vargis
Current Assignee
Individual
Original Assignee
Individual
Priority date
Filing date
Publication date
Application filed by Individual
Application granted
Publication of AU2021103735A4
Legal status: Ceased
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

A HONEYPOT BASED NETWORK SECURITY SYSTEM

Aspects of the present disclosure relate to a honeypot based network security system (100) and a data processing method (200) thereof. In an aspect, the honeypot-based network security system (100) comprises: an attacking terminal (102) which sends source data to the honeypot (104), and a honeypot (104) for acquiring the source data sent by the attacking terminal and comprising bogus data. The method (200) of data processing on a honeypot-based network security system comprises: acquiring (202) a plurality of transmission control protocol (TCP) type source data sets that are sent by the attacking terminal, simulating (204) a TCP protocol for constructing a TCP feedback data packet which meets the pre-set requirement, and sending (206) the TCP feedback data packet to the attacking terminal. (FIG. 1 will be the reference figure.)

Fig. 1 Block diagram of a honeypot based network security system.

Description

Fig. 1 Block diagram of a honeypot based network security system (100): attacking terminal (102), honeypot (104), honeypot database layer (106), firewall (108), original database layer (110), basic information database layer (112).
A HONEYPOT BASED NETWORK SECURITY SYSTEM
TECHNICAL FIELD
[0001] The present disclosure relates to a network security system and in particular to a honeypot based network security system.
BACKGROUND
[0002] With the growing trend in the technological world, every aspect of the human world is developing. The foremost and unopposed area of interest of human civilisation has become the internet. The internet is growing at a very fast rate, and so is the dependence of our daily needs on it. From the individual level to the organisational level, every corner is highly dependent on internet usage. Therefore, security is of utmost concern with the emerging sophistication of the internet.
[0003] Based on the type of attack, each countermeasure has its own way of tackling things. One of those ways is detecting the intruder when it tries to enter a network. This leads to the use of honeypots, because a honeypot is used as a tempting tool: an attacker is attracted towards it by presenting the attacker with some sort of bogus information. This bogus information lures the attacker into attacking the system, since the attacker thinks that the information he is after is vital.
[0004] By definition, a honeypot is a resource tool to analyse intrusions and study the intruder's activities in a very simple and efficient manner. The most enthralling thing about the honeypot is its simplicity; it is very convenient for the administrator to handle. A honeypot needs to be analysed regularly to detect any incoming move of the attacker.
[0005] Efforts have been made in the related prior art to provide different solutions for network security based on the honeypot concept. For example, Chinese patent no. CN111541670A provides a novel dynamic honeypot system. The system comprises a network information processing module, a decision analysis module, an operating system fingerprint database, an operating system fingerprint identification module, a virtual honeypot processing template and a honeypot template; the system organically combines passive fingerprint identification technology and virtual honeypot technology.
[0006] Similarly, United States patent no. US8156556B2 provides a method and apparatus for detecting the originator of traffic of interest. One or more honeypots are established, and mobility is then provided to the one or more honeypots. In one embodiment, mobility is provided by communicating information associated with one or more dark prefixes.
[0007] However, a honeypot may not be useful in preventing attacks, but it can be a useful tool to understand the attacking methodologies employed by the blackhats (attackers). In many applications, rather than understanding the attacking methods of the blackhats, two other things are more crucial: recognising the origin of the attacker on the honeypot (origin refers to the current location of the system or server from which the attacker is attempting attacks on the military database server), and the location of the attacker, which comprises the IP address of the system, the ISP, and the geographical location or possible state or country.
[0008] Therefore, the present disclosure overcomes the above-mentioned problem associated with the traditionally available methods or systems. Any of the above-mentioned inventions can be used with the presently disclosed technique with or without modification.
[0009] All publications herein are incorporated by reference to the same extent as if each individual publication or patent application were specifically and individually indicated to be incorporated by reference. Where a definition or use of a term in an incorporated reference is inconsistent or contrary to the definition of that term provided herein, the definition of that term provided herein applies and the definition of that term in the reference does not apply.
OBJECTS OF THE INVENTION
[0010] It is an object of the present disclosure to provide a system for network security based on a honeypot.
[0011] It is an object of the present disclosure to provide a data processing method for network security based on a honeypot.
[0012] It is an object of the present disclosure to provide a method to identify the origin of a network attacker and its location.
SUMMARY
[0013] The present invention is directed towards a honeypot based network security system and a data processing method thereof.
[0014] In an aspect, the present invention discloses that the honeypot-based network security system comprises: an attacking terminal that sends source data to the honeypot, and a honeypot for acquiring the source data sent by the attacking terminal, wherein the honeypot comprises a set of internet protocol (IP) addresses which are not in use but are used to track the attacking terminal.
[0015] In another aspect, the method of data processing on a honeypot-based network security system comprises: acquiring a plurality of transmission control protocol (TCP) type source data sets that are sent by the attacking terminal, simulating a TCP protocol for constructing a TCP feedback data packet which meets the pre-set requirement, and sending the TCP feedback data packet to the attacking terminal.
[0016] In yet another aspect, the TCP protocol generates the TCP feedback data packet by using the TCP packet header and analysing it against the preset response rules. The analysis to construct the TCP feedback data packet is performed in three modules: SCANPORT, ATTACK ANALYSER, and FIND BLACKLISTED IP. After analysing the TCP packet header, feedback data corresponding to the source data is generated based on the predetermined honeypot rules. The feedback data packet comprises the TCP packet header and the feedback data.
[0017] One should appreciate that although the present disclosure has been explained with respect to a defined set of functional modules, any other module or set of modules can be added, deleted, modified or combined, and any such changes in the architecture or construction of the proposed system are completely within the scope of the present disclosure. Each module can also be fragmented into one or more functional sub-modules, all of which are also completely within the scope of the present disclosure.
[0018] Various objects, features, aspects and advantages of the inventive subject matter will become more apparent from the following detailed description of preferred embodiments, along with the accompanying drawing figures in which like numerals represent like components.
BRIEF DESCRIPTION OF THE DRAWINGS
[0019] Fig. 1 illustrates a block diagram of a network security system based on a honeypot.
[0020] Fig. 2 illustrates a flowchart describing a data processing method for the network security system.
[0021] Fig. 3 illustrates the working of a honeypot based network security system.
[0022] Fig. 4 illustrates the detailed process flow of the analysis to construct TCP data packets.
[0023] Other objects, advantages and novel features of the invention will become apparent from the following detailed description of the present embodiment when taken in conjunction with the accompanying drawings.
DETAILED DESCRIPTION
[0024] Embodiments of the present invention include various steps, which will be described below. The steps may be performed by hardware components or may be embodied in machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with the instructions to perform the steps. Alternatively, steps may be performed by a combination of hardware, software, and firmware and/or by human operators.
[0025] Various methods described herein may be practiced by combining one or more machine-readable storage media containing the code/instructions according to the present invention with appropriate standard device hardware to execute the instructions contained therein. An apparatus for practicing various embodiments of the present invention may involve one or more computers (say servers) (or one or more processors within a single computer) and storage systems containing or having network access to computer program(s) coded in accordance with the various methods described herein, and the method steps of the invention could be accomplished by modules, devices, routines, subroutines, or subparts of a computer program product.
[0026] Exemplary embodiments will now be described more fully hereinafter with reference to the accompanying drawings, in which exemplary embodiments are shown. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. These embodiments are provided so that this disclosure will be thorough and complete and will fully convey the scope of the invention to those of ordinary skill in the art. Moreover, all statements herein reciting embodiments of the invention, as well as specific examples thereof, are intended to encompass both structural and functional equivalents thereof. Additionally, it is intended that such equivalents include both currently known equivalents as well as equivalents developed in the future (i.e., any elements developed that perform the same function, regardless of structure).
[0027] Thus, for example, it will be appreciated by those of ordinary skill in the art that the diagrams, schematics, illustrations, and the like represent conceptual views or processes illustrating systems and methods embodying this invention. The functions of the various elements shown in the figures may be provided through the use of dedicated hardware as well as hardware capable of executing associated software. Similarly, any switches shown in the figures are conceptual only. Their function may be carried out through the operation of program logic, through dedicated logic, through the interaction of program control and dedicated logic, or even manually, the particular technique being selectable by the entity implementing this invention. Those of ordinary skill in the art further understand that the exemplary hardware, software, processes, methods, and/or operating systems described herein are for illustrative purposes and, thus, are not intended to be limited to those named.
[0028] In an embodiment of the present disclosure, Fig. 1 illustrates a block diagram of a network security system based on a honeypot.
[0029] In an aspect, in certain networks two things matter more than understanding the blackhats' attacking methods: recognising the attacker's origin on the honeypot, and the attacker's location, which comprises the IP address of the system, the ISP, and the geographical location or possible state or country. Origin refers to the current location of the system or server from which the attacker is attempting attacks on the military database server.
[0030] In an aspect, the said system comprises an attacking terminal that sends source data to the honeypot and a honeypot for acquiring the source data sent by the attacking terminal.
[0031] In an aspect, the honeypot in the security system consists of a database comprising a set of internet protocol (IP) addresses that are not in use but are used to track the attacking terminal. The database is divided into different layers.
[0032] In an embodiment of the present disclosure, Fig. 2 illustrates a flowchart describing a data processing method for the network security system.
[0033] In another aspect of the present invention, the method of data processing on a honeypot-based network security system comprises: acquiring a plurality of transmission control protocol (TCP) type source data sets that are sent by the attacking terminal, simulating a TCP protocol for constructing a TCP feedback data packet which meets the pre-set requirement, and sending the TCP feedback data packet to the attacking terminal.
[0034] In this aspect, the Transmission Control Protocol (TCP) is a transport protocol which is used on top of the Internet Protocol (IP) to ensure reliable transmission of packets. It includes mechanisms to solve many of the problems that arise from packet-based messaging. Such problems include lost packets, packets out of order, duplicate packets, and corrupted packets.
[0035] In an embodiment of the present disclosure, Fig. 3 illustrates the working of a honeypot based network security system and more particularly the different layers of database and the firewalls in the honeypot. The first layer (106) contains the dummy database server which holds all the bogus information relating to the administrator. It is less secured and open to all. The data in this server is arranged so that it attracts those who are planning their ways against the security of the network. These attackers try to gain access to the information content in the server, and as soon as they gain root on the system the honeypot monitors their activities. The second layer (110) contains the original data. This layer of the database is separated from the honeypot by a firewall (108), which is programmed so that it does not grant access to any incoming request from the honeypot. Honeypots are placed in the network without any communication with any of the network clients, not even with the admin's own network systems, so any source trying to make a communication is a potential attacker. Since honeypots are vulnerable to "uplink liability", an additional firewall inside the network gives an extra check on the security of the real database servers by blocking the outbound activities of the honeypot. Another layer (112) of the database is a very basic and prolific one that contains information meant to be provided to the media and information centre. Therefore, we have four modules in our honeypot system with respect to the three different layers of the database server.
[0036] In another embodiment of the present disclosure, Fig. 4 illustrates the detailed process flow of the analysis to construct TCP data packets. In an aspect, simulating a TCP protocol for constructing a TCP feedback data packet includes analysis of the acquired source data. The analysis by the system has three modules: SCANPORT, ATTACK ANALYSER, and FIND BLACKLISTED IP.
[0037] In an aspect, SCANPORT is the first module. In it, all the open ports are scanned to check which ones are free and which ones are attacked and being used by the attacker. The functionality corresponding to a port number will itself reveal much information regarding the attack. All the ports which are being used for communication in the network, both incoming and outgoing, are displayed. The algorithmic steps are: opening the user interface for SCANPORT, entering the server IP address, entering the port numbers to be scanned, and displaying the port numbers that are not free.
[0038] In an aspect, ATTACK ANALYSER is the next module. In this module, as soon as the attacker gains access to the system and starts attacking, this is detected by the honeypot, which then starts creating log files for it. If any harmful intrusions such as Trojans or rootkits are found in the network, they are also saved in the log file in the captured files. Apart from these attacks, the admin can check system communications in detail to see which ports of the admin's system are engaged in communications in the network. The log files can be analysed from this module. The steps performed by this module are: selecting a log file, displaying the intruder's IP address, displaying the port numbers of the admin's system which are being communicated with, and analysing both the log files and the port numbers in detail.
[0039] In an aspect, FIND BLACKLISTED IP is another module. This module checks for the busiest location, i.e. the one from which the attack occurs the greatest number of times. Once the IP address is retrieved, it is checked against the blacklisted logs. Then the frequency with which that IP address attempts to open some document is checked, i.e. how many times an attack followed from the same IP address. If the frequency of attacks exceeds the limit set by the administrator of the military network, the address is added to the blacklisted IPs. Such an IP address, and its location, is of interest to the intended user. The algorithm performed by this module includes the steps: entering the list of foreign IP addresses; monitoring the number of attempts made from each IP; if the number of attempts exceeds the limit set, adding it to the BLACKLIST and looking up the time and location, else if the number of attempts is below the limit, repeating the second step; and finally disconnecting the honeypot system from the network.
[0040] In an aspect, the algorithm used for filtering out harmful intrusions detected by the honeypot has the following steps: Step 1: extract the intrusions using the HoneyBot log files, analyse the intrusions detected in the log files and extract them into .csv file format; Step 2: analyse the local and remote ports used for communication; Step 3: extract the foreign addresses from the log file, create a list of suspected harmful foreign addresses and create the blacklisted IP addresses; Step 4: analyse the foreign/intruder addresses using the knowledge base of previously analysed results from the honeypot; Step 5: find out the geographical locations of the blacklisted IP addresses per 4000-5000 intrusions.
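The ATTACK ANALYSER and FIND BLACKLISTED IP logic of paragraphs [0038] to [0040] (extracting intrusion records to CSV, counting the local ports touched and the attempts per foreign address, and blacklisting addresses above an administrator-set limit or already in the knowledge base), written out as an added Python example that is not part of the patent. The log line format, the sample records and the limit are constructed for illustration; the geographical lookup of Step 5 needs an external database and is left out.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample log (not from the patent): one connection attempt per line in the form
# "<timestamp> <local_ip>:<local_port> <- <foreign_ip>:<foreign_port> <event>".
SAMPLE_LOG = """\
2021-06-01T10:00:01 10.0.0.5:22 <- 198.51.100.7:51234 connect
2021-06-01T10:00:02 10.0.0.5:22 <- 198.51.100.7:51235 connect
2021-06-01T10:00:03 10.0.0.5:445 <- 198.51.100.7:51236 connect
2021-06-01T10:00:04 10.0.0.5:80 <- 203.0.113.9:40001 connect
2021-06-01T10:00:05 10.0.0.5:22 <- 198.51.100.7:51237 connect
2021-06-01T10:00:06 10.0.0.5:3389 <- 192.0.2.44:33000 connect
2021-06-01T10:00:07 10.0.0.5:3389 <- 192.0.2.44:33001 connect
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<local_ip>[\d.]+):(?P<local_port>\d+) <- "
    r"(?P<foreign_ip>[\d.]+):(?P<foreign_port>\d+) (?P<event>\w+)$"
)
FIELDS = ["ts", "local_ip", "local_port", "foreign_ip", "foreign_port", "event"]


def parse_log(text):
    """Step 1: extract the intrusion records from the raw log text (malformed lines are skipped)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["local_port"] = int(rec["local_port"])
            rec["foreign_port"] = int(rec["foreign_port"])
            records.append(rec)
    return records


def to_csv(records):
    """Step 1 (continued): serialise the extracted intrusions as CSV text."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


def ports_in_use(records):
    """Step 2 / SCANPORT view: local ports the attackers touched, with attempt counts."""
    return Counter(r["local_port"] for r in records)


def attempts_per_foreign_address(records):
    """FIND BLACKLISTED IP: how many times an attack followed from the same foreign address."""
    return Counter(r["foreign_ip"] for r in records)


def blacklist(records, limit, known_bad=frozenset()):
    """Steps 3 and 4: foreign addresses whose attempt count exceeds the admin-set limit, or that
    the knowledge base of earlier results already lists, each with first/last seen time."""
    counts = attempts_per_foreign_address(records)
    seen = defaultdict(list)
    for r in records:
        seen[r["foreign_ip"]].append(r["ts"])
    result = {}
    for ip, n in counts.items():
        if n > limit or ip in known_bad:
            result[ip] = {"attempts": n, "first_seen": min(seen[ip]), "last_seen": max(seen[ip])}
    return result


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(to_csv(recs))
    print("ports:", dict(ports_in_use(recs)))
    print("blacklist:", blacklist(recs, limit=2))
```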
[0041] In an aspect, the TCP protocol generates the TCP feedback data packet by using the TCP packet header and analysing it against the preset response rules.
[0042] In an aspect, after analysing the TCP packet header, feedback data corresponding to the source data is generated based on the predetermined honeypot rules.
[0043] In an aspect, the feedback data packet comprises the TCP packet header and the feedback data.
[0044] In an aspect, the analysis to construct the TCP feedback data packet is performed in three modules: SCANPORT, ATTACK ANALYSER, and FIND BLACKLISTED IP.
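The TCP feedback packet construction of paragraphs [0041] to [0044], as an added Python example that is not the patent's own implementation: the attacker's TCP header is parsed, checked against a small preset response-rule table, and a feedback header (SYN-ACK, RST-ACK or RST) with a valid checksum is built for the honeypot to send back. The rule table, addresses, ports and sequence numbers are constructed assumptions.

```python
import socket
import struct
from dataclasses import dataclass

TCP_HDR = struct.Struct("!HHIIBBHHH")  # 20-byte TCP header without options
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    window: int = 65535
    checksum: int = 0
    urgent: int = 0

    @classmethod
    def parse(cls, data):
        """Read the fixed part of a TCP header; the data-offset nibble is not needed here."""
        sp, dp, seq, ack, _off, flags, win, csum, urg = TCP_HDR.unpack_from(data)
        return cls(sp, dp, seq, ack, flags, win, csum, urg)

    def pack(self):
        # data offset 5 (5 x 4 = 20 bytes), reserved bits zero
        return TCP_HDR.pack(self.src_port, self.dst_port, self.seq, self.ack,
                            5 << 4, self.flags, self.window, self.checksum, self.urgent)


def tcp_checksum(src_ip, dst_ip, segment):
    """Internet checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold the carries back in (ones' complement addition)
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


# Preset response rules (constructed assumption, not the patent's): the ports the honeypot
# pretends to serve and the initial sequence number it puts in its feedback packet.
RESPONSE_RULES = {"open_ports": {22, 80, 445}, "honeypot_isn": 0x1000}


def build_feedback(attacker_ip, honeypot_ip, raw_segment, rules=RESPONSE_RULES):
    """Analyse the attacker's TCP header against the rules and build the feedback packet.
    Returns (decision, feedback_bytes); feedback_bytes is None when nothing should be sent."""
    hdr = TcpHeader.parse(raw_segment)
    if hdr.flags & RST:
        return "rst-in: no reply", None  # a reset is never answered
    reply = TcpHeader(src_port=hdr.dst_port, dst_port=hdr.src_port, seq=0, ack=0, flags=0)
    if (hdr.flags & SYN) and not (hdr.flags & ACK):
        reply.ack = (hdr.seq + 1) & 0xFFFFFFFF  # acknowledge the SYN either way
        if hdr.dst_port in rules["open_ports"]:
            reply.flags, reply.seq = SYN | ACK, rules["honeypot_isn"]
            decision = "syn to open port: syn-ack"
        else:
            reply.flags, reply.window = RST | ACK, 0
            decision = "syn to closed port: rst-ack"
    else:
        # any other segment belongs to no connection the honeypot tracks: reset it,
        # using the attacker's acknowledgement number as our sequence number
        reply.flags, reply.seq, reply.window = RST, hdr.ack, 0
        decision = "unexpected segment: rst"
    # feedback data packet = header with checksum computed for honeypot -> attacker, no payload
    reply.checksum = tcp_checksum(honeypot_ip, attacker_ip, reply.pack())
    return decision, reply.pack()


if __name__ == "__main__":
    syn = TcpHeader(51234, 22, 1000, 0, SYN).pack()  # constructed attacker SYN to port 22
    print(build_feedback("198.51.100.7", "10.0.0.5", syn))
```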

Claims (8)

We Claim:
1. A honeypot-based network security system (100), wherein the said system comprises of:
an attacking terminal (102) which sends a source data to the honeypot;
a honeypot (104) for acquiring the source data sent by the attacking terminal, wherein the honeypot comprises of a set of internet protocol (IP) address which are not in use but are used to track the attacking terminal.
2. A honeypot-based network security system (100) as claimed in claim 1, wherein the honeypot (104) consists of three layers of database: a honeypot database layer (106), an original database layer (110), and a basic information database layer (112).
3. A honeypot-based network security system (100) as claimed in claim 1, wherein the honeypot database layer (106) consists of bogus data, the original database layer (110) is separated from the first layer (106) by a strong firewall (108), and the third layer (112) consists of information meant to be provided to the media and information system.
4. A method (200) of data processing on a honeypot-based network security system (100), wherein the said method comprises of:
acquiring (202) a plurality of source data sets that are sent by the attack terminal, wherein the source data set is of a transmission control protocol (TCP) type;
simulating (204) a TCP protocol for constructing a TCP feedback data packet, wherein the TCP feedback meets the pre-set requirement;
sending (206) the TCP feedback data packet to the attack terminal.
5. The method (200) of data processing on a honeypot-based network security system (100) as claimed in claim 4, wherein the TCP protocol generates the TCP feedback data packet by using the TCP packet header and analysing it against the preset response rules.
6. The method (200) of data processing on a honeypot-based network security system (100) as claimed in claim 4, wherein after analysing the TCP packet header a feedback data corresponding to the source data is generated based on the predetermined honeypot rules.
7. The method (200) of data processing on a honeypot-based network security system (100) as claimed in claim 4, wherein the feedback data packet comprises of the TCP packet header and the feedback data.
8. The method (200) of data processing on a honeypot-based network security system (100) as claimed in claim 4, wherein the analysis to construct TCP feedback data packet is performed in three modules: SCANPORT, ATTACK ANALYSER, and FIND BLACKLISTED IP.
Application no.: Total no. of sheets: 4 Jun 2021 2021103735 Applicant name: Page 1 of 4
Fig. 1, Block diagram of a honeypot based network security system.
Fig. 2 Flowchart of a data processing method for honeypot based network security system.
Fig. 3 Working of a honeypot based network security system.
Fig. 4 Detail process flow of analysis to construct TCP data packets.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN202111024369 2021-06-01

Publications (1)

Publication Number Publication Date
AU2021103735A4 true AU2021103735A4 (en) 2021-08-26

Family

ID=77369584

Family Applications (1)

Application Number Title Priority Date Filing Date
AU2021103735A Ceased AU2021103735A4 (en) 2021-06-01 2021-06-30 A honeypot based network security system

Country Status (1)

Country Link
AU (1) AU2021103735A4 (en)


Legal Events

Date Code Title Description
FGI Letters patent sealed or granted (innovation patent)
MK22 Patent ceased section 143a(d), or expired - non payment of renewal fee or expiry