Computer Communication Laboratory
Dept. of computing, Soonsil University


The effectiveness of the working style is enhanced and the infrastructure for sharing knowledgement is commonly used due to the explosive growth of internet user. The new businesses such as B2B, e-mail, e-conference, e-medical treatment and e-library are derived from internet and now we are facing with sharing of knowledgement beyond information. Beside of these affirmative aspects given from internet, negative side of illegal use of internet is being embossed. Particularly, the collapse of knowledge infrastructure due to the malicious hacker, draining away the private information to black community, forging and destroying it illegally is a big threat to the existence of internet and the damage of the system or network from attackers is reported in the world. The methods and tools they use are tending to be automated and elaborated. So, it's very difficult to detect the attacks and respond to it actively before the system is crashed by the attack since they take decisive action with form of multiply distributed attack using the excellent toolkits.

Honeypot is a trap to capture an attacker. It entices an attacker into the system and opens the vulnerabilities to the attacker. Honeypot is classified with research and production honeypot according to its purpose. The purpose of research honeypot is to study the new attacking patterns and methods varied from known attack rapidly and correctly. The work history of the attacker from starting of attack is monitored in real-time and logged to the system file to analyze the new methods and respond it. The production honeypot has system and network protection function to resist the attack. As the honeypot is a response system itself, it is able to react the known attack using the policy-based response module by defining the new policies and rules for each pattern of known attacks. The roll-back function to recover from the crashed to original status when the system has attacked and destroyed from the attack is strongly recommended. And the reverse attacking is now on discussion to detect and attack the hacker actively.

We are designing and implementing the honeypot system integrated win research and production function for their use. To make our project more successful, the various functions such as enticement of attacker, intrude detection, rule definition and verification, virtualization of the system and network, active and passive response, analyzation of attack log, detection of key stroke, concealment of important data using rootkis and active response based on policy are under development. And the 'Honeynet' to make secure the network against the attack focusing on the network itself is on research.

The following figure shows the main function blocks for honeypot system.

Figure 1. Function Blocks for Honeypot System

Receiving packets from external sites, the detection engine composed of rule processing and analyzing component gets start to analyze the violation by inspecting the main interesting field of the header and payload of the given packets. The rules to detect the abnormal attempts is easy to expand and downloadable from the snort project site for known attacks.

The attacks detected are notified to main block in real-time where the main block plays a role of calling the other function blocks for detailed analyze and response.

First, it calls the linux shell, the fake shell allocated from the system bounded to the attacker when assigning the basic shell. The 'keystrokes' are captured by it and transmitted to management server with secure manner without delay.

If a attacker is willing to access the important files or scripts then the shell protect it from be damaged seriously by using the protection function block composed of root-kits amicable and scanner. The amicable root-kits are the part of honeypot system to protect the system being attacked. Using it makes the system more secure and helps it to alive. The root-kits hide the important objects(files, init scripts, password files, system configuration files, network information and so on) by modifying the results of executed command by an attacker thanks for the some kernel service calls installed by the honeypot system.

The scanner is for detecting the kernel and user level root-kits hostile to the honeypot system that is installed from an attacker for hide the existence of him. The scanner references the system map created in kernel compile time and address information file generated from amicable root-kits. By cross-referencing it to current kernel symbols(ksyms) every time it scheduled, it is able to detect the illegal root-kits(LKM). Every time an attacker accesses any files, the original image for that files are copied to secure device or folder and snapshot for changed files are added to snapshot list which composed of the file information and hash code(MD-5). Once the hostile root-kits are detected, it should notify it to rollback function block to decide if it takes the partial or whole recovery process.

The rollback function block starts the recovery procedure by referencing the given policy. It can recover the system using whole system image or backup image transferred to backup device(partial image) by the scanner in every schedule time.

The policy is defined as how to react the attack and demage form an unauthorized users. There are pre-defined policies to react the abnormal behavior such as session drop, logging, alerting and reverse attacking. The new policies can be defined by an administrator anytime he needs.

Copyright. Computer Networking and Mobile Computing Team All right reserved.