Authors

Sherif Mohamed

Amr Khaled

Ahmed Mohamed

Mostafa Khaled


Publishing Date

November 8, 2021

Abstract

Attacks over the Internet keep increasing and harm the systems we are meant to protect. To minimize this threat, a security system is needed that can detect everyday attacks and prevent them. “Honeypot is one of the proactive defense technologies, in which resources placed in a network with the aim to observe and capture new attacks”. This proposal introduces a honeypot-based model for intrusion detection systems (IDS) that enables the system to monitor attacks.

1.1 Background

A honeypot is a computer security tool that helps prevent attacks and protects our privacy and sensitive data. Its main goal is to reduce our security holes, which is done in three steps: prevention, detection, and reaction. Prevention makes our system harder for any attacker to reach. Detection actively identifies attackers and monitors their activities. Finally, reaction (recovery) minimizes losses after an attack has taken place.

Honeypots can be classified into three levels of interaction: low-, medium- and high-interaction honeypots. Each level has its own advantages and disadvantages, and its own situations in which it should be used. A low-interaction honeypot is a limited-scale simulation running on a single virtual machine. It is used only to collect information and can be deployed easily. It can also be attacked easily, and an attacker can use it to gain information about the network. A medium-interaction honeypot is more complex: it simulates more than one virtual machine and is used to encourage the attacker to take more actions, which helps in discovering security holes and the malicious payloads sent. However, it does not support all operating system services. A high-interaction honeypot is the most advanced: it uses many real servers that replicate the same network and operating system, giving the attacker the capability to interact with it so that security holes can be detected and resolved. This can be risky, since the attacker may detect the honeypot and compromise it.

All of these interaction categories can be used in either production or research honeypots. A production honeypot is used to detect the attacker and apply mitigation; it is typically implemented as a low-interaction honeypot, which is easy to deploy. A research honeypot studies the method used in the attack, analyzes it and gathers more information; it is usually implemented as a high-interaction honeypot, which may be risky.

1.2 Motivation

• Sharing information via the Internet has become more common in recent years, spanning a variety of platforms and web applications.

• Web-based applications that accept users’ critical information store it in databases.

• Nowadays, a firewall blocks the attacker from accessing the system without gathering any information about him.

• A firewall cannot detect several kinds of attacks and therefore cannot block them.

• We aim to build a honeypot that is able to detect the attacks that a firewall cannot.

1.3 Problem Statement

Our main problem is to determine where an attack originates: the internal or the external network. The system will monitor all activities. For the internal network, it will monitor the attacker’s activity, including any attempt to reach a part of the system the attacker is not authorized to access, and we will try to catch that. For traffic from the public network, we will determine whether the source belongs to us or has legitimate access to enter this network. If it does not belong to us, we will automatically divert the attacker to fabricated data. A remaining problem is that attackers may detect that this is a trap, because the fabricated data is static and not realistic compared with our real system.
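The decision logic described above, as an added example that is not part of the original proposal: classify each request as internal or external, check the internal user against an access list, and divert unauthorized sources to fabricated data that varies per source so the trap does not look static. The networks, the access list and the record layout are assumptions chosen for illustration.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed address ranges of our own (internal) network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Hypothetical access list: which internal user may reach which resource.
ACL = {"alice": {"/hr", "/finance"}, "bob": {"/hr"}}


@dataclass
class Decision:
    action: str  # "serve" (real system) or "divert" (honeypot)
    reason: str  # why, for the monitoring log


def classify_request(src_ip: str, user: Optional[str], path: str) -> Decision:
    """Decide whether a request goes to the real system or to the honeypot."""
    ip = ipaddress.ip_address(src_ip)
    internal = any(ip in net for net in INTERNAL_NETS)
    if not internal:
        # Public source that does not belong to us: divert to the trap.
        return Decision("divert", "external source")
    if user is None or path not in ACL.get(user, set()):
        # Internal source reaching a part it is not authorized for.
        return Decision("divert", "unauthorized internal access")
    return Decision("serve", "authorized")


def decoy_record(path: str, src_ip: str, salt: bytes = b"constructed-salt") -> dict:
    """Fabricate a decoy record that is stable per source yet differs between
    sources, so the diverted attacker does not see one static data set."""
    digest = hashlib.sha256(salt + src_ip.encode() + path.encode()).hexdigest()
    return {"path": path,
            "record_id": int(digest[:8], 16) % 100000,
            "checksum": digest[8:16]}


def handle(src_ip: str, user: Optional[str], path: str) -> dict:
    """Route one request; the monitoring log line is what the IDS would record."""
    decision = classify_request(src_ip, user, path)
    print(f"[monitor] {src_ip} user={user} path={path} -> {decision.action} ({decision.reason})")
    if decision.action == "divert":
        return decoy_record(path, src_ip)
    return {"path": path, "record_id": 1, "checksum": "real"}
```

Serving the same decoy to the same source keeps the trap consistent across repeated requests, while two different sources receive different records.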