A Computational Intelligence for Performance Evaluation of Honeypots
Internet security deals with the methods and tools used to protect information transactions in business, government and academic organizations. A honeypot is an information-gathering and learning tool: it is deployed to collect information about intruders, their attack patterns, their reasons for attacking and the tools they use. This information helps defenders learn about the motives, procedures and technical abilities of intruders. This paper focuses on the detection of virtual environments and low-interaction honeypots using a feature set built from traditional system-level and network-level fingerprinting mechanisms. Earlier work in the area has been based mostly on system-level detection. The results aim to bring out the limitations of current honeypot technology.
For system-level detection our experiments use the magic number technique, the virtual register set technique and the interrupt descriptor table (IDT) technique. In the magic number technique our program takes the magic number, the port number and the command to execute as inputs, and outputs whether it is running on VMware, on Virtual PC (VPC) or on a host machine. In the IDT technique our program executes SIDT, traces the fingerprints left by the virtual machine and determines whether it is VMware or VPC. To detect Sebek we look for its fingerprints in memory and hijack the system call that Sebek uses. This paper also reports results on the robustness and generalization capabilities of kernel methods in detecting honeypots from system and network fingerprinting data. We use traditional support vector machines (SVMs) and evaluate the impact of kernel type and parameter values on the accuracy of an SVM performing honeypot classification. In our experiments the SVM performs best for data sent on the same network.
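The two system-level probes named above, the magic-number check on the VMware backdoor I/O port and the SIDT-based IDT check, written as an added user-space C example for x86/x86-64 Linux. This is illustration written for this page, not the paper's program. The constants are VMware's documented backdoor values (EAX 0x564D5868 "VMXh", DX 0x5658, command 0x0A for "get version") and the 32-bit "red pill" thresholds (0xFFxxxxxx for VMware, 0xE8xxxxxx for Virtual PC, anything above 0xD0000000 suspicious); the enum names, the fault-guard helper and the sample addresses in the comments are this example's own. A bare-metal IN from ring 3 raises #GP, which Linux delivers as SIGSEGV, so each probe runs under a signal guard instead of letting the process die.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* VMware backdoor constants (the "magic number" technique). */
#define VMWARE_MAGIC          0x564D5868u   /* "VMXh" in EAX */
#define VMWARE_PORT           0x5658u       /* "VX"   in DX  */
#define VMWARE_CMD_GETVERSION 0x0Au         /* command in ECX */

enum vm_verdict {
    VM_HOST = 0,              /* no hypervisor fingerprint seen */
    VM_VMWARE = 1,
    VM_VPC = 2,
    VM_OTHER_HYPERVISOR = 3,  /* relocated IDT matching neither known product */
    VM_UNDETERMINED = 4       /* no reading, or the 32-bit heuristic does not apply */
};

/* ---- fault guard (example's own helper): trap SIGSEGV/SIGILL around a probe ---- */
static sigjmp_buf probe_env;
static void probe_fault(int sig) { (void)sig; siglongjmp(probe_env, 1); }

/* Runs fn() with SIGSEGV and SIGILL trapped. Returns 1 if fn() faulted, else 0. */
static int run_guarded(void (*fn)(void))
{
    struct sigaction sa, old_segv, old_ill;
    volatile int faulted = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGILL, &sa, &old_ill);
    if (sigsetjmp(probe_env, 1) == 0)   /* savemask=1: SIGSEGV is unblocked again after the jump */
        fn();
    else
        faulted = 1;
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    return faulted;
}

/* ---- technique 1: magic number on the VMware backdoor port ---- */
static volatile uint32_t backdoor_ebx;

static void vmware_backdoor_probe(void)
{
#if defined(__x86_64__) || defined(__i386__)
    uint32_t eax = VMWARE_MAGIC, ebx = 0, ecx = VMWARE_CMD_GETVERSION, edx = VMWARE_PORT;
    /* On VMware the hypervisor services the IN and echoes the magic into EBX;
       on bare metal (or another hypervisor) ring-3 IN raises #GP -> SIGSEGV. */
    __asm__ volatile("inl %%dx, %%eax" : "+a"(eax), "+b"(ebx), "+c"(ecx), "+d"(edx));
    backdoor_ebx = ebx;
#endif
}

/* 1 = VMware answered, 0 = port faulted or no magic echoed, -1 = not an x86 CPU. */
int vmware_backdoor_present(void)
{
#if defined(__x86_64__) || defined(__i386__)
    backdoor_ebx = 0;
    if (run_guarded(vmware_backdoor_probe))
        return 0;
    return backdoor_ebx == VMWARE_MAGIC ? 1 : 0;
#else
    return -1;
#endif
}

/* ---- technique 2: IDT base via SIDT ("red pill") ---- */
struct idtr { uint16_t limit; uint64_t base; } __attribute__((packed));
static volatile uint64_t idt_base_seen;

static void sidt_probe(void)
{
#if defined(__x86_64__) || defined(__i386__)
    struct idtr r;
    memset(&r, 0, sizeof r);            /* SIDT writes 6 bytes on i386, 10 on x86-64 */
    __asm__ volatile("sidt %0" : "=m"(r));
    idt_base_seen = r.base;
#endif
}

/* Returns the IDTR base, or 0 if SIDT faulted (e.g. UMIP) or the CPU is not x86. */
uint64_t read_idt_base(void)
{
    idt_base_seen = 0;
    if (run_guarded(sidt_probe))
        return 0;
    return idt_base_seen;
}

/* Red pill heuristic: a native 32-bit kernel keeps its IDT below 0xD0000000
   (e.g. Windows 0x8003F400, Linux 0xC0xxxxxx); VMware relocated it to 0xFFxxxxxx,
   Virtual PC to 0xE8xxxxxx. Valid only for 32-bit, single-core guests. */
enum vm_verdict classify_idt_base(uint64_t base)
{
    if (base == 0 || (base >> 32) != 0)
        return VM_UNDETERMINED;         /* no reading, or a 64-bit kernel address */
    switch ((uint32_t)base >> 24) {
    case 0xFF: return VM_VMWARE;
    case 0xE8: return VM_VPC;
    default:   return (uint32_t)base > 0xD0000000u ? VM_OTHER_HYPERVISOR : VM_HOST;
    }
}

int main(void)
{
    int bd = vmware_backdoor_present();
    uint64_t base = read_idt_base();
    printf("VMware backdoor answered: %s\n", bd < 0 ? "n/a (not x86)" : bd ? "yes" : "no");
    printf("IDTR base via SIDT: 0x%llx -> verdict %d\n",
           (unsigned long long)base, (int)classify_idt_base(base));
    return 0;
}
```

Build with `gcc -O0 -o vmprobe vmprobe.c` (optimisation is disabled so the fault-guard control flow stays as written). Two caveats a practitioner should keep in mind: the backdoor check only identifies VMware, since KVM, Hyper-V and bare metal all fault on the port; and the IDT thresholds come from 32-bit single-core systems, so on a 64-bit kernel, or on a kernel with UMIP enabled (where SIDT either faults or returns a fixed dummy base), `classify_idt_base` deliberately returns VM_UNDETERMINED rather than guessing.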
Keywords
Honeypot, Network, Operating System, Sebek, SVM.