Artificial Intelligent Systems and Machine Learning

Open Access Open Access  Restricted Access Subscription Access
Open Access Open Access Open Access  Restricted Access Restricted Access Subscription Access

A Computational Intelligence for Performance Evaluation of Honeypots


Affiliations
1 Sathyabama University, Chennai, India
2 R.M.K Engineering College, Chennai, India
     

   Subscribe/Renew Journal


Internet security deals with the methods and tools used for protecting the information transactions in various business, government and academic organizations. Honeypot is an information gathering and learning tools. It is used to collect the information about the intruders, their attack patterns, reason for attack and tools used by thing. This information, which is collected about the intruders help a lot to learn about their motives, proceedings and the technical abilities of the intruders. This paper focuses on the detection of virtual environments and low interaction honeypots by using a feature set that is built using traditional system and network level finger printing mechanisms. Earlier work in the area has been mostly based on the system level detection. The results aim at bringing out the limitations in the current honeypot technology.
In our experiments for system level detection we use magic number techniques, virtual register sets technique and interrupt description table technique. In magic number technique our program takes the magic number, port number and command to execute as inputs and output whether it is VM ware or VPC or is it a host machine. In IDT technique our program uses SIDT we trace the finger prints of virtual machine and determine its VMware or VPC. In detection of sebek we look for the finger prints present in the memory and hijack the system call that is used by sebek. This paper also describes the results concerning the robustness and generalization capabilities of kernel methods in detecting honeypots using system and network finger printing data. We use traditional support vector machines. We also evaluate the impact of kernel type and parameter values on the accuracy of a support vector machine performing honeypot classification. In our experiments it is found that SVM performs the best for data sent on the same network.

Keywords

Honeypot, Network, Operating System, Sebek, SVM.
User
Subscription Login to verify subscription
Notifications
Font Size

Abstract Views: 413

PDF Views: 3




  • A Computational Intelligence for Performance Evaluation of Honeypots

Abstract Views: 413  |  PDF Views: 3

Authors

J. Visumathi
Sathyabama University, Chennai, India
K. L. Shunmuganathan
R.M.K Engineering College, Chennai, India

Abstract


Internet security deals with the methods and tools used for protecting the information transactions in various business, government and academic organizations. Honeypot is an information gathering and learning tools. It is used to collect the information about the intruders, their attack patterns, reason for attack and tools used by thing. This information, which is collected about the intruders help a lot to learn about their motives, proceedings and the technical abilities of the intruders. This paper focuses on the detection of virtual environments and low interaction honeypots by using a feature set that is built using traditional system and network level finger printing mechanisms. Earlier work in the area has been mostly based on the system level detection. The results aim at bringing out the limitations in the current honeypot technology.
In our experiments for system level detection we use magic number techniques, virtual register sets technique and interrupt description table technique. In magic number technique our program takes the magic number, port number and command to execute as inputs and output whether it is VM ware or VPC or is it a host machine. In IDT technique our program uses SIDT we trace the finger prints of virtual machine and determine its VMware or VPC. In detection of sebek we look for the finger prints present in the memory and hijack the system call that is used by sebek. This paper also describes the results concerning the robustness and generalization capabilities of kernel methods in detecting honeypots using system and network finger printing data. We use traditional support vector machines. We also evaluate the impact of kernel type and parameter values on the accuracy of a support vector machine performing honeypot classification. In our experiments it is found that SVM performs the best for data sent on the same network.

Keywords


Honeypot, Network, Operating System, Sebek, SVM.