Computer networks have developed rapidly, and much of the resulting network technology is immature and therefore susceptible to cybercrime. Current security technologies aim at passive system protection and at intrusion prevention once an intruder has infiltrated the network. According to Dongxia & Yongbo (2012), traditional network security technologies are proving futile against the increasingly complex attacks directed at networks. Among the honeypot technologies available, virtual honeypot technology stands out as the best active prevention technology. Li, Zou & Huang (2014) observe that by combining the original operating system with virtualization technology, a honeypot lures attackers pre-emptively and then analyzes and examines the different attack mechanisms. It traces the source of the attacks, gathers evidence, and then arrives at the most effective countermeasure. The system detects the attacking behaviour and redirects the attacks into a tightly controlled environment in order to protect the production system that is running [1].
Honeypot is a network security technology that has experienced significant growth. It is based on an active defensive strategy: it monitors intruders' activities and helps defenders evaluate the intruders' tools, the skills used, and the purpose behind the attack. According to Li, Zou & Huang (2014), honeypot technology aims to lure hackers to a decoy system, which delays the attack and gives security professionals a window of opportunity to detect and prevent the threat to the network. Honeypot technology therefore enables system administrators to locate an attack, understand its launch address, and verify which security strategy is most effective against it. It should be noted that existing networks are never completely safe, because intrusion detection systems, encryption, firewalls and other techniques all have weak points. Network security can be enhanced when these defences are combined with a honeypot system to form a robust defence against attacks by hackers [1].
According to the detection strategy used, intrusion detection systems (IDSs) can be divided into two categories: misuse detection systems (MDSs) and anomaly detection systems (ADSs). MDSs can only detect attacks whose characteristics are already known; the characteristic behaviour of an unknown attack cannot be detected. ADSs compare past behaviour with current activity, a strategy that can be applied effectively to detect new and unknown attacks. As networks expand, the complexity of the network environment increases, and the traditional intrusion detection system shows several limitations. First, there are false positives and omissions (missed attacks). Second, misuse detection depends on the characteristics of known network attacks, and since new attacks keep emerging, omissions are inevitable. An IDS uses a pattern matching algorithm to compare traffic against its signatures and decide whether an intrusion is present; when the content matches a signature, a warning is raised even if the data is not actually an attack, so false positives occur. Updating the signature database is also difficult: most traditional IDSs rely on pattern matching analysis and require an up-to-date database of attack signatures (eigenvalues), but existing IDSs do not always provide a good strategy for updating them, while attack methods become ever more complex. A method based on statistics alone or on pattern matching alone finds it difficult to detect many attacks.
Another limitation of the traditional intrusion detection system is that existing IDSs do not share information with one another, which makes it difficult to detect an attack, its source and the intruder, because of the gaps the intruder exploits. Existing IDSs and other network security products therefore cannot work together. Other challenges faced by traditional intrusion detection systems include false alarms, the intruders' increasing use of mobile code such as ActiveX and Java, and information encryption.
Existing Types of Honeypot
If honeypots are classified by the level of interaction they allow an attacker, that is, by how much interaction they permit between intruders and the operating system, then honeypots can be divided into three types: high-interaction, middle-interaction and low-interaction honeypot systems.
Low-Interaction Honeypot System
A low-interaction honeypot provides only specific emulated (analogue) services. In their usual form, these services are implemented by monitoring a particular port. Intruders are not given a real operating system, so they cannot gain access through remote login, and the risk is therefore low. The trade-off is that this honeypot is highly passive: the connection is effectively unidirectional, so only limited data can be collected. Because information flows only from outside into the system and no response messages are sent, this type of honeypot cannot follow the communication process of complex protocols. It is easy to deploy and, as a result, carries minimal risk, emulates the operating system and services, and captures only a small quantity of information.
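As an added example (not from the paper or the sources it cites), the following Python sketch is a low-interaction honeypot of the kind described above: it watches a single port, reads whatever the client sends first, never answers, and writes one JSON log line per probe. The decoy port 2222, the 3-second read timeout and the record layout are assumptions.

```python
import json
import socket
import time

LISTEN_PORT = 2222   # assumed decoy port; any port not used by a real service works


def guess_protocol(data: bytes) -> str:
    # Many clients speak first (HTTP, SSH, TLS); that is all a silent listener sees.
    if data[:2] == b"\x16\x03":          # TLS handshake record, major version 3
        return "tls-clienthello"
    if data.startswith(b"SSH-"):         # SSH identification string
        return "ssh"
    if data.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"OPTIONS", b"PUT"):
        return "http"
    return "unknown" if data else "silent"   # peer waited for a banner we never send


def make_record(peer_ip: str, peer_port: int, data: bytes, ts: float) -> dict:
    # One structured record per probe: who, when, how much, what it looked like.
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts)),
        "src_ip": peer_ip,
        "src_port": peer_port,
        "bytes": len(data),
        "protocol": guess_protocol(data),
        "preview": data[:64].decode("ascii", "backslashreplace"),
    }


def handle(conn: socket.socket, peer: tuple) -> dict:
    # Read the opening bytes (3 s at most), close without answering, log the record.
    conn.settimeout(3.0)
    with conn:                            # the socket is closed without sending a byte
        try:
            data = conn.recv(512)
        except (socket.timeout, OSError):
            data = b""
    record = make_record(peer[0], peer[1], data, time.time())
    print(json.dumps(record), flush=True)
    return record


def serve(port: int = LISTEN_PORT) -> None:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen()
        while True:          # one probe at a time is plenty for a low-interaction decoy
            handle(*srv.accept())


if __name__ == "__main__":
    serve()
```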
Middle-Interaction Honeypot System
Although intruders in a middle-interaction honeypot system are still not given a real operating system, they are presented with a more complex decoy process. This type of honeypot imitates a particular service, so intruders attack the decoy believing that they are attacking the real system. This mechanism lets the system collect a larger quantity of information, but the risk of intrusion is also higher. The system must therefore ensure that no new security holes are introduced while it imitates the target's holes and services. With this higher level of interaction, honeypot technology can handle complicated attacks while capturing and analyzing them. If a honeypot is deployed in an environment with a high level of interaction, every emulated service must be kept at the maximum level of safety.
High-Interaction Honeypot System
Many high-interaction honeypot systems are deployed in a controlled environment, such as behind a firewall. In such an environment the firewall permits an attacker to attack the honeypot but does not allow them to launch new attacks from it. This structure is sophisticated to implement and maintain, because hackers are monitored without their knowledge. Since maintaining a high-interaction honeypot consumes a great deal of time, the intrusion detection system's signature database and the firewall's capacity should be updated frequently to sustain continuous monitoring. Any error, however small it may seem, can give a hacker full control of the operating system, the ability to intercept messages in the application system, and a platform from which to attack other systems. If a high-interaction honeypot system is maintained frequently and properly, it lets security experts acquire information about hackers that no other type of honeypot can provide. It is expensive to implement, since a system administrator must monitor it frequently. An uncontrolled honeypot poses a high network security risk and is worthless to any institution. The characteristics of a high-interaction honeypot system are that it records rich information, is sophisticated to deploy, carries high security risks, and provides real services and a real operating system rather than emulated ones.
Mixed-Interaction Honeypot System
A mixed-interaction honeypot system monitors different types of data. The honeypot principle is applied to data collection in order to determine whether the data is normal and to prevent attacks from occurring. The system keeps a daily record of the virtual system and the application. It also captures the external and internal gateways of a virtual gateway and a virtual control server running on Debian. This information provides detailed attack and tracking capability: the information from the external gateway gives access to the packets transmitted by the traffic invading the virtual gateway, while the linked attack information can be obtained from the virtual gateway's backup data, which lets security experts determine the type of attack.
An Apache web server is used to test the honeypot, while Mozilla Firefox is used to generate log records. The server and its deployment are run from the web server, the Apache web server. Data analysis is conducted when Debian detects any traffic abnormality directed at the honeypot Apache web server. If traffic is suspicious but legitimate in practice, the information is sent to the honeypot to be handled. If an attack or a modification occurs during operation, the traffic is cut off and the data is returned to its source. The virtual gateway's outer interface is linked to the external network, and it also has an internal interface that serves the domain name system (DNS) server in the decoy server and the web server. The DNS server is a resolution server that resolves the entire domain name and forwards requests to the external gateway to be handled [2].
Honeypot systems can also be classified by their level of involvement and deployment. Production honeypot systems are usually easy to use, record only limited data, and are mainly used by companies or corporations. A company positions them within its production network alongside the other production servers in order to improve its overall security posture. Production honeypots are generally low-interaction honeypots, which are usually easy to deploy. They yield less data about attacks and attackers than research honeypot systems. The main purpose of a production honeypot is to reduce the company's risk. Research honeypot systems are deployed by non-profit research corporations, educational institutions or volunteers to gather information about the motives and strategies of attackers targeting different networks. They are used to systematically study and investigate the threats organizations face and to work out how to improve protection against those threats; the gathered data can also be used to protect against them. Research honeypots are difficult to deploy and maintain, record far-reaching information, and are usually used by government institutions, the military and researchers.
Spam versions – Spammers abuse unsafe resources such as open mail relays and open proxies. System administrators (SAs) create honeypot software that imitates these abusable resources in order to identify spammers and their activities. Such honeypots give SAs various capabilities, although the real abusable systems they imitate would be risky or complex to deploy. A honeypot can be a powerful countermeasure against those who depend on large-scale abuse, such as spammers. These honeypots can detect the obvious abuse of IP addresses, which helps users determine spammers' response techniques and the uniform resource locators (URLs) they advertise. For open-relay honeypots, it is crucial to find out the e-mail addresses (dropboxes) that spammers use as the destinations for their test messages. Dropboxes are the tools spammers use to determine whether a relay is open. Once such a relay has been discovered, the spammer is easily misled: the honeypot relays the test e-mail to the dropbox e-mail address, which tricks the spammer into believing that it is a genuinely abusable open relay, and the spammer then frequently responds by sending a huge quantity of spam through that honeypot, which stops it. The abused system is not necessarily the source, however: spammers and abusers route through a chain of abused systems, so the real starting point of the abuse traffic has to be traced through that chain.
In an e-mail trap (spamtrap), an e-mail address is used solely to receive spam, so anything arriving there can be identified as spam; this is a honeypot for spam. Comparing the two terms, "honeypot" may be used to describe the systems and strategies used to detect or prevent probes, whereas a spamtrap simply receives spam that arrives in the same way a non-spam e-mail would. Project Honeypot combines these methods: this distributed, open-source project deploys honeypot pages on websites in different regions across the world, and the honeypot pages hand out specifically tagged spamtrap e-mail addresses. E-mail address harvesters and spammers can therefore be traced, because the honeypot system records which addresses were collected and who later sends to those spamtrap addresses. Database honeypots are frequently attacked through structured query language (SQL) injection. Since some of these activities are not yet detected by the necessary network firewalls, several existing SQL database firewalls provide a honeypot mode that lets intruders or attackers execute their statements against a trap database while the web application keeps running as usual.
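As an added example (not part of the paper or of any project it cites), the following Python decision logic sketches the open-relay honeypot behaviour described in the two paragraphs above: it tells every client the relay is open, passes through only the first single-recipient test message so that the spammer's dropbox confirms it, records that dropbox address as an indicator, and swallows the bulk run that follows. The local domain, the one-recipient heuristic and the sample sessions are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

LOCAL_DOMAINS = {"honeypot.example"}   # assumed: the only domain this relay really serves


@dataclass
class RelayState:
    seen_sources: set = field(default_factory=set)
    dropboxes: dict = field(default_factory=lambda: defaultdict(set))  # src_ip -> addresses
    swallowed: int = 0                 # relayed messages accepted on the wire, never delivered
    log: list = field(default_factory=list)


def is_relay_attempt(recipients: list) -> bool:
    # A relay attempt names at least one recipient outside the domains we serve.
    return any(r.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS for r in recipients)


def handle_message(state: RelayState, src_ip: str, sender: str, recipients: list) -> tuple:
    """Decide what to do with one submitted message; return (SMTP reply, action)."""
    if not is_relay_attempt(recipients):
        return "250 OK", "deliver-local"
    first_contact = src_ip not in state.seen_sources
    state.seen_sources.add(src_ip)
    if first_contact and len(recipients) == 1:
        # The relay test: pass it through so the dropbox reports "open"; keep the address.
        state.dropboxes[src_ip].update(recipients)
        state.log.append(("probe", src_ip, sender, recipients[0]))
        return "250 OK", "deliver-probe"
    # Everything after the test is the spam run: accept it and deliver nothing.
    state.swallowed += 1
    state.log.append(("swallowed", src_ip, sender, len(recipients)))
    return "250 OK", "swallow"


def run_sessions(sessions: list) -> tuple:
    # Replay constructed sessions through the state machine for inspection.
    state = RelayState()
    actions = [handle_message(state, *s)[1] for s in sessions]
    return state, actions


# Constructed sample traffic (documentation addresses, not real ones): a single-recipient
# probe from one source, its bulk run, and a legitimate delivery to our own domain.
SAMPLE_SESSIONS = [
    ("198.51.100.9", "test@spammer.example", ["probe-77@dropbox.example"]),
    ("198.51.100.9", "offers@spammer.example", [f"u{i}@victim{i}.example" for i in range(50)]),
    ("198.51.100.9", "offers@spammer.example", [f"u{i}@victim{i}.example" for i in range(50, 80)]),
    ("203.0.113.4", "alice@partner.example", ["bob@honeypot.example"]),
]

if __name__ == "__main__":
    st, acts = run_sessions(SAMPLE_SESSIONS)
    print(acts, dict(st.dropboxes), st.swallowed)
```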
Honeypot in Cloud
Cloud computing is a model that provides convenient, on-demand network access to a shared pool of computing resources such as storage, applications, servers and services (Bhavesh). A cloud has three layers: Platform as a Service (PaaS), Infrastructure as a Service (IaaS) and Software as a Service (SaaS). Like an onion, the cloud has many layers, and among these SaaS sits at the top of the whole structure. Honeypots deal with IaaS, since that is the physical hardware layer (Negi). The cloud rests on physical hardware, since that is what is suitable for computing: servers, nodes and blades. Information is stored in data centres operated by network engineers or web hosting experts. Cloud computing faces various types of security threat; some of the widely known ones include denial of service, insecure interfaces and APIs, traffic hijacking, and malicious insiders.
Mobile devices face various external threats, and unknown attacks arise when people use their mobile phones in a cloud environment. In such a scenario, information authentication and privacy are understood by software developers and regular users, and if they are aware of the consequences for their privacy there will be fewer problems with hackers. Most people using smartphones and PDAs are not aware of the technologies and advanced features in their devices. Mobile security and protection can be obtained through different security measures, including installing apps such as anti-virus software.