INTRUSION DETECTION SYSTEM With HONYPOTPLUS
Akash Rajguru (A00226145)
BACHELOR OF ENGINEERING (HONS) IN SOFTWARE ENGINEERING
ATHLONE INSTITUTE OF TECHNOLOGY, SCHOOL OF ENGINEERING
2015
INTRUSION DETECTION SYSTEM With HONYPOTPLUS
By
Akash Rajguru (A00226145)
Thesis Submitted for the Award of BACHELOR OF ENGINEERING (HONS) IN SOFTWARE ENGINEERING
Supervisor: Dr. Paul Jacob
ACKNOWLEDGEMENT
The final project has been a very memorable and unique experience for me. It opened up a new avenue for gaining knowledge which will certainly stand me in good stead in the years to come.
I am very thankful to my project guide and supervisor Dr. Paul Jacob for giving me the opportunity to do this project during my course of Bachelor of Engineering (Honours) in Software Engineering, for his excellent guidance on the project work and for helping me in designing the project.
My sincere thanks to Dr. Paul Jacob (Project Supervisor) for his valuable support in making my project successful. I also want to sincerely thank Dr. Declan Byrne for teaching Software Design and Mr. Michael Russell for teaching Project Management and Software Testing.
Project Summary
This is a project on the study of network Intrusion Detection Systems, how prevention can be achieved and how the honeypot concept can be used to make a network more secure. It explains the research done while developing the application software. The major part of the research was about understanding how intrusion detection works and how it can be implemented in my application using Java as the development language. Another major part of the research is on honeypot architecture.
It also explains the problems that were encountered during the development of the application and how these were overcome. It describes the process of learning how to use third-party Java libraries to achieve the project goal.
This report focuses on the research done to understand the concepts of intrusion detection, intrusion prevention and honeypots. It also describes the libraries that were analyzed while developing the application. The application developed during this project is a desktop application, which is mainly useful for network administrators.
Akash Rajguru - B.Eng. (Hons) Software Engineering 5 | P a g e
CONTENTS
CHAPTER 1: INTRODUCTION AND PROJECT OUTLINE
  1.1 Project Title and Interpretation
  1.2 Network Intrusion Detection
  1.3 Honeypot
  1.4 Project Motivation
  1.5 Project Aims and Objectives
CHAPTER 2: SCOPE
CHAPTER 3: HARDWARE AND SOFTWARE
CHAPTER 4: RESEARCH
  4.1 What is intrusion detection?
  4.2 What is prevention?
  4.3 What is honeypot?
  4.4 How honeypot can be implemented in the application?
  4.5 How information is going to be stored?
  4.6 Technologies
  4.7 Application Domain
CHAPTER 5: REQUIREMENTS
CHAPTER 6: ARCHITECTURE
CHAPTER 7: APPLICATION DESIGN
  7.1 Development Language
  7.2 Integrated Development Environment
  7.3 Major Design Decisions while coding application
  7.4 Logging to plain text file on local machine
  7.5 Logging to plain text document on MongoDB database
CHAPTER 8: IMPLEMENTATION FEATURES
CHAPTER 9: TESTING AND EVALUATION
CHAPTER 10: CONCLUSION
CHAPTER 11: REFERENCES
APPENDIX
CHAPTER 1 INTRODUCTION AND PROJECT OUTLINE
In this section I describe the network intrusion detection system, the traditional approach to network security. I then introduce honeypots, which are an integral part of the complete system. This section also covers the advantages of the honeypot module in the system.
1.1 PROJECT TITLE AND INTERPRETATION
TITLE: "INTRUSION DETECTION SYSTEM with HONYPOTPLUS"
The goal of this project is to design and develop a fully implemented and tested Java-based intrusion detection system with an integrated honeypot, which can monitor network traffic from the host machine by capturing packets from the live network. I have made the assumption that this tool will be able to capture the network packets, allow the administrator to analyze the captured packets and also provide some features to control network traffic. In order to control traffic from the host machine a module called Firewall has been added, which allows the administrator to create specific rules and to delete rules that were created earlier. The tool is also able to dump (store) the captured information in a particular file format on the local machine as well as on a MongoDB server. The project also employs a honeypot, which allows the administrator to capture information about hackers.
1.2 NETWORK INTRUSION DETECTION
The goal of the intrusion detection system is to identify unauthorized network access: it identifies and scans the incoming and outgoing network packets on the host machine, preferably in real time. Its main function is to analyze the incoming and outgoing packets on the network interface. The detection part of the system detects communication of unauthorized packets with the system. The prevention part of the system provides a set of options to block network traffic; it is a type of firewall for the system, allowing the application user to control the network traffic through the selected network interface.
1.3 HONEYPOT
The exact definition of a honeypot is as follows:
A honeypot is "an information system resource whose value lies in unauthorized or illicit use of that resource" (from the www.securityfocus.com forum).
A more practical, but more limiting, definition is given by pcmag.com:
"A server that is configured to detect an intruder by mirroring a real production system. It appears as an ordinary server doing work, but all the data and transactions are phony. Located either in or outside the firewall, the honeypot is used to learn about an intruder's techniques as well as determine vulnerabilities in the real system" [N1].
In practice, honeypots are computers which masquerade as unprotected. The honeypot records all actions and interactions with users. Since honeypots don't provide any legitimate services, all activity is unauthorized (and possibly malicious) [N2].
1.4 PROJECT MOTIVATION
As we know, the internet is growing day by day, and enterprises and institutes from small to large are creating their own private networks (LANs) for better performance between computer systems as well as for data protection. So it is safer to have in-house software which monitors the internal as well as the external network traffic to find and avoid intrusions into the network.
1.5 PROJECT AIMS AND OBJECTIVES
The final project product is aimed at implementing the following:
1. To be able to list the network interfaces on the host computer.
2. To be able to capture the packets on the selected network interface.
3. To allow TCP port scanning.
4. To be able to block a port on the machine.
5. To be able to unblock a port on the machine.
6. To be able to save the captured information in txt file format.
7. To be able to save the captured information on a remote MongoDB server.
8. To be able to run a honeypot server on a specific server.
9. To be able to display the number of hackers connected to the honeypot server.
[Note: Requirements for the final application are listed in Chapter 5 Requirements]
Objectives
1. Investigate the various third-party Java libraries.
2. Investigate how a third-party library works for packet sniffing.
3. I want to build an initial application which does packet sniffing from the live network.
4. I want to see the content of the packets.
5. Investigate the difference between the Jpcap and JNetPcap libraries.
6. Create a plan of how this application will be developed.
7. Decide on how to store captured information on the local machine as well as on a remote database.
8. Integrate all modules to make the complete system.
9. Test the application.
10. Create documentation and a final report.
CHAPTER 2 SCOPE
What application am I developing?
After some research I have decided to create a Java-based desktop application which helps a network administrator to carry out network security related tasks: it allows the administrator to monitor the network traffic, to see the network packets flowing from the network interface, to see the contents of the packets, and to define specific rules to prevent communication on certain ports of the host machine.
The functionality on which I am going to focus is getting the number of interfaces on the host machine, capturing packets from the selected interface, displaying the contents of packets, allowing port scanning on the host machine in order to find which ports are open and used by specific applications, allowing the administrator to block certain ports on the host machine in order to control network traffic, and also allowing the storage of captured information locally and remotely.
This application also contains two honeypot servers which allow the administrator to run a fake system virtually on the machine. This server pretends to be an actual system to hackers, allowing the administrator to capture information about the hackers. These honeypot servers are internal parts of the application.
As I can see from a developer's point of view there is scope to develop this application into quite a large application. I have decided that I will develop the application as a number of modules, where each module is created separately and tested separately, and later the modules are integrated to make the complete application.
The modules are created as prototypes; for every piece of functionality a prototype has been created. Every prototype is tested separately to check whether it performs the function corresponding to the requirements. Tested modules are integrated with each other and tested again.
The current scope of the application is that it is a host-based system, which means the application only works with the resources of the host machine. There are two types of Intrusion Detection System that can be developed: one is host based and the other is network based. My application is a host-based application, which means it can only perform functions on the host machine.
CHAPTER 3 HARDWARE AND SOFTWARE
Hardware
The hardware that is required:
"Minimum: 1.6 GHz CPU, 384 MB RAM, 1024x768 display, 5400 RPM hard drive
Recommended: 2.2 GHz or higher CPU, 1024 MB or more RAM, 1280x1024 display, 7200 RPM or higher hard drive"
Running on Windows 8: 2.20 GHz CPU, 768 MB RAM
1 GB of available disk space for the minimum installation
Recommended 2 GB memory for the IDE and if running the server locally
Software
The development of this application requires specialized software. The software that I need to use is:
a. Windows 8 operating system
b. Eclipse IDE 4.4 (Luna)
c. A Java 7 JRE/JDK
d. WinPcap
CHAPTER 4 RESEARCH
Before starting development of the application it was very important to do research to find the answers to the following questions, which come into the developer's mind after going through the requirements. The questions were:
4.1 WHAT IS INTRUSION DETECTION?
The meaning of intrusion in computer science is "An incident of unauthorized access to data or an automated information system." Detection is knowing that unauthorized access is happening to the system or network.
Intrusion Detection can be defined as "the act of detecting an unauthorized access or actions that attempt to compromise the confidentiality, integrity or availability of a resource." More specifically, the goal of intrusion detection is to identify entities attempting to subvert in-place security controls.
Intrusion detection is a type of security management tool for computers and networks. An intrusion detection tool gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization). Intrusion detection uses vulnerability assessment (sometimes referred to as scanning), which is a technology developed to assess the security of a computer system or network.
There are certain functions which must be performed by an Intrusion Detection tool. These functions include:
- Monitoring and analyzing both user and system activities
- Analyzing information in communication
- Assessing system and file integrity
- Ability to recognize patterns typical of attacks
- Analysis of abnormal activity patterns
- Tracking user policy violations
There are two common types of Intrusion Detection that can be developed. [NR3]
1) Network Based (Network IDS)
2) Host Based (Host IDS)
Network Based Intrusion Detection (Network IDS)
A network based intrusion detection system attempts to identify unauthorized access and anomalous behavior based exclusively on network traffic. A network intrusion detection system uses either a network tap, a SPAN port or a hub to collect the packets that travel through a given network. Using the captured data, the intrusion detection system processes and flags any suspicious traffic. Unlike an intrusion prevention system, an intrusion detection system does not actively block network traffic. The role of a network intrusion detection system is passive, only gathering, identifying, logging and alerting.
Host Based Intrusion Detection (Host IDS)
A host based intrusion detection system, often referred to as a Host IDS, attempts to identify unauthorized access, illegal and anomalous behavior on a specific device. A host based intrusion detection system generally involves agent software installed on each system, monitoring and alerting on local OS and application activity. The installed agent software uses a combination of signatures, rules and heuristics to identify unauthorized activity. The role of a host IDS is passive, only gathering, identifying, logging and alerting. [NR4]
After analyzing the given requirements it was understood that my application is going to be a Network Based Intrusion Detection system.
Now the question arises of how I am going to code an Intrusion Detection system in Java. After research I found that I need to use a third-party Java library in order to achieve the desired functions of an Intrusion Detection system. The details about the library can be found below in the Technologies section.
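The "recognize patterns typical of attacks" and "analysis of abnormal activity patterns" functions listed above can be shown with one small rule over captured packet summaries. The following is an added example written for this report, not code from the project: it flags a source address that opens connections to an unusually large number of distinct local ports within a short window, the kind of abnormal pattern a host IDS logs and alerts on. The Syn class, the thresholds (10 second window, 8 ports) and the sample traffic are all constructed for the example; in the application the summaries would come from the packet capture module.

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added example (not the project's code): a minimal "abnormal activity
// pattern" rule of the kind Section 4.1 lists as an IDS function.  It works
// on plain packet summaries so it runs without a capture library.
public class ScanDetector {

    // One inbound TCP SYN as the capture module would summarise it (constructed type).
    static final class Syn {
        final String srcIp;
        final int dstPort;
        final long second;   // capture timestamp in whole seconds
        Syn(String srcIp, int dstPort, long second) {
            this.srcIp = srcIp; this.dstPort = dstPort; this.second = second;
        }
    }

    private final int windowSeconds;
    private final int maxDistinctPorts;
    // Per source address: the SYNs still inside the time window, oldest first.
    private final Map<String, Deque<Syn>> recent = new HashMap<>();
    // Sources already reported, so each one produces a single alert.
    private final Set<String> alerted = new HashSet<>();

    ScanDetector(int windowSeconds, int maxDistinctPorts) {
        this.windowSeconds = windowSeconds;
        this.maxDistinctPorts = maxDistinctPorts;
    }

    // Feeds one SYN; returns an alert line, or null if nothing is abnormal.
    String observe(Syn s) {
        Deque<Syn> q = recent.get(s.srcIp);
        if (q == null) { q = new ArrayDeque<>(); recent.put(s.srcIp, q); }
        q.addLast(s);
        // Drop entries that fell out of the sliding window.
        while (!q.isEmpty() && s.second - q.peekFirst().second > windowSeconds) {
            q.pollFirst();
        }
        Set<Integer> ports = new HashSet<>();
        for (Syn x : q) ports.add(x.dstPort);
        if (ports.size() > maxDistinctPorts && alerted.add(s.srcIp)) {
            return "ALERT " + s.srcIp + " touched " + ports.size()
                 + " distinct ports within " + windowSeconds + "s";
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample traffic: one normal client, one source sweeping ports.
        List<Syn> sample = new ArrayList<>();
        sample.add(new Syn("192.168.1.20", 80, 0));
        sample.add(new Syn("192.168.1.20", 80, 3));
        sample.add(new Syn("192.168.1.20", 443, 5));
        for (int port = 20; port < 32; port++) {
            sample.add(new Syn("10.0.0.9", port, 4 + port / 4));   // 12 ports in about 3 s
        }
        sample.add(new Syn("192.168.1.20", 80, 40));

        ScanDetector det = new ScanDetector(10, 8);
        for (Syn s : sample) {
            String alert = det.observe(s);
            if (alert != null) System.out.println(alert);
        }
    }
}
```

The normal client never exceeds two distinct ports, so it stays silent; the second source is reported once, on the ninth distinct port, and the log line carries the source address and the count an administrator needs to follow up.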
4.2 WHAT IS PREVENTION?
Prevention is the extended module of the Intrusion Detection System, with the added ability to block (prevent) the activity. This can be done with network, host and physical intrusion detection systems. It basically allows the user to create certain rules for the network communication into and out of the network device. The best example of prevention is the firewall, which allows users to apply certain configurations to the machine that control the applications' communication with external systems on the internet.
Now the question arises of how I can write the functionality which allows my Java-based application to talk with the operating system, since a Java application runs on the virtual machine created for it and is not allowed to talk directly to the operating system. The solution found for this scenario is to use the Runtime class from the java.lang.Object package. (Every Java application has a single instance of class Runtime that allows the application to interface with the operating system environment in which the Java application is running. The current runtime can be obtained from the getRuntime method.) The Runtime class contains the exec() method, which executes the specified string command in a separate process. This is a convenience method. [NR5] [NR6] [NR7]
// pro is the protocol ("TCP" or "UDP") and num is the port number chosen in the GUI
Process p = Runtime.getRuntime().exec(
    "netsh advfirewall firewall add rule name=Block" + pro + num +
    " protocol=" + pro + " dir=in localport=" + num + " action=block");
The above Java code allows the Java application to run the netsh command, which defines firewall rules for the Windows operating system.
The same Java code is used to delete or remove rules set by the application; the only difference is the string command passed to the exec() method.
Process p = Runtime.getRuntime().exec(
    "netsh advfirewall firewall delete rule name=Block" + pro + num);
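The two exec() calls above build the netsh command by concatenating pro and num straight from the GUI. Runtime.exec(String) splits its argument on whitespace before starting the process, so a port field containing spaces or extra text would turn into additional netsh arguments. Added example, not the project's own code: the same add and delete rules, with the protocol and port validated first and each argument passed as a separate element through ProcessBuilder. The FirewallRule class, its method names and the BlockTCP23 rule naming (kept from the snippet above) are assumptions for the example.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Added example (not the project's code): builds the netsh commands from
// Section 4.2 without concatenating unchecked GUI input into one string.
public class FirewallRule {

    // Only these protocols are accepted for a port rule.
    private static final List<String> PROTOCOLS = Arrays.asList("TCP", "UDP");

    // Normalises and checks the protocol before it reaches the command line.
    static String checkProtocol(String pro) {
        String p = pro.trim().toUpperCase(Locale.ROOT);
        if (!PROTOCOLS.contains(p)) {
            throw new IllegalArgumentException("protocol must be TCP or UDP: " + pro);
        }
        return p;
    }

    // Accepts only a whole number in the valid port range.
    static int checkPort(String num) {
        int port;
        try {
            port = Integer.parseInt(num.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("port is not a number: " + num);
        }
        if (port < 1 || port > 65535) {
            throw new IllegalArgumentException("port out of range: " + port);
        }
        return port;
    }

    // Each argument is its own array element, so a value such as
    // "23 action=allow" can never be split into extra netsh arguments.
    static List<String> addRuleCommand(String pro, String num) {
        String p = checkProtocol(pro);
        int port = checkPort(num);
        return Arrays.asList("netsh", "advfirewall", "firewall", "add", "rule",
                "name=Block" + p + port, "protocol=" + p, "dir=in",
                "localport=" + port, "action=block");
    }

    static List<String> deleteRuleCommand(String pro, String num) {
        String p = checkProtocol(pro);
        int port = checkPort(num);
        return Arrays.asList("netsh", "advfirewall", "firewall", "delete", "rule",
                "name=Block" + p + port);
    }

    // Runs the command and returns netsh's exit code; its output is collected
    // so the GUI can show why a rule failed (for example, no administrator rights).
    static int run(List<String> command) throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(command).redirectErrorStream(true);
        Process p = pb.start();
        BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
        String line;
        while ((line = r.readLine()) != null) {
            System.out.println("netsh: " + line);
        }
        return p.waitFor();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(addRuleCommand("tcp", "23"));
        System.out.println(deleteRuleCommand("TCP", "23"));
        try {
            addRuleCommand("tcp", "23 action=allow");   // rejected: not a port number
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // netsh exists only on Windows; elsewhere the commands are just printed.
        if (System.getProperty("os.name").toLowerCase(Locale.ROOT).contains("windows")) {
            System.out.println("exit code " + run(addRuleCommand("tcp", "23")));
        }
    }
}
```

The validation errors are thrown as IllegalArgumentException so the GUI can report them next to the input field instead of handing a malformed rule to netsh; the exit code from run() distinguishes a rule that netsh refused (for example when the application is not running as administrator) from one that was applied.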
4.3 WHAT IS HONEYPOT?
In network security, a honeypot is a trap which is set to detect, divert and counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of a computer, data or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.
In practice, honeypots are computers which pretend to be unprotected systems. The honeypot server or resource records all actions and interactions with hackers. Since honeypots don't provide any legitimate services, all activity is unauthorized (and possibly malicious).
The Java standard library provides a set of classes and methods to write a server which runs virtually on the host operating system and pretends to be an actual computer system. To make such a system I have used the java.net package, which provides the Socket and ServerSocket classes, which in turn provide the methods to write a server that pretends to be an FTP server to external as well as internal hackers.
[Figure taken from "http://www.cse.wustl.edu/~jain/cse571-09/ftp/honey/fig2.png"]
The above figure describes the basic implementation of a honeypot in any system. The intrusion detection system is the first point of contact for the hacker and for normal users. According to the user type and the set of rules defined by the administrator, the intrusion detection system decides where to send the network traffic. The anomalous traffic is sent to the honeypot server, which interacts with hackers as if it were an actual FTP server. The intrusion detection system controls the flow of traffic between the applications running on the host machine. This is done by blocking all the ports on the host system and keeping open only those ports on which the honeypot server is going to run. In my application the intrusion detection system only keeps open those ports on which the honeypot services are going to run, and all other ports are blocked or closed by the intrusion detection system. [NR8] [NR9] [NR10]
4.4 HOW HONEYPOT CAN BE IMPLEMENTED IN THE APPLICATION?
The honeypots are developed as separate units while developing the application. There are currently two units which act as servers for the honeypot concept. One unit works as an FTP server and the other acts as an IRC server; both of these units are tested separately and after testing are integrated into the actual application.
The honeypot servers are multi-threaded in order to support multiple client connections. The "hackers connected" part of the unit shows the number of connections made by hackers.
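The FTP honeypot unit described in Sections 4.3 and 4.4, as an added example that is not the project's code: a ServerSocket accepts clients, each client is served on its own thread, every received line is logged with a timestamp and the peer address, logins always fail, and an AtomicInteger provides the "hackers connected" count. The class name FtpHoneypot, the port 2121 and the local test client in main are assumptions for the example.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.net.ServerSocket;
import java.net.Socket;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.concurrent.atomic.AtomicInteger;

// Added example (not the project's code): a multi-threaded fake FTP server of
// the kind Sections 4.3 and 4.4 describe.  Every client gets its own thread,
// every line it sends is logged, and no command ever succeeds.
public class FtpHoneypot {

    private final int port;
    // Number of clients that have connected so far ("hackers connected").
    private final AtomicInteger connections = new AtomicInteger();

    FtpHoneypot(int port) { this.port = port; }

    int getConnections() { return connections.get(); }

    // Binds the port and starts the accept loop on a background thread.
    void start() throws IOException {
        final ServerSocket server = new ServerSocket(port);
        Thread acceptor = new Thread(new Runnable() {
            public void run() {
                while (true) {
                    try {
                        final Socket client = server.accept();
                        connections.incrementAndGet();
                        new Thread(new Runnable() {
                            public void run() { handle(client); }
                        }).start();
                    } catch (IOException e) {
                        return;   // server socket closed
                    }
                }
            }
        });
        acceptor.setDaemon(true);
        acceptor.start();
    }

    // Talks FTP just far enough to keep the client typing, and records it all.
    void handle(Socket client) {
        String peer = client.getInetAddress().getHostAddress() + ":" + client.getPort();
        try {
            BufferedReader in = new BufferedReader(new InputStreamReader(client.getInputStream()));
            PrintWriter out = new PrintWriter(client.getOutputStream(), true);
            out.println("220 FTP server ready.");
            String line;
            while ((line = in.readLine()) != null) {
                log(peer, line);
                String cmd = line.trim().toUpperCase();
                if (cmd.startsWith("USER")) out.println("331 Password required.");
                else if (cmd.startsWith("PASS")) out.println("530 Login incorrect.");
                else if (cmd.startsWith("QUIT")) { out.println("221 Goodbye."); break; }
                else out.println("530 Please login with USER and PASS.");
            }
        } catch (IOException e) {
            log(peer, "connection error: " + e.getMessage());
        } finally {
            try { client.close(); } catch (IOException ignored) { }
        }
    }

    // One log line per received command: timestamp, peer address, raw text.
    static void log(String peer, String text) {
        String stamp = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(new Date());
        System.out.println(stamp + " " + peer + " > " + text);
    }

    public static void main(String[] args) throws Exception {
        // Port 2121 is an assumption; the real FTP port (21) needs administrator rights.
        FtpHoneypot hp = new FtpHoneypot(2121);
        hp.start();

        // A local client stands in for an attacker so the example runs by itself.
        Socket s = new Socket("localhost", 2121);
        BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()));
        PrintWriter out = new PrintWriter(s.getOutputStream(), true);
        System.out.println("client < " + in.readLine());
        out.println("USER admin");   System.out.println("client < " + in.readLine());
        out.println("PASS secret");  System.out.println("client < " + in.readLine());
        out.println("QUIT");         System.out.println("client < " + in.readLine());
        s.close();
        Thread.sleep(200);
        System.out.println("connections so far: " + hp.getConnections());
    }
}
```

The server never grants a login, so the usernames and passwords an attacker tries are captured in the log without giving anything away; the IRC unit in the application would follow the same accept-and-handle layout with IRC replies in place of the FTP codes.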
4.5 HOW INFORMATION IS GOING TO BE STORED?
The storage of information is the most important part of any application in the network security domain. According to the system requirements, the system should be able to store the captured information on the local machine as well as on a remote database. There are two separate modules to achieve this task. The first module stores the captured information locally on the local machine as a text document, which can be easily read by the user. The other module stores the captured information on the remote database, which will be running on MongoDB.
The code for the module which stores captured information locally (TA_OUTPUT is the text area holding the captured packet text and DEFAULT_LOG_DIR is the log directory):
import java.io.File;
import java.io.FileOutputStream;
import java.io.PrintStream;
import java.text.SimpleDateFormat;
import java.util.Date;

String CaptureData = TA_OUTPUT.getText();
try {
    // File name is the current date and time, e.g. 2015-04-21_14-05-30.log,
    // so each save gets its own file and the date identifies the log
    String stamp = new SimpleDateFormat("yyyy-MM-dd_HH-mm-ss").format(new Date());
    File Data = new File(DEFAULT_LOG_DIR, stamp + ".log");
    FileOutputStream datastream = new FileOutputStream(Data);
    PrintStream out = new PrintStream(datastream);
    out.print(CaptureData);
    out.close();
    datastream.close();
    System.out.println("Saving........from CaptureData function");
} catch (Exception e) {
    e.printStackTrace();
}
The second module stores the captured information on the MongoDB server, which runs locally on port 27017:
import com.mongodb.BasicDBObject;
import com.mongodb.DB;
import com.mongodb.DBCollection;
import com.mongodb.MongoClient;

String CaptureData = TA_OUTPUT.getText();
try {
    // Connect to the local MongoDB server (Java driver 2.x API)
    MongoClient mongoclient = new MongoClient("localhost", 27017);
    DB db = mongoclient.getDB("_tep");
    System.out.println("Connect to database successfully");
    DBCollection coll = db.getCollection("mycol");
    System.out.println("capture data" + CaptureData);
    // Each save becomes one document with the captured text in the field "first"
    BasicDBObject document = new BasicDBObject();
    document.put("first", CaptureData);
    coll.insert(document);
    System.out.println("DONE");
    mongoclient.close();
} catch (Exception e) {
    e.printStackTrace();
}
The above code stores the captured information in the MongoDB collection named mycol.
MongoDB is a cross-platform document-oriented database. Classified as a NoSQL database, MongoDB eschews the traditional table-based relational database structure in favor of JSON-like documents with dynamic schemas (MongoDB calls the format BSON), making the integration of data in certain types of applications easier and faster. [NR11]
4.6 TECHNOLOGIES
This project is based on Java technology, so various Java-based libraries were analyzed in order to achieve the intrusion detection function. Libraries like Jpcap and JNetPcap allow us to capture packets in real time. They also provide support for network protocols, packet decoding and remote capture, and provide features like dumping captured packets to an offline file, transmitting packets on the network, etc.
Jpcap is an open source Java network packet capture library which is based on the libpcap and WinPcap libraries, and it is used with Java to capture and display network traffic on Windows as well as Linux computers.
Libpcap: an open source packet capture library which originally came from tcpdump. tcpdump uses a filtering model in which you specify the filter in a high-level language and a compiler translates it into low-level code; this code is downloaded into the kernel and attached to the network driver, and when a packet arrives on the network interface the filter is run against it, captures the packets you want and sends them up the stack.
WinPcap: the Windows version of the libpcap library. It also includes a driver to support capturing packets. It is essentially a tcpdump implementation for Windows machines. [NR12]
Library Used
Jpcap library: an open source network packet capture library which is based on the libpcap and WinPcap libraries. Jpcap captures Ethernet, TCP, UDP, IPv4, IPv6, ARP and ICMPv4 packets and analyzes each packet's header and payload. The Packet class in Jpcap is used to access packet field information and data. [1]
JpcapCaptor class: for capturing and filtering packets.
Java Runtime class: to execute Windows network shell (netsh) commands.
Mongo driver: to connect the main application with the MongoDB server.
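The Jpcap classes listed under Library Used, combined in one added example that is not the project's code: list the interfaces with JpcapCaptor.getDeviceList, open the chosen one, apply a BPF filter and decode TCP and UDP packets with the Jpcap packet classes (aims 1 and 2 of Section 1.5). It needs jpcap.jar, its native library and WinPcap (or libpcap) installed, plus capture privileges, so unlike the other examples it cannot run without a network interface. The CaptureDemo class, the "tcp or udp" filter and the 50-packet limit are assumptions for the example.

```java
import java.io.IOException;
import jpcap.JpcapCaptor;
import jpcap.NetworkInterface;
import jpcap.PacketReceiver;
import jpcap.packet.Packet;
import jpcap.packet.TCPPacket;
import jpcap.packet.UDPPacket;

// Added example (not the project's code) showing how the classes listed under
// "Library Used" fit together: list interfaces, open one, filter, and decode.
// Requires jpcap.jar plus its native library and WinPcap/libpcap.
public class CaptureDemo implements PacketReceiver {

    // Called by Jpcap for every captured packet that passes the filter.
    public void receivePacket(Packet p) {
        System.out.println(describe(p));
    }

    // One-line summary of the fields an administrator reads in the output area.
    static String describe(Packet p) {
        if (p instanceof TCPPacket) {
            TCPPacket t = (TCPPacket) p;
            return "TCP " + t.src_ip.getHostAddress() + ":" + t.src_port + " -> "
                 + t.dst_ip.getHostAddress() + ":" + t.dst_port
                 + (t.syn ? " SYN" : "") + (t.ack ? " ACK" : "") + (t.fin ? " FIN" : "")
                 + " len=" + p.len;
        }
        if (p instanceof UDPPacket) {
            UDPPacket u = (UDPPacket) p;
            return "UDP " + u.src_ip.getHostAddress() + ":" + u.src_port + " -> "
                 + u.dst_ip.getHostAddress() + ":" + u.dst_port + " len=" + p.len;
        }
        return p.getClass().getSimpleName() + " len=" + p.len;
    }

    public static void main(String[] args) throws IOException {
        // Aim 1: list the interfaces on the host.
        NetworkInterface[] devices = JpcapCaptor.getDeviceList();
        for (int i = 0; i < devices.length; i++) {
            System.out.println(i + ": " + devices[i].name + " (" + devices[i].description + ")");
        }
        int index = args.length > 0 ? Integer.parseInt(args[0]) : 0;

        // Aim 2: capture on the selected interface.
        // 65535 = snapshot length, false = not promiscuous, 20 = read timeout in ms.
        JpcapCaptor captor = JpcapCaptor.openDevice(devices[index], 65535, false, 20);
        // BPF filter: only TCP and UDP, the protocols the summary above decodes.
        captor.setFilter("tcp or udp", true);
        // Process 50 packets and stop; use -1 to capture until the captor is closed.
        captor.processPacket(50, new CaptureDemo());
        captor.close();
    }
}
```

The interface index is taken from the command line here; in the application it is the entry the administrator selects in the interface module, and the text returned by describe() is what the capture module appends to the output area that the two storage modules later save.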
4.7 APPLICATION DOMAIN
The main application domain of this application is network security. The application provides the combined features of intrusion detection, a firewall as prevention, and a honeypot for collecting information about hackers.
It captures packets from the specific network interface on the host machine. A host based system runs on an individual host or device on the network and monitors the inbound and outbound network traffic for that particular device only (the core domain is network security). The firewall part allows the creation of a set of rules for the host machine to control the inbound and outbound network traffic. The honeypot part is a separate unit which runs in the same application and pretends to be an actual computer system or resource, allowing hackers to attack it and capturing their information.
CHAPTER 5 REQUIREMENTS
Requirements for final application
The aim is to make a complete IDS with the following functionality:
- System shall have a proper GUI for user interaction.
- System shall be able to list all the available network interfaces on the host machine.
- System shall be able to select a particular interface for packet capture.
- System shall capture packets (inbound and outbound flow) from the selected network interface.
- System shall be able to scan TCP and UDP ports and display which ports are open.
- System shall dump (store) the captured information in a particular file format.
- System shall allow the administrator to define rules like port blocking or filtering of a particular type of port.
- System shall connect to a NoSQL database to store every file.
- System shall provide routines to analyze log files.
- System shall be tested using the JUnit tool.
- System shall have a honeypot implementation with the IDS.
[Note: represents the functionality included in the working application]
CHAPTER 6 ARCHITECTURE
This section describes the architecture of the complete system. The system is broken into a number of modules and the modules are broken further into units. Each unit of a particular module is developed separately; the units are gathered to create the module, and this module is then executed in the development environment.
Intrusion Detection System with Honeypot Plus has five main modules which make up the complete system. Each module has a unique functionality; the interface module displays the number of interfaces on the host machine (all types of network cards) and allows the user or administrator to select an interface to capture packets from the live network.
Basic process flow for Packet Capture Module.
Basic process flow for Prevention Module.
Basic process flow for Honeypot Module.
CHAPTER 7 APPLICATION DESIGN
This section provides an overview of the application design process. It covers the pre-design decisions and the relevant design decisions. It also describes the programming language chosen for development and the environment used for development, and then provides details of the main design decisions, which include the multi-threaded design of the programs and the logging of information to a text file. This section also includes the decision on NoSQL database selection.
7.1 DEVELOPMENT LANGUAGE
We chose Java as the development language for specific reasons. The primary reason is that we are very familiar with Java through our previous coursework and working experience, which enables us to focus our time on design and development, as Java provides a rich set of library classes to build a good GUI. Secondly, Java provides a stable and easy-to-use high-level sockets implementation, allowing us to avoid learning low-level socket programming and to concentrate on design and development. Finally, Java provides an excellent thread library, which makes the application multi-threaded and eases the implementation of the honeypot and other units in the application as multi-threaded components.
7.2 INTEGRATED DEVELOPMENT ENVIRONMENT (IDE)
An IDE is an application that provides software developers with an environment that eases tasks related to software programming and development. We chose Eclipse 4.4 (Luna) as the IDE in which we developed the Java application project. Eclipse is a free and open source product and is supported by the Athlone Institute of Technology. It provides all the features of a modern IDE such as code completion, refactoring and package management. Eclipse also has built-in support for Java Documentation (Javadoc), which allowed easy generation of source code documentation. We are closely familiar with the Eclipse environment through coursework, allowing us to start programming without the learning curve associated with an unfamiliar IDE.
7.3 MAJOR DESIGN DECISIONS WHILE CODING APPLICATION
We have outlined our design decisions while coding the INTRUSION DETECTION SYSTEM with HONYPOTPLUS application. The outcome of each decision is mentioned below, with details of how we took that decision. The main idea behind these decisions is to create a simple, yet extendable application. The honeypot servers are quite capable of serving multiple clients at the same time.
Multi-threading
Multi-threading has played the most important role in the application. Firstly, it is used in the capture module, where the application uses multi-threading to capture the continuous incoming and outgoing packets from the network interface. Multi-threading is also used in writing the honeypot servers; both servers in the application are multi-threaded, which means the servers have the capacity to serve more than one client at the same time. Both servers in the application support multiple connections in order to increase their usefulness as a honeypot.
Fig 5.1 Two clients connecting on the same port
7.4 LOGGING TO PLAIN TEXT FILE ON LOCAL MACHINE
One of the features of this application is that it stores log files as text documents in a local directory and updates them from time to time. We decided to store logs as plain text documents to allow the end user to easily read them and to allow parsing by third-party utilities. Here too multi-threading has been used in order to update the file with information from time to time.
7.5 LOGGING TO PLAIN TEXT DOCUMENT ON MONGODB DATABASE
Another feature of this application is that it can store the information in a MongoDB database on the MongoDB server and update the information from time to time. We decided to store logs as Mongo documents to allow the end user to easily read them and to allow parsing by third-party utilities. Here too multi-threading has been used in order to update the stored information from time to time.
CHAPTER 8 IMPLEMENTATION FEATURES
Intrusion Detection System with Honeypot Plus supports the following features.
Graphical Interface - Intrusion Detection System with Honeypot Plus provides a simple GUI to allow the user to control the application.
Lists the number of network interfaces - The application displays the network interfaces on the host machine; the user is allowed to select the interface to capture packets from.
Captures packets on the selected interface - The packets are captured from the selected interface, allowing the packet information to be displayed in the application's display area.
Displays captured packet information - The application extracts the contents of the captured packets and shows those contents in the display area, allowing the user to easily read them.
Lists the number of open ports on the machine - The application also performs port scanning on the host machine and displays information about all the TCP and UDP ports on the machine. It also tells which ports are listening.
Prevention - The prevention module is in effect a front-end to the host firewall: it lets the user set rules on the host operating system (through netsh advfirewall, see Appendix 2). For example the rule "TCP port 23 block" blocks inbound connections to TCP port 23, so an application listening on that port can no longer receive connections until the administrator deletes the rule with the unblock feature provided in the application.
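The rule above is built in BlockPort.java (Appendix 2) by concatenating the user's port and protocol into one command string for Runtime.exec(String), which splits the string on whitespace and runs netsh directly with the resulting tokens. A port value containing spaces therefore turns into extra arguments to netsh. What follows is an added example, written in Python rather than the project's Java and not code from the report: naive_argv() reproduces that tokenisation so the effect can be seen, while build_block_rule() and build_unblock_rule() validate the input first and return argv as a list so nothing is re-split. The rule name Block<protocol><port> mirrors the appendix so that unblock finds what block created; apply_rule() is only a wrapper around netsh and is not exercised here.

```python
import re
import subprocess
from typing import List, Tuple

ALLOWED_PROTOCOLS = ("TCP", "UDP")
PORT_RE = re.compile(r"^[0-9]{1,5}$")


def naive_argv(port: str, proto: str) -> List[str]:
    """Tokenise the report's concatenated netsh command the way Runtime.exec(String) does.

    Java splits the string on whitespace with a StringTokenizer and passes the pieces
    to the process as argv; str.split() gives the same result for the inputs shown here.
    """
    command = ("netsh advfirewall firewall add rule name=Block" + proto + port
               + " protocol=" + proto + " dir=in localport=" + port + " action=block")
    return command.split()


def _check(port: str, proto: str) -> Tuple[int, str]:
    """Accept only a decimal port in 1..65535 and a protocol from the allow-list."""
    if not PORT_RE.match(port):
        raise ValueError(f"port must be 1-5 decimal digits, got {port!r}")
    number = int(port)
    if not 1 <= number <= 65535:
        raise ValueError(f"port out of range: {number}")
    proto = proto.upper()
    if proto not in ALLOWED_PROTOCOLS:
        raise ValueError(f"protocol must be one of {ALLOWED_PROTOCOLS}, got {proto!r}")
    return number, proto


def build_block_rule(port: str, proto: str, direction: str = "in") -> List[str]:
    """argv for 'netsh advfirewall firewall add rule' with validated, single-token arguments."""
    number, proto = _check(port, proto)
    if direction not in ("in", "out"):
        raise ValueError(f"direction must be 'in' or 'out', got {direction!r}")
    return ["netsh", "advfirewall", "firewall", "add", "rule",
            f"name=Block{proto}{number}", f"protocol={proto}", f"dir={direction}",
            f"localport={number}", "action=block"]


def build_unblock_rule(port: str, proto: str) -> List[str]:
    """argv that deletes the rule build_block_rule() created (same name derivation as UNBlock.java)."""
    number, proto = _check(port, proto)
    return ["netsh", "advfirewall", "firewall", "delete", "rule", f"name=Block{proto}{number}"]


def apply_rule(argv: List[str]) -> subprocess.CompletedProcess:
    """Run netsh with an argv list (no shell). Needs Windows and an elevated prompt."""
    return subprocess.run(argv, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    print("naive :", naive_argv("23 action=allow", "TCP"))
    print("strict:", build_block_rule("23", "tcp"))
    try:
        build_block_rule("23 action=allow", "TCP")
    except ValueError as e:
        print("rejected:", e)
```

The check is deliberately an allow-list (digits only, known protocols) rather than a search for dangerous characters: netsh parameters are key=value tokens, so any whitespace the user can smuggle in is enough to add one, and the list form of argv guarantees that each value reaches netsh as exactly one token.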
Logging - Intrusion Detection System with Honeypot Plus creates a log file of the information captured while the application is running. The logs are stored locally in the C:/Temp folder as plain text so that the user can read the captured information directly. The application names the log file automatically from the date and time, which lets the administrator find a particular log file by its date.
Remote logging - Intrusion Detection System with Honeypot Plus can also store the log on a remote server. This module stores the captured information as documents in a NoSQL database on a MongoDB server. The main advantage of MongoDB is scalability: it handles large data sets easily, and the application then needs no local storage for the log files. Keeping the captured information on the Mongo server also gives an extra backup of the files, which the administrator can retrieve from the Mongo server at any time.
Honeypot Plus - This module lets the administrator host a fake FTP or IRC server on the host operating system. The servers run as threads inside the application (Appendix 4) but present the greeting and reply codes of a real server, so a client that connects cannot readily tell that it is interacting with a decoy rather than a real system. The servers implement only the responses coded in by the application programmer or configured by the administrator, so an attacker obtains nothing from them beyond what is provided. The module also displays the number of attackers connected to the honeypot.
No limit to the number of clients connected to the honeypot - Both honeypot servers, the Honeypot FTP Server and the Honeypot IRC Server, are multi-threaded: the accept loop runs in one thread and each connection is handled in its own thread, so any number of attackers can be served simultaneously.
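The FTP honeypot in Appendix 4 compares each received line with the bare credential strings, but a real FTP client sends "USER akash" and "PASS akashpass" as command lines, and it records what the attacker tried only on the console. What follows is an added example, in Python rather than the project's Java and not code from the report: a low-interaction FTP honeypot session that parses the command verb, keeps the USER/PASS state per connection, answers with RFC 959 reply codes, records every command and credential attempt with a timestamp and the client address, plus a threaded accept loop in the style of HoneypotServer that counts connections. The credential pair is the one from the report; the listening port 2121 is an assumption so that the example runs without privileges (the real FTP control port is 21).

```python
import datetime
import socket
import threading
from typing import List, Optional

HONEY_USER = "akash"        # the credential pair used in the report's listing
HONEY_PASS = "akashpass"
LISTEN_PORT = 2121          # assumed: unprivileged port for testing; real FTP control port is 21


class FtpSession:
    """Answers one client's command lines with RFC 959 reply codes and records what it tried."""

    BANNER = "220 Service ready for new user."

    def __init__(self, peer: str, log: List[str]):
        self.peer = peer
        self.log = log                      # shared, append-only event log, one line per event
        self.user: Optional[str] = None
        self.logged_in = False
        self.closed = False

    def _record(self, event: str) -> None:
        stamp = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        self.log.append(f"{stamp} {self.peer} {event}")

    def handle_line(self, raw: str) -> str:
        """Return the reply for one command line and update the session state."""
        line = raw.rstrip("\r\n")
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        self._record(f"cmd={verb} arg={arg!r}")
        if verb == "USER":
            if not arg:
                return "501 Syntax error in parameters or arguments."
            self.user, self.logged_in = arg, False
            return "331 User name okay, need password."
        if verb == "PASS":
            if self.user is None:
                return "503 Bad sequence of commands."
            # the credential attempt is the intelligence a honeypot exists to collect
            self._record(f"login user={self.user!r} password={arg!r}")
            if self.user == HONEY_USER and arg == HONEY_PASS:
                self.logged_in = True
                return "230 User logged in, proceed."
            self.user = None                # a failed PASS forces a fresh USER, as real servers do
            return "530 Not logged in."
        if verb == "QUIT":
            self.closed = True
            return "221 Service closing control connection."
        if verb == "SYST":
            return "215 UNIX Type: L8"
        if verb == "NOOP":
            return "200 Command okay."
        if not self.logged_in:
            return "530 Please login with USER and PASS."
        if verb == "PWD":
            return '257 "/" is the current directory.'
        return "502 Command not implemented."   # nothing beyond the decoy surface is offered


class FtpHoneypot:
    """Accept loop plus one thread per client, like the HoneypotServer / HoneypotServerThread pair."""

    def __init__(self, port: int = LISTEN_PORT):
        self.port = port
        self.log: List[str] = []
        self.connections = 0                # the "hackers connected" counter
        self._lock = threading.Lock()

    def _serve_client(self, conn: socket.socket, addr) -> None:
        session = FtpSession(f"{addr[0]}:{addr[1]}", self.log)
        with conn:
            conn.sendall((FtpSession.BANNER + "\r\n").encode("ascii"))
            for raw in conn.makefile("r", encoding="latin-1", errors="replace"):
                conn.sendall((session.handle_line(raw) + "\r\n").encode("ascii"))
                if session.closed:
                    break

    def serve_forever(self) -> None:
        with socket.create_server(("", self.port)) as srv:
            while True:
                conn, addr = srv.accept()
                with self._lock:
                    self.connections += 1
                threading.Thread(target=self._serve_client, args=(conn, addr), daemon=True).start()


if __name__ == "__main__":
    FtpHoneypot().serve_forever()
```

Keeping the protocol logic in FtpSession, with no socket inside it, is what makes the decoy testable line by line; the server only moves bytes. The reply text is kept close to what common FTP daemons send, since a mismatched banner or reply code is the first thing an attacker's tooling uses to fingerprint a honeypot.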
CHAPTER 9 TESTING AND EVALUATION
Intrusion Detection System with Honeypot Plus was developed with an incremental approach: a number of units are created, the units are integrated into modules, and finally the modules are combined into the complete system. Several testing techniques were employed to test the system.
Unit Testing - The application is built from small units, each containing a specific piece of functionality for the overall system; the function written for a button click is the best example of a unit. Each unit was tested as a Java console application and checked for correct output, and every unit was tested separately. This finds bugs hidden in the code at an early stage and simplifies debugging. Individual pieces of code were tested before integration.
Integration Testing - Units are combined into modules, collections of units that work together to provide one function of the system; the capture module, the save module and the port scanning module are examples. Each module was tested separately. Integration testing was done bottom-up, with development and testing carried out together so that the application meets its requirements efficiently. Each module was tested as soon as it was created, without waiting for the other modules.
System Testing - In this stage all modules are integrated to form the whole system. It is the final stage of testing, in which all functional and non-functional tests are run with the modules interfaced to one another. The aim is to test the behaviour of the whole application against the scope and the requirements specification. It also shows how the system interacts with the host operating system.
Bug Found
The major bug found during system testing is that the other components of the system freeze when the honeypot server component is executed. The honeypot server itself keeps running and keeps updating its contents on the application GUI, but the other components stop updating and the system goes into a frozen state. A likely contributing cause is visible in the listings: HoneypotServer (Appendix 4) constructs a fresh Capture_GUI instance rather than using the running window, and Swing components may only be updated from the event dispatch thread (for example through SwingUtilities.invokeLater), whereas the capture and honeypot threads touch them directly.
CHAPTER 10 CONCLUSION
In conclusion, network services grow day by day, and with them the number of servers and computing devices on the network that support Internet services. It is very important for any organisation to protect and secure its servers from attackers. Intrusion detection is the most common approach to protecting network resources: intrusion detection systems are used worldwide by network administrators to monitor network traffic and find unauthorised activity on their networks. It is equally important to improve prevention mechanisms so that systems and networks are better protected, and the firewall feature must be improved to deal with new types of threats.
Because of advances in technology, network connections are increasingly encrypted, and the encryption mechanisms keep growing. Intrusion detection systems cannot inspect such encrypted connections; honeypots help to overcome this problem and can be taken as a complement to intrusion detection systems for locating the source of malicious and unauthorised traffic to the network.
Honeypots are a newer approach to network security, and the field is advancing.
The final software product of this project combines three different network security tools in order to improve network security. The outcome of the project demonstrates that it is possible to combine various functionalities, architectures and concepts of network security into one application that provides a broad set of functions for the network security domain.
Intrusion Detection System with Honeypot Plus provides packet inspection, control over network traffic, and a decoy subsystem that collects information about attackers, allowing network administrators to protect their networks in more advanced ways.
CHAPTER 11 REFERENCES
[1] https://www.youtube.com/watch?v=Uump9bPIER8
[2] http://www.cs.wustl.edu/~jain/cse571-09/ftp/honey/#sec1.1
[3] http://www.techopedia.com/definition/10278/honeypot
[4] http://www.cs.wustl.edu/~jain/cse571-09/ftp/honey.pdf
[5] http://www.academia.edu/1275290/JPCAP_WINPCAP_USED_FOR_NETWORK_INTRUSION_DETECTION_SYSTEM
[6] http://jnetpcap.com/
[N1] "honeypot Definition", PC Magazine encyclopedia, 24 March 2009. http://www.pcmag.com/encyclopedia_term/0,2542,t=honeypot&i=44335,00.asp
[N2] Talabis, Ryan. "Honeypots 101: A Honeypot By Any Other Name." 2007. A non-technical introduction to honeypots with helpful analogies for the way honeypots work.
[NR3] http://searchmidmarketsecurity.techtarget.com/definition/intrusion-detection
[NR4] http://www.sans.org/security-resources/idfaq/what_is_id.php
[NR5] https://docs.oracle.com/javase/7/docs/api/java/lang/Runtime.html
[NR6] http://www.tutorialspoint.com/java/lang/runtime_exec.htm
[NR7] http://www.rgagnon.com/javadetails/java-0014.html
[NR8] http://en.wikipedia.org/wiki/Honeypot_(computing)
[NR9] http://searchsecurity.techtarget.com/definition/honey-pot
[NR10] http://www.cs.wustl.edu/~jain/cse571-09/ftp/honey.pdf
[NR11] http://en.wikipedia.org/wiki/MongoDB
[NR12] http://www.tcpdump.org/papers/bpf-usenix93.pdf
[NR13] http://www.tcpdump.org/wpcap.html
APPENDIX 1
Capture_GUI.java is the main class; it is initialised first when the application is executed. It contains the button handlers and the methods that call the other classes to perform each function. The listing is the excerpt from the report with the extraction damage repaired; the Swing layout code is omitted and the fields the excerpt uses are declared at the top. CaptureThread (a worker-thread base class with construct() and finished()) and PacketContents (the jpcap PacketReceiver that prints each packet) are defined in other classes of the project.

package gui;

import java.awt.event.ActionEvent;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintStream;
import java.text.SimpleDateFormat;
import java.util.Date;
import javax.swing.JComboBox;
import javax.swing.JFrame;
import javax.swing.JLabel;
import javax.swing.JOptionPane;
import javax.swing.JTextArea;
import javax.swing.JTextField;
import javax.swing.SwingUtilities;
import jpcap.JpcapCaptor;
import jpcap.NetworkInterface;
import jpcap.NetworkInterfaceAddress;
import com.mongodb.BasicDBObject;
import com.mongodb.DB;
import com.mongodb.DBCollection;
import com.mongodb.MongoClient;
import firewall.BlockPort;
import firewall.UNBlock;
import honeypotServer.HoneypotServer;
import honeypotServer.HoneypotServerIRC;

public class Capture_GUI {
    // Swing components, created by the layout code that is omitted here
    static JTextArea TA_OUTPUT;                        // packet display area
    JTextArea TA_PORT;                                 // netstat output
    JTextField TF_SelectInterface, TF_PortBlock, TF_PortUNBlock;
    JComboBox<String> comboBox, comboBox_UN;           // TCP/UDP selectors
    JLabel L_HACKERCONNECTED, L_HACKERCONNECTED1;      // FTP and IRC connection counters
    JFrame MainWindow;

    // capture state
    NetworkInterface[] network_interface;
    int COUNTER = 0;                                   // number of interfaces listed
    int INDEX = 0;                                     // interface chosen by the user
    volatile boolean CaptureState = false;             // read by the capture thread
    CaptureThread CAPTAIN;
    JpcapCaptor CAP;
    Thread honeyftp;
    String ADDRE, new_ip;
    static final String DEFAULT_LOG_DIR = "C:/Temp";

    // -------------------------------------------------------------- actions
    public void Action_B_CAPTURE(ActionEvent X) {
        TA_OUTPUT.setText("");
        CaptureState = true;
        CapturePackets();
    }

    public void Action_B_LIST(ActionEvent X) {
        ListNetworkInterfaces();
        TF_SelectInterface.requestFocus();
    }

    public void Action_B_SELECT(ActionEvent X) {
        ChooseInterface();
    }

    public void Action_B_STOP(ActionEvent X) {
        CaptureState = false;
        CAPTAIN.finished();
    }

    public void Action_B_PORT(ActionEvent X) {
        PortScanner();
    }

    public void Action_B_SAVE(ActionEvent X) {
        SaveCapture();                 // periodic save to MongoDB
    }

    public void Action_B_SAVELOCAL(ActionEvent X) {
        CaptureDataLocal();            // one-off save to a local log file
    }

    public void Action_B_PORTBLOCK(ActionEvent X) {
        BlockPortSystem();
    }

    public void Action_B_PORTUNBLOCK(ActionEvent X) {
        UNBlockPortSystem();
    }

    public void Action_B_HONEYSTART(ActionEvent X) throws IOException {
        HONEYSTART();
    }

    public void Action_B_HONEYSTOP(ActionEvent X) throws IOException {
        // new HoneypotServer().StopServer();
        // stopping is not implemented; the server thread runs until the application exits
    }

    public void Action_B_HONEYSTARTIRC(ActionEvent X) throws IOException {
        HONEYSTARTIRC();
    }

    public void Action_B_HONEYSTOPIRC(ActionEvent X) {
        // not implemented
    }

    // -------------------------------------------------------------- functions
    public void ListNetworkInterfaces() {
        try {
            network_interface = JpcapCaptor.getDeviceList();
            TA_OUTPUT.setText("");
            COUNTER = 0;               // reset so a second listing does not double the count
            for (int i = 0; i < network_interface.length; i++) {
                TA_OUTPUT.append("\n\n******************** Interface " + i + " Info ********************");
                TA_OUTPUT.append("\nInterface Number: " + i);
                TA_OUTPUT.append("\nDescription : " + network_interface[i].name
                        + " (" + network_interface[i].description + ")");
                TA_OUTPUT.append("\nDataLink Name : " + network_interface[i].datalink_name
                        + " (" + network_interface[i].datalink_description + ")");
                // one interface may carry several addresses
                for (NetworkInterfaceAddress INT : network_interface[i].addresses) {
                    TA_OUTPUT.append("\nIP Address1 : " + INT.address);
                    TA_OUTPUT.append("\nSubnet : " + INT.subnet);
                    ADDRE = INT.address.toString();
                    new_ip = ADDRE.replaceAll("/", "");   // InetAddress.toString() gives "/192.168.1.10"
                }
                COUNTER++;
            }
        } catch (Exception e) {
            System.out.println(e);
        }
    }

    // ----------------------------------------------------------------------
    public void ChooseInterface() {
        try {
            int Temp = Integer.parseInt(TF_SelectInterface.getText().trim());
            if (Temp > -1 && Temp < COUNTER) {
                INDEX = Temp;
            }
        } catch (NumberFormatException e) {
            // non-numeric input: keep the previous selection
        }
        TF_SelectInterface.setText("");
    }

    // ----------------------------------------------------------------------
    public void CapturePackets() {
        CAPTAIN = new CaptureThread() {
            @Override
            public Object construct() {
                // runs on the worker thread, so the Swing update goes through the event dispatch thread
                SwingUtilities.invokeLater(() -> TA_OUTPUT.setText(
                        "\nNow capturing on interface : " + INDEX + "...\n"
                        + "------------------------------------------------------------\n\n"));
                try {
                    // snaplen 65535 bytes, non-promiscuous, 20 ms read timeout
                    CAP = JpcapCaptor.openDevice(network_interface[INDEX], 65535, false, 20);
                    // CAP.setFilter("ip", true);   // optional BPF filter
                    while (CaptureState) {
                        CAP.processPacket(1, new PacketContents());
                    }
                    CAP.close();
                } catch (Exception e) {
                    System.out.println(e);
                }
                return 0;
            }

            public void finished() {
                this.interrupt();
            }
        };
        CAPTAIN.start();
    }

    // ----------------------------------------------------------------------
    public void PortScanner() {
        try {
            // run "netstat -a" and copy its output into the port display area;
            // stderr is merged into stdout so that neither stream can block the other
            ProcessBuilder pb = new ProcessBuilder("netstat", "-a");
            pb.redirectErrorStream(true);
            Process p = pb.start();
            BufferedReader bri = new BufferedReader(new InputStreamReader(p.getInputStream()));
            String line;
            while ((line = bri.readLine()) != null) {
                TA_PORT.append(line + "\n");
            }
            bri.close();
            p.waitFor();
        } catch (Exception err) {
            err.printStackTrace();
        }
    }

    // ----------------------------------------------------------------------
    public void SaveCapture() {
        // save the display area to MongoDB three times, ten seconds apart
        Thread t1 = new Thread(new Runnable() {
            @Override
            public void run() {
                for (int i = 1; i <= 3; i++) {
                    System.out.println("Saving from SaveThread class..... ");
                    CaptureData();
                    try {
                        Thread.sleep(10000);
                    } catch (Exception ex) {
                        ex.printStackTrace();
                    }
                }
            }
        });
        t1.start();
    }

    // ----------------------------------------------------------------------
    public void BlockPortSystem() {
        String num = TF_PortBlock.getText();
        String protocol = (String) comboBox.getSelectedItem();
        BlockPort block = new BlockPort(num, protocol);       // adds a netsh advfirewall rule (Appendix 2)
    }

    // ----------------------------------------------------- UNBLOCK FUNCTION
    public void UNBlockPortSystem() {
        String num = TF_PortUNBlock.getText();
        String protocol = (String) comboBox_UN.getSelectedItem();
        UNBlock unblock = new UNBlock(num, protocol);         // deletes that rule (Appendix 3)
    }

    // ----------------------------------------------------- HONEYPOT on FTP
    public void HONEYSTART() {
        honeyftp = new Thread(new Runnable() {
            @Override
            public void run() {
                try {
                    new HoneypotServer().runServer();          // blocks in accept(), hence its own thread
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        });
        honeyftp.start();
        JOptionPane.showMessageDialog(MainWindow, "HoneyServer Started");
    }

    // ----------------------------------------------------- HONEYPOT on IRC
    public void HONEYSTARTIRC() {
        Thread t2 = new Thread(new Runnable() {
            @Override
            public void run() {
                try {
                    new HoneypotServerIRC().runServer();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        });
        t2.start();
        JOptionPane.showMessageDialog(MainWindow, "HoneyServerIRC Started");
    }

    // ----------------------------------------------------- saving data to MongoDB
    public static void CaptureData() {
        String CaptureData = TA_OUTPUT.getText();
        MongoClient mongoclient = null;
        try {
            // host and port of the MongoDB server; this build points at the local machine
            mongoclient = new MongoClient("localhost", 27017);
            DB db = mongoclient.getDB("_tep");
            System.out.println("Connect to database successfully");
            DBCollection coll = db.getCollection("mycol");
            BasicDBObject document = new BasicDBObject();
            document.put("first", CaptureData);                // the whole display area as one field
            coll.insert(document);
            System.out.println("DONE");
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            if (mongoclient != null) {
                mongoclient.close();                           // release the connection pool
            }
        }
    }

    // ----------------------------------------------------- saving data on the local machine
    public static void CaptureDataLocal() {
        String CaptureData = TA_OUTPUT.getText();
        try {
            // file name from date and time, e.g. C:/Temp/2015-04-20_14-05-09.log
            String stamp = new SimpleDateFormat("yyyy-MM-dd_HH-mm-ss").format(new Date());
            File dir = new File(DEFAULT_LOG_DIR);
            dir.mkdirs();
            File Data = new File(dir, stamp + ".log");
            FileOutputStream datastream = new FileOutputStream(Data);
            PrintStream out = new PrintStream(datastream);
            out.print(CaptureData);
            out.close();
            datastream.close();
            System.out.println("Saving........from CaptureData function");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    // ----------------------------------------------------- "XML" save
    // Despite the name this writes the plain display text to OutPut.txt in the working directory.
    public static void CaptureDataXML() {
        String CaptureData = TA_OUTPUT.getText();
        try {
            File Data = new File("OutPut.txt");
            FileOutputStream datastream = new FileOutputStream(Data);
            PrintStream out = new PrintStream(datastream);
            out.print(CaptureData);
            out.close();
            datastream.close();
            System.out.println("Saving........from CaptureData function");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    // ----------------------------------------------------- number of connections
    public void setNumberConnections(int newNum) {
        // called from the honeypot accept thread; Swing labels must be updated on the event dispatch thread
        SwingUtilities.invokeLater(() -> L_HACKERCONNECTED.setText("Hackers connected: " + newNum));
    }

    public void setNumberConnectionsIRC(int newNum) {
        SwingUtilities.invokeLater(() -> L_HACKERCONNECTED1.setText("Hackers connected: " + newNum));
    }
}
APPENDIX 2
BlockPort.java is the class that lets the application set rules blocking certain ports. It runs netsh advfirewall, so the application must run with administrator rights. The rule is named Block<protocol><port>, which is the name UNBlock.java (Appendix 3) deletes later.

package firewall;

import java.io.BufferedReader;
import java.io.InputStreamReader;

public class BlockPort {
    public String port;
    public String protocol;

    public BlockPort(String num, String pro) {
        this.port = num;
        this.protocol = pro;
        // validate before anything reaches netsh: the arguments are separate tokens, so a
        // port value such as "23 action=allow" would otherwise add arguments to the command
        int portNumber;
        try {
            portNumber = Integer.parseInt(num.trim());
        } catch (NumberFormatException e) {
            portNumber = -1;
        }
        if (portNumber < 1 || portNumber > 65535 || !(pro.equals("TCP") || pro.equals("UDP"))) {
            System.out.println("Invalid port or protocol: " + num + " " + pro);
            return;
        }
        try {
            String line;
            // list form: no shell is involved and nothing is re-tokenised
            Process p = new ProcessBuilder("netsh", "advfirewall", "firewall", "add", "rule",
                    "name=Block" + pro + portNumber, "protocol=" + pro, "dir=in",
                    "localport=" + portNumber, "action=block").redirectErrorStream(true).start();
            BufferedReader bri = new BufferedReader(new InputStreamReader(p.getInputStream()));
            while ((line = bri.readLine()) != null) {
                System.out.println(line);
            }
            bri.close();
            p.waitFor();
            System.out.println("Done. rule set");
        } catch (Exception err) {
            err.printStackTrace();
        }
    }
}
APPENDIX 3
UNBlock.java is the class that deletes the rules set by BlockPort.java. It derives the rule name the same way, Block<protocol><port>, so the user must give the same port and protocol that were used to block.

package firewall;

import java.io.BufferedReader;
import java.io.InputStreamReader;

public class UNBlock {
    public String port;
    public String protocol;

    public UNBlock(String num, String pro) {
        this.port = num;
        this.protocol = pro;
        // same validation as BlockPort: an unchecked value could add arguments to "delete rule"
        int portNumber;
        try {
            portNumber = Integer.parseInt(num.trim());
        } catch (NumberFormatException e) {
            portNumber = -1;
        }
        if (portNumber < 1 || portNumber > 65535 || !(pro.equals("TCP") || pro.equals("UDP"))) {
            System.out.println("Invalid port or protocol: " + num + " " + pro);
            return;
        }
        try {
            String line;
            Process p = new ProcessBuilder("netsh", "advfirewall", "firewall", "delete", "rule",
                    "name=Block" + pro + portNumber).redirectErrorStream(true).start();
            BufferedReader bri = new BufferedReader(new InputStreamReader(p.getInputStream()));
            while ((line = bri.readLine()) != null) {
                System.out.println(line);
            }
            bri.close();
            p.waitFor();
            System.out.println("Done. rule Deleted");
        } catch (Exception err) {
            err.printStackTrace();
        }
    }
}
APPENDIX 4
HoneypotServer.java is the class that provides the honeypot feature. It accepts connections and hands each one to a HoneypotServerThread; the accept loop blocks, which is why Capture_GUI starts runServer() on its own thread.

package honeypotServer;

import java.io.IOException;
import java.net.ServerSocket;
import java.net.Socket;
import gui.Capture_GUI;

public class HoneypotServer extends Thread {
    Socket clientSocket = null;
    ServerSocket serverSocket = null;
    // NOTE: this creates a second Capture_GUI instance, so the counter updates never reach
    // the window the user is looking at (see Chapter 9, Bug Found)
    Capture_GUI gui = new Capture_GUI();
    private int i = 0;                         // connections accepted so far

    public void runServer() throws IOException {
        try {
            // FTP control port. The report's build listened on 23, which is the Telnet port;
            // an FTP greeting on 23 is itself a tell-tale for anyone probing the decoy.
            serverSocket = new ServerSocket(21);
            System.out.println("server started....on FTP 21");
            while (true) {
                clientSocket = serverSocket.accept();
                new Thread(new HoneypotServerThread(clientSocket)).start();
                System.out.println("socket connected");
                incrementConnections();
            }
        } catch (Exception e) {
            e.printStackTrace();               // a bind failure (port in use, no privilege) must be visible
        }
    }

    public void incrementConnections() {
        i++;
        if (gui != null) {
            gui.setNumberConnections(i);
        }
        System.out.println("connections so far: " + i);
    }

    public static void main(String[] args) throws IOException {
        // new HoneypotServer().runServer();  // uncomment to run the honeypot stand-alone
    }
}

HoneypotServerThread.java handles one client connection: it sends the FTP greeting and answers each line with an FTP reply code. A real FTP client sends "USER akash" and "PASS akashpass" as command lines, so the handler matches on the full command line rather than on the bare credential, and every line received is printed as the record of what the attacker tried.

package honeypotServer;

import java.io.PrintWriter;
import java.net.Socket;
import java.util.Scanner;

public class HoneypotServerThread implements Runnable {
    Socket clientSocket;

    HoneypotServerThread(Socket clientSocket) {
        this.clientSocket = clientSocket;
    }

    public void run() {
        try {
            Scanner in1 = new Scanner(clientSocket.getInputStream());
            PrintWriter out = new PrintWriter(clientSocket.getOutputStream(), true);
            out.println("220 Service ready for new user.");
            while (true) {
                if (in1.hasNextLine()) {
                    String mes = in1.nextLine();
                    System.out.println("hacker message :" + mes);
                    if (mes.equals("USER akash")) {
                        out.println("331 User name ok, need password.");
                    } else if (mes.equals("PASS akashpass")) {
                        out.println("230 User logged in.");
                    } else if (mes.startsWith("PASS ")) {
                        out.println("530 Not logged in.");       // wrong password: reject, never hint
                    } else {
                        out.println("501 Syntax error in parameters or arguments.");
                    }
                } else {
                    clientSocket.close();                       // client closed the connection
                    break;
                }
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}