Akash final-year-project report


Page 1: Akash final-year-project report

INTRUSION DETECTION SYSTEM With HONYPOTPLUS

Akash Rajguru (A00226145)

BACHELOR OF ENGINEERING (HONS) IN SOFTWARE ENGINEERING

ATHLONE INSTITUTE OF TECHNOLOGY SCHOOL OF ENGINEERING

2015


ATHLONE INSTITUTE OF TECHNOLOGY SCHOOL OF ENGINEERING

2015

INTRUSION DETECTION SYSTEM With HONYPOTPLUS

By

Akash Rajguru (A00226145)

Thesis Submitted for the Award of BACHELOR OF ENGINEERING (HONS) IN SOFTWARE ENGINEERING

Supervisor: Dr. Paul Jacob


INTRUSION DETECTION SYSTEM

With HONYPOTPLUS

Author: Akash Rajguru

Supervisor: Dr. Paul Jacob


ACKNOWLEDGEMENT

The final project has been a very memorable and unique experience for me. It opened up a new avenue for gaining knowledge which will certainly stand me in good stead in the years to come.

I am very thankful to my project guide and supervisor Dr. Paul Jacob for giving me the opportunity to do this project during my course of Bachelor of Engineering (Honours) in Software Engineering, and for his excellent guidance on the project work and his help in designing it.

My sincere thanks to Dr. Paul Jacob (Project Supervisor) for his valuable support in making my project successful. I also want to sincerely thank Dr. Declan Byrne for teaching Software Design and Mr. Michael Russell for teaching Project Management and Software Testing.


Project Summary

Welcome. This is a project on the study of network intrusion detection systems, how prevention can be achieved, and how the honeypot concept can be used to make a network more secure. It explains the research done while developing the application software. The major research was about understanding how intrusion detection works and how it can be implemented in my application using Java as the development programming language. There is one more major part of the research, which is on honeypot architecture.

It also explains the problems that were encountered during the development of the application and how these were overcome. It is about an investigation into the process of learning how to use third-party Java libraries to achieve the project goal.

This report focuses on the research done to understand the concepts of intrusion detection, intrusion prevention and honeypots. It also explores which libraries were analysed while developing the application. The application developed during this project is a desktop-based application, which is mainly useful for network administrators.

Akash Rajguru - B.Eng. (Hons) Software Engineering 5 | P a g e


CONTENTS PAGE

CHAPTER 1: INTRODUCTION AND PROJECT OUTLINE 7
1.1 Project title and Interpretation 7
1.2 Network Intrusion Detection 7
1.3 Honeypot 7
1.4 Project Motivation 8
1.5 Project Aims and Objectives 9
CHAPTER 2: SCOPE 10
CHAPTER 3: HARDWARE AND SOFTWARE 11
CHAPTER 4: RESEARCH 12
4.1 What is intrusion detection? 12
4.2 What is prevention? 13
4.3 What is honeypot? 14
4.4 How honeypot can be implemented in the application? 15
4.5 How information is going to be stored? 16
4.6 Technologies 17
4.7 Application Domain 18
CHAPTER 5: REQUIREMENTS 19
CHAPTER 6: ARCHITECTURE 21
CHAPTER 7: APPLICATION DESIGN 24
7.1 Development Language 24
7.2 Integrated Development Environment 24
7.3 Major Design Decision while coding application 24
7.4 Logging to plain text file on local machine 25
7.5 Logging to plain text document on MongoDB database 25
CHAPTER 8: IMPLEMENTATION FEATURES 26
CHAPTER 9: TESTING AND EVALUATION 29
CHAPTER 10: CONCLUSION 31
CHAPTER 11: REFERENCES 32
APPENDIX 33

CHAPTER 1 INTRODUCTION AND PROJECT OUTLINE

In this section I will describe the network intrusion detection system, the traditional approach to network security. I will then give an introduction to honeypots, which are an integral part of the complete system. This section also includes the advantages of the honeypot module in the system.

1.1 PROJECT TITLE AND INTERPRETATION

TITLE: “INTRUSION DETECTION SYSTEM with HONYPOTPLUS”

The goal of this project is to design and develop a fully implementable and tested Java based intrusion detection system with an integrated honeypot, which can monitor network traffic from the host machine by capturing the network packets from the live network. I have made the assumption that this tool will be able to capture the network packets, allow the administrator to analyze the captured packets, and also provide some features to control network traffic. In order to control traffic from the host machine a module called Firewall has been added, which allows the administrator to create specific rules and also to delete rules which have already been created. This tool is also able to dump (store) the captured information in a particular file format on the local machine as well as on a MongoDB server. This project also employs a honeypot, which allows the administrator to capture information about hackers.

1.2 NETWORK INTRUSION DETECTION

The goal of the intrusion detection system is to identify unauthorized network access; it basically identifies and scans the network for incoming and outgoing network packets from the host machine, all preferably in real time. Its main function is to analyze incoming and outgoing packets on the network interface. The detection part of the system detects the communication of unauthorized packets with the system. The prevention part of the system provides a set of options to block the network traffic of an application; it is a type of firewall for the system, which allows the application user to control the network traffic through the selected network interface.

1.3 HONEYPOT

The exact definition of a honeypot is as follows:

A honeypot is "an information system resource whose value lies in unauthorized or illicit use of that resource" (from the www.securityfocus.com forum).

A more practical, but more limiting, definition is given by pcmag.com:

"A server that is configured to detect an intruder by mirroring a real production system. It appears as an ordinary server doing work, but all the data and transactions are phony. Located either in or outside the firewall, the honeypot is used to learn about an intruder's techniques as well as determine vulnerabilities in the real system" [N1].

In practice, honeypots are computers which masquerade as unprotected. The honeypot records all actions and interactions with users. Since honeypots don't provide any legitimate services, all activity is unauthorized (and possibly malicious). [N2]


1.4 PROJECT MOTIVATION

As we know, the internet is growing day by day, and from small to large enterprises, institutes are creating their own private networks (LANs) for better performance between computer systems as well as for data protection. So it is safer to have in-house software which monitors the internal as well as the external network traffic to find and avoid intrusions into the network.

1.5 PROJECT AIMS AND OBJECTIVES

The final project product is aimed at implementing the following:

1. To be able to list the network interfaces on the host computer.
2. To be able to capture packets on the selected network interface.
3. To allow TCP port scanning.
4. To be able to block a port on the machine.
5. To be able to unblock a port on the machine.
6. To be able to save the captured information in txt file format.
7. To be able to save the captured information on a remote MongoDB server.
8. To be able to run a honeypot server on a specific server.
9. To be able to display the number of hackers connected to the honeypot server.

[Note: Requirements for the final application are listed in Chapter 5 Requirements]

Objectives

1. Investigate the various Java third party libraries.
2. Investigate how a third party library works for packet sniffing.
3. I want to build an initial application which does packet sniffing from the live network.
4. I want to see the contents of the packet.
5. Investigate the difference between the Jpcap and JNetPcap libraries.
6. Create a plan of how this application will be developed.
7. Decide on how to store captured information on the local machine as well as on a remote database.
8. Integrate all modules to make the complete system.
9. Test the application.
10. Create documentation and a final report.

CHAPTER 2 SCOPE

What application am I developing?

After some research I have decided to create a Java based desktop application which helps the network administrator to achieve network security related tasks: it allows the network administrator to monitor the network traffic, to see the network packet flow from the network interface, to see the contents of the packets, and to define specific rules to prevent communication on certain ports on the host machine.

The functionality on which I am going to focus is getting the number of interfaces on the host machine, capturing packets from the selected interface, displaying the contents of packets, allowing port scanning on the host machine in order to find which ports are open and used by specific applications, allowing the administrator to block certain ports on the host machine in order to control network traffic, and also allowing the storage of captured information locally and remotely.

This application also contains two honeypot servers, which allow the administrator to run a fake system virtually on the machine. This server pretends to be an actual system to hackers, allowing the administrator to capture information about the hackers. These honeypot servers are internal parts of the application.

As I can see from the developer's point of view, there is scope to develop this application into quite a large application. I have decided that I will develop the application as a number of modules, where each module is created separately and tested separately, and later the modules are integrated to make the complete application.

The modules are created as prototypes; for every functionality a prototype has been created. Every prototype is tested separately to check whether it is performing the function corresponding to the requirements. The tested modules are then integrated with each other and tested again.

The current scope of the application is that it is a host based system, which means the application only works with the resources of the host machine. There are two types of intrusion detection system that can be developed: one is host based and the other is network based. My application is a host based application, which means it can only perform functions on the host machine.

CHAPTER 3 HARDWARE AND SOFTWARE

Hardware

The hardware that is required:

"Minimum: 1.6 GHz CPU, 384 MB RAM, 1024x768 display, 5400 RPM hard drive
Recommended: 2.2 GHz or higher CPU, 1024 MB or more RAM, 1280x1024 display, 7200 RPM or higher hard drive"

Running on Windows 8: 2.20 GHz CPU, 768 MB RAM
1 GB of available disk space for the minimum installation
Recommended 2 GB memory for the IDE and if running the server locally

Software

The development of this application will require specialized software. The software that I need to use is:

a. Windows 8 operating system
b. Eclipse IDE 4.4 (Luna)
c. A Java 7 JRE/JDK
d. WinPcap

CHAPTER 4 RESEARCH

Before starting development of the application it was very important to do research to find the answers to the following questions, which come into the developer's mind after going through the requirements. The questions were:

4.1 WHAT IS INTRUSION DETECTION?

The meaning of intrusion in computer science is "An incident of unauthorized access to data or an automated information system." Detection is knowing that unauthorized access is happening to the system or network.

Intrusion detection can be defined as "the act of detecting unauthorized access or actions that attempt to compromise the confidentiality, integrity or availability of a resource." More specifically, the goal of intrusion detection is to identify entities attempting to subvert in-place security controls.

Intrusion detection is a type of security management tool for computers and networks. An intrusion detection tool gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization). Intrusion detection uses vulnerability assessment (sometimes referred to as scanning), which is a technology developed to assess the security of a computer system or network.


There are certain functions which must be performed by an intrusion detection tool. These functions include:

- Monitoring and analyzing both user and system activities
- Analyzing information in communication
- Assessing system and file integrity
- Ability to recognize patterns typical of attacks
- Analysis of abnormal activity patterns
- Tracking user policy violations

There are two common types of intrusion detection system that can be developed [NR3]:

1) Network Based (Network IDS)
2) Host Based (Host IDS)

Network Based Intrusion Detection (Network IDS)

A network based intrusion detection system attempts to identify unauthorized access and anomalous behavior based exclusively on network traffic. A network intrusion detection system uses either a network tap, SPAN port, or hub to collect the packets that travel through a given network. Using the captured data, the intrusion detection system processes and flags any suspicious traffic. Unlike an intrusion prevention system, an intrusion detection system does not actively block network traffic. The role of a network intrusion detection system is passive, only gathering, identifying, logging and alerting.

Host Based Intrusion Detection (Host IDS)

A host based intrusion detection system, often referred to as a host IDS, attempts to identify unauthorized access, illegal, and anomalous behavior on a specific device. A host based intrusion detection system generally involves agent software installed on each system, monitoring and alerting on local OS and application activity. The installed agent software uses a combination of signatures, rules, and heuristics to identify unauthorized activity. The role of a host IDS is passive, only gathering, identifying, logging, and alerting. [NR4]


After analyzing the given requirements it has been understood that my application is going to be a network based intrusion detection system.

Now the question arises of how I am going to code an intrusion detection system in Java. After research I found that I need to use a third party Java library in order to achieve the desired functions of an intrusion detection system. The details about the library can be found below in the Technologies section.

4.2 WHAT IS PREVENTION?

Prevention is the extended module of the intrusion detection system with the added ability to block (prevent) the activity. This can be done with network, host, and physical intrusion detection systems. It basically allows the user to create certain rules for the network communication into and out of the network device. The best example of prevention is the firewall, which allows users to apply certain configurations to the machine which control the applications' communication with external systems on the internet.

Now the question arises of how I can write the functionality which allows my Java based application to talk with the operating system, since a Java application runs on the virtual machine created by the operating system and this virtual application is not allowed to talk directly to the operating system. The solution found for such a scenario is to use the Runtime class from the java.lang package. (Every Java application has a single instance of class Runtime that allows the application to interface with the operating system environment in which the Java application is running. The current runtime can be obtained from the getRuntime method.) The Java class Runtime in java.lang contains the exec() method, which executes the specified string command in a separate process. This is a convenience method. [NR5] [NR6] [NR7]

    // pro = protocol name ("tcp" or "udp"), num = port number, both entered by the administrator
    Process p = Runtime.getRuntime().exec(
            "netsh advfirewall firewall add rule name=Block" + pro + num
            + " protocol=" + pro + " dir=in localport=" + num + " action=block");

The above Java code allows the Java application to run the netsh command, which defines firewall rules for the Windows operating system.

The same Java code is used to delete or remove rules set by the application; the only difference is the string command passed to the exec() method.

    // the rule name must match the one used when the rule was added
    Process p = Runtime.getRuntime().exec(
            "netsh advfirewall firewall delete rule name=Block" + pro + num);

4.3 WHAT IS HONEYPOT?

In network security, a honeypot is a trap which is set to detect, divert and counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.

In practice, honeypots are computers which pretend to be unprotected systems. The honeypot server or resource records all actions and interactions with hackers. Since honeypots don't provide any legitimate services, all activity is unauthorized (and possibly malicious).

The Java standard library provides a set of classes and methods to write a server which runs virtually on the host operating system and pretends to be an actual computer system. To make such a system I have used the java.net package, which provides the Socket and ServerSocket classes; these provide the methods to write a server that pretends to be an FTP server to external as well as internal hackers.


[Figure: basic honeypot deployment. Taken from "http://www.cse.wustl.edu/~jain/cse571-09/ftp/honey/fig2.png"]

The above figure describes the basic implementation of a honeypot in any system. The intrusion detection system is the first point of contact for the hacker and the normal users. According to the user type and the set of rules defined by the administrator, the intrusion detection system decides where to send the network traffic. The anomalous traffic is sent to the honeypot server, which interacts with hackers as an actual FTP server. The intrusion detection system controls the flow of the traffic between the applications running on the host machine. This is done by blocking all the ports on the host system and keeping open only those ports on which the honeypot server is going to run. In my application the intrusion detection system only keeps open those ports on which the honeypot services are going to run, and all other ports will be blocked or closed by the intrusion detection system. [NR8] [NR9] [NR10]

4.4 HOW HONEYPOT CAN BE IMPLEMENTED IN THE APPLICATION?

The honeypots are developed as separate units while developing the application. There are currently two units which act as servers for the honeypot concept. One unit works as an FTP server and the other acts as an IRC server; both of these units are tested separately and after testing are integrated into the actual application.

The honeypot servers are multi-threaded in order to support multiple client connections. The "hackers connected" part of the unit shows the number of connections made by hackers.
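The FTP-style honeypot server described in 4.3 and 4.4, reconstructed as an added example; this is not the report's honeypot unit. It uses only java.net ServerSocket and Socket, starts one thread per accepted client, keeps the "hackers connected" counter that the unit displays, and logs every line the client sends with a timestamp. It answers with just enough FTP replies to keep a client talking but never grants a login and serves no files. The class name FtpHoneypot, the default port 2121, the idle timeout and the line cap are this example's own choices.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.concurrent.atomic.AtomicInteger;

// Added example, not the report's honeypot unit: a minimal multi-threaded
// FTP-style honeypot. It speaks just enough FTP to keep a client talking,
// never grants a login, serves no files, and logs every line it receives.
public class FtpHoneypot implements Runnable {

    // The "hackers connected" counter shown by the report's honeypot unit.
    private static final AtomicInteger CONNECTIONS = new AtomicInteger();
    private static final int MAX_LINE = 512;          // FTP commands are short; cap what is logged
    private static final int IDLE_TIMEOUT_MS = 30000; // drop clients that go quiet

    private final Socket client;

    FtpHoneypot(Socket client) {
        this.client = client;
    }

    /** Number of connections accepted since the server started. */
    public static int connectionsSoFar() {
        return CONNECTIONS.get();
    }

    /** Replaces control and non-ASCII characters so a client cannot forge log lines. */
    static String sanitize(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            sb.append(c >= 0x20 && c < 0x7f ? c : '?');
        }
        return sb.length() > MAX_LINE ? sb.substring(0, MAX_LINE) : sb.toString();
    }

    /** Canned FTP reply for a command line; no command ever succeeds. */
    static String replyFor(String line) {
        String verb = line.trim().toUpperCase();
        int sp = verb.indexOf(' ');
        if (sp > 0) {
            verb = verb.substring(0, sp);
        }
        switch (verb) {
            case "USER": return "331 Password required";
            case "PASS": return "530 Login incorrect";
            case "QUIT": return "221 Goodbye";
            default:     return "530 Please login with USER and PASS";
        }
    }

    static void log(String msg) {
        String ts = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(new Date());
        System.out.println(ts + " " + msg); // the report's file or MongoDB logger could be used here
    }

    @Override
    public void run() {
        String peer = client.getInetAddress().getHostAddress() + ":" + client.getPort();
        log("connection #" + CONNECTIONS.incrementAndGet() + " from " + peer);
        try (Socket s = client;
             BufferedReader in = new BufferedReader(
                     new InputStreamReader(s.getInputStream(), StandardCharsets.US_ASCII));
             PrintWriter out = new PrintWriter(s.getOutputStream(), true)) {
            s.setSoTimeout(IDLE_TIMEOUT_MS);
            out.print("220 FTP service ready\r\n");
            out.flush();
            String line;
            while ((line = in.readLine()) != null) {
                String clean = sanitize(line);
                log(peer + " sent: " + clean);
                String reply = replyFor(clean);
                out.print(reply + "\r\n");
                out.flush();
                if (reply.startsWith("221")) {
                    break;
                }
            }
        } catch (IOException e) {
            log(peer + " closed: " + e.getMessage()); // includes the idle timeout
        }
    }

    public static void main(String[] args) throws IOException {
        int port = args.length > 0 ? Integer.parseInt(args[0]) : 2121; // port 21 needs administrator rights
        try (ServerSocket server = new ServerSocket(port)) {
            log("honeypot listening on port " + port);
            while (true) {
                Socket c = server.accept();
                new Thread(new FtpHoneypot(c)).start(); // one thread per client, as in the report
            }
        }
    }
}
```

Two details matter for a honeypot that will be exposed to hostile input: every received line is sanitized before it is logged, so an attacker cannot inject fake records or terminal control sequences into the log, and the idle timeout plus line cap keep one client from holding a thread or filling the disk indefinitely.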

4.5 HOW INFORMATION IS GOING TO BE STORED?

The storage of information is the most important part of any application in the network security domain. According to the system requirements, the system should be able to store the captured information on the local machine as well as on a remote database. There are two separate modules to achieve this task. The first module stores the captured information locally on the local machine as a text format document, which can easily be read by the user. The other module stores the captured information on the remote database, which will be running on MongoDB.

The code for the module which stores captured information locally:

    String CaptureData = TA_OUTPUT.getText();   // text currently shown in the capture output area
    try {
        // file is named after the day of the month (Date.getDate()), e.g. DEFAULT_LOG_DIR/17.log
        File Data = new File(DEFAULT_LOG_DIR, new Date().getDate() + ".log");
        FileOutputStream datastream = new FileOutputStream(Data);
        PrintStream out = new PrintStream(datastream);
        out.print(CaptureData);
        out.close();
        datastream.close();
        System.out.println("Saving........from CaptureData function");
    } catch (Exception e) {
        e.printStackTrace();
    }

The second module stores the captured information on the MongoDB server, which runs locally on port 27017:

    String CaptureData = TA_OUTPUT.getText();
    try {
        MongoClient mongoclient = new MongoClient("localhost", 27017);
        DB db = mongoclient.getDB("_tep");             // database name used by the application
        System.out.println("Connect to database successfully");
        DBCollection coll = db.getCollection("mycol");
        System.out.println("capture data" + CaptureData);
        BasicDBObject document = new BasicDBObject();
        document.put("first", CaptureData);            // whole capture text stored in one field
        coll.insert(document);
        System.out.println("DONE");
    } catch (Exception e) {
        e.printStackTrace();
    }

The above code stores the captured information in the MongoDB collection named mycol.
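The local-file module above names its file after Date.getDate(), which is only the day of the month, and opens it with a plain FileOutputStream, so a second save on the same day, or on the same day of the next month, overwrites the earlier capture. The following added example (not the report's code) writes one record per captured packet to a file named with the full date in append mode, tab separated so that third-party utilities can parse it, and includes a small reader that counts records per source address, the kind of routine the requirements list under analyzing log files. The CaptureLog class, its field layout and the sample addresses are constructed for this example.

```java
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.FileWriter;
import java.io.IOException;
import java.io.PrintWriter;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

// Added example (not the report's code): a per-day capture log that is
// appended to rather than overwritten, plus a reader that summarises it.
public final class CaptureLog {

    private final File dir;

    public CaptureLog(File dir) {
        this.dir = dir;
    }

    /** One file per calendar day; the full date avoids the monthly name clash of Date.getDate(). */
    File fileForToday() {
        String day = new SimpleDateFormat("yyyy-MM-dd").format(new Date());
        return new File(dir, "capture-" + day + ".log");
    }

    /** Appends one record; fields are tab separated so third-party tools can split them. */
    public void append(String srcIp, String dstIp, String proto, int dstPort, int length) throws IOException {
        if (!dir.isDirectory() && !dir.mkdirs()) {
            throw new IOException("cannot create log directory " + dir);
        }
        String ts = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss").format(new Date());
        try (PrintWriter out = new PrintWriter(new FileWriter(fileForToday(), true))) { // true = append
            out.println(ts + "\t" + srcIp + "\t" + dstIp + "\t" + proto + "\t" + dstPort + "\t" + length);
        }
    }

    /** Reads a log back and counts records per source IP (an "analyze log files" routine). */
    public static Map<String, Integer> countBySource(File log) throws IOException {
        Map<String, Integer> counts = new HashMap<String, Integer>();
        try (BufferedReader in = new BufferedReader(new FileReader(log))) {
            String line;
            while ((line = in.readLine()) != null) {
                String[] f = line.split("\t");
                if (f.length < 6) {
                    continue; // skip malformed lines instead of crashing the analysis
                }
                Integer c = counts.get(f[1]);
                counts.put(f[1], c == null ? 1 : c + 1);
            }
        }
        return counts;
    }

    public static void main(String[] args) throws IOException {
        CaptureLog log = new CaptureLog(new File(System.getProperty("java.io.tmpdir"), "ids-logs"));
        // Constructed sample records (documentation addresses), not real captures.
        log.append("192.0.2.10", "192.0.2.1", "TCP", 23, 60);
        log.append("192.0.2.10", "192.0.2.1", "TCP", 22, 60);
        log.append("198.51.100.7", "192.0.2.1", "UDP", 53, 80);
        System.out.println(countBySource(log.fileForToday()));
    }
}
```

Opening the file once per record is deliberate here: the report's capture thread writes "from time to time", and reopening in append mode means a crash between writes loses at most one line rather than the whole day's log.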

MongoDB is a cross-platform document oriented database. Classified as a NoSQL database, MongoDB eschews the traditional table-based relational database structure in favor of JSON-like documents with dynamic schemas (MongoDB calls the format BSON), making the integration of data in certain types of applications easier and faster. [NR11]

4.6 TECHNOLOGIES

This project is based on Java technology, so various Java based libraries were analyzed in order to achieve the intrusion detection function. Libraries like Jpcap and JNetPcap allow us to capture packets in real time. They also provide support for network protocols, packet decoding and remote capture, and features like dumping captured packets to an offline file, transmitting packets on the network, etc.

Jpcap is an open source Java network packet capture library which is based on the libpcap and WinPcap libraries, and it is used with Java to capture and display network traffic on Windows as well as Linux computers.

Libpcap: an open source packet capture library which originally came from tcpdump. tcpdump uses a filtering model where you specify a filter in a high level language; a compiler translates the high level language into low level code, this code is downloaded into the kernel and attached to the network driver, and when a network packet arrives on the network interface the code is run against it, captures the stuff you want and sends it up the stack.

WinPcap: the Windows version of the libpcap library. It also includes a driver to support capturing packets. It is just a tcpdump implementation for Windows machines. [NR12]

Library Used

Jpcap library: an open source network packet capture library which is based on the libpcap and WinPcap libraries. Jpcap captures Ethernet, TCP, UDP, IPv4, IPv6, ARP and ICMPv4 packets and analyzes each packet's header and payload. The Packet class in Jpcap is used to access packet field information and data. [1]

JpcapCaptor class: for capturing and filtering packets.

Java Runtime class: to execute Windows network shell (netsh) commands.

Mongo driver: to connect the main application with the MongoDB server.
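The JpcapCaptor and Packet classes listed above, shown in an added example of a capture module; this is not the report's own code. It lists the interfaces, opens the one chosen, applies a BPF filter, prints each TCP packet, and adds one simple detection rule: an alert when a single source sends SYN packets to many distinct local ports during the capture session. The CaptureModule class, the SWEEP_THRESHOLD value, the packet count and the rule itself are this example's choices; the Jpcap calls (getDeviceList, openDevice, setFilter, processPacket) and the TCPPacket fields are Jpcap's public API.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import jpcap.JpcapCaptor;
import jpcap.NetworkInterface;
import jpcap.PacketReceiver;
import jpcap.packet.Packet;
import jpcap.packet.TCPPacket;

// Added example (not the report's code): list interfaces, capture TCP on the
// chosen one with Jpcap, and alert when one source sends SYNs to many distinct
// ports within the capture window (a simple port-sweep detection rule).
public class CaptureModule implements PacketReceiver {

    /** Distinct destination ports from one source that count as suspicious (tunable). */
    static final int SWEEP_THRESHOLD = 20;
    /** Packets to capture before stopping; -1 would run until captor.close(). */
    static final int PACKETS_TO_CAPTURE = 1000;

    private final Map<String, Set<Integer>> synPorts = new HashMap<String, Set<Integer>>();
    private final Set<String> alerted = new HashSet<String>();

    /** Records one SYN; returns true the first time a source crosses the threshold. */
    boolean recordSyn(String srcIp, int dstPort) {
        Set<Integer> ports = synPorts.get(srcIp);
        if (ports == null) {
            ports = new HashSet<Integer>();
            synPorts.put(srcIp, ports);
        }
        ports.add(dstPort);
        return ports.size() >= SWEEP_THRESHOLD && alerted.add(srcIp);
    }

    @Override
    public void receivePacket(Packet packet) {
        if (!(packet instanceof TCPPacket)) {
            return; // the "tcp" filter should already exclude these
        }
        TCPPacket tcp = (TCPPacket) packet;
        String src = tcp.src_ip.getHostAddress();
        System.out.println(src + ":" + tcp.src_port + " -> "
                + tcp.dst_ip.getHostAddress() + ":" + tcp.dst_port + " len=" + packet.len);
        // A SYN without ACK is a new connection attempt; count distinct ports per source.
        if (tcp.syn && !tcp.ack && recordSyn(src, tcp.dst_port)) {
            System.out.println("ALERT: " + src + " sent SYNs to " + SWEEP_THRESHOLD
                    + " or more distinct ports");
        }
    }

    public static void main(String[] args) throws Exception {
        NetworkInterface[] devices = JpcapCaptor.getDeviceList();
        for (int i = 0; i < devices.length; i++) {
            System.out.println(i + ": " + devices[i].name + " (" + devices[i].description + ")");
        }
        int index = args.length > 0 ? Integer.parseInt(args[0]) : 0;
        // snaplen 65535, promiscuous off (host based: this machine's traffic only), 20 ms read timeout
        JpcapCaptor captor = JpcapCaptor.openDevice(devices[index], 65535, false, 20);
        captor.setFilter("tcp", true); // BPF filter compiled by libpcap/WinPcap
        captor.processPacket(PACKETS_TO_CAPTURE, new CaptureModule());
        captor.close();
    }
}
```

Opening the capture device requires WinPcap (or libpcap) and administrator rights, as the report's hardware and software chapter notes. The threshold is a starting point only; a real deployment would reset the per-source table on a timer so that a long-running capture does not eventually flag a busy but legitimate client.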

4.7 APPLICATION DOMAIN

The main application domain of this application is network security. This application provides the combined features of intrusion detection, a firewall as prevention, and a honeypot for collecting information about hackers.

It captures packets from the specific network interface on the host machine. A host based system runs on an individual host or device on the network. It monitors inbound and outbound packet network traffic for the particular device only (the core domain is network security). The firewall part allows the creation of a set of rules for the host machine to control the inbound and outbound network traffic. The honeypot part is a separate application which runs within the same application and pretends to be an actual computer system or resource, allowing hackers to attack it and capturing their information.

CHAPTER 5 REQUIREMENTS

Requirements for final application

The requirement is to make a complete IDS with the following functionality:

- System shall have a proper GUI for user interaction.
- System shall be able to list all the available network interfaces on the host machine.
- System shall be able to select a particular interface for packet capture.
- System shall capture packets (inbound and outbound flow) from the selected network interface.
- System shall be able to scan TCP and UDP ports and display which ports are open.
- System shall dump (store) the captured information in a particular file format.
- System shall allow the administrator to define rules like port blocking or filtering of a particular type of port.
- System shall connect to a NoSQL database to store every file.
- System shall provide routines to analyze log files.
- System shall be tested using the JUnit tool.
- System shall have a honeypot implementation with the IDS.

[Note: represents the functionality included in the working application]

CHAPTER 6 ARCHITECTURE

This section describes the architecture of the complete system. The system is broken into a number of modules and the modules are broken further into units. Each unit for a particular module is developed separately, the units are gathered to create the particular module, and this module is then executed in the development environment.

Intrusion Detection System with Honeypot Plus has five main modules which make up the complete system. Each module has a unique functionality; the interface module displays the number of interfaces on the host machine (all types of network cards) and allows the user or administrator to select an interface to capture packets from the live network.

[Figure: Basic process flow for Packet Capture Module]

[Figure: Basic process flow for Prevention Module]

[Figure: Basic process flow for Honeypot Module]

Page 25: Akash final-year-project report

CHAPTER 7 APPLICATION DESIGN

This section provides an overview of the application design process. It covers the pre-design decisions and the relevant design decisions. This section also describes the programming language chosen for development and the environment used for development, and then provides details of the main design decisions, which include the multi-threading design of the programs and the logging of information as a text file. This section also includes the decision on the NoSQL database selection.

7.1 DEVELOPMENT LANGUAGE

We chose Java as the development language for specific reasons. The primary reason is that we are very familiar with Java through our previous coursework and working experience, which enables us to focus our time on design and development, as Java provides a rich set of library classes to build a good GUI. Secondly, Java provides a stable and easy to use high level sockets implementation, so we do not have to learn low-level socket programming and can concentrate on design and development. Finally, Java provides an excellent thread library, which makes the application multithreaded and eases the implementation of the honeypot and other units in the application as a multi-threaded application.

7.2 INTEGRATED DEVELOPMENT ENVIRONMENT (IDE)

An IDE is an application that provides software developers with an environment that eases tasks related to software programming and development. We chose Eclipse 4.4 (Luna) as the IDE in which we developed the Java application project. Eclipse is a free and open source product and is supported by the Athlone Institute of Technology. It provides all the features of a modern IDE such as code completion, refactoring and package management. Eclipse also has built-in support for Java documentation, which allowed easy generation of source code documentation. We are closely familiar with the Eclipse environment through coursework, allowing us to start programming without the learning curve associated with an unfamiliar IDE.

7.3 MAJOR DESIGN DECISIONS WHILE CODING APPLICATION

We have outlined our design decisions while coding the INTRUSION DETECTION SYSTEM with HONYPOTPLUS application. The outcome of each decision is mentioned below with details of how we took that decision. The main idea behind these decisions is to create a simple, yet extendable application. The honeypot servers are quite capable of serving multiple clients at the same time.


Multi-threading

Multi-threading has played the most important role in the application. Firstly, it is used in the capture module, where the application uses multithreading to capture the continuous incoming and outgoing packets from the network interface. Multithreading is also used while writing the honeypot servers; both servers in the application are multithreaded, which means the servers have the capacity to serve more than one client at the same time. Both servers in the application support multiple connections in order to increase their usefulness as a honeypot.

[Figure: Fig 5.1 Two clients connecting on the same port]

7.4 LOGGING TO PLAIN TEXT FILE ON LOCAL MACHINE

One feature of this application is that it stores log files as text documents in a local directory and updates them from time to time. We decided to store logs as plain text documents to allow the end user to easily read them and to allow parsing by third-party utilities. Here also multithreading has been used in order to update the file with information from time to time.

7.5 LOGGING TO PLAIN TEXT DOCUMENT ON MONGODB DATABASE

Another feature of this application is that it can store the information in a MongoDB database on the MongoDB server, and update the information from time to time. We decided to store logs as Mongo documents to allow the end user to easily read them and to allow parsing by third-party utilities. Here also multithreading has been used in order to update the stored information from time to time.


CHAPTER 8 IMPLEMENTATION FEATURES

Intrusion Detection System with Honeypot Plus supports the following features.

Graphical Interface - Intrusion Detection System with Honeypot Plus provides a simple GUI that allows the user to control the application.

List the network interfaces - The application displays the network interfaces on the host machine, and the user can select the interface from which packets are to be captured.

Captures packets on the selected interface - Packets are captured from the selected interface, and their information is displayed in the application's display area.

Displays captured packet information - The application extracts the contents of each captured packet and presents them in the display area so that the user can read them easily.

List the open ports on the machine - The application also performs a port scan of the host machine and displays information about all the TCP and UDP ports on the machine, including which ports are listening.


Prevention - The prevention module in the application is in fact a firewall; it allows the user to set rules for the host operating system. The user can create a rule such as "block TCP port 23": this rule blocks port 23, so no application on that port can communicate further. Communication on the port becomes possible again only when the administrator deletes the rule using the unblock feature provided in the application.

Logging - Intrusion Detection System with Honeypot Plus creates a log file for the information captured while the application is running. These logs are stored locally in the C:/Temp folder. The file format is plain text, so that the user can easily read the captured information. The name of the log file is assigned automatically by the application, which uses the time and date as the file name; this naming scheme allows the administrator to identify a particular log file by its date.

Remote logging - Intrusion Detection System with Honeypot Plus also has an additional feature for storing the log on a remote server. This module allows the application to store the captured information in a remote NoSQL database on a MongoDB server. The information is stored in MongoDB in the form of documents. The main advantage of using MongoDB is its scalability: it is highly scalable and can easily handle large data sets, and the application does not need local storage for the log files. Storing the captured information on the Mongo server also provides an extra backup of the files, and the administrator can easily retrieve all files from the Mongo server.


Honeypot Plus - This module of the Intrusion Detection System with Honeypot Plus application allows the administrator to host a fake FTP or IRC server on the host operating system. These servers run in a virtual machine but pretend to be, and behave like, an actual server; a client connected to one of them cannot tell that it is interacting with a fake system rather than a real one. These servers host only those services which are set by the application programmer or the application administrator, so there is no chance that a hacker can obtain more information than is provided. This module also displays the number of hackers connected to the honeypot.

No limit to the number of clients connected to the Honeypot - Both honeypot servers, the Honeypot FTP Server and the Honeypot IRC Server, have a multi-threaded design, so that each can listen for connections and talk with any number of hackers simultaneously.


CHAPTER 9 TESTING AND EVALUATION

Intrusion Detection System with Honeypot Plus was developed using an incremental development approach, in which a number of units are created, the units are integrated to create modules, and finally the modules are combined to create the complete system. Various testing techniques were employed to test the system.

Unit Testing - Intrusion Detection System with Honeypot Plus is developed in small units, each of which contains a specific piece of functionality for the overall system. The best example of a unit is the function written for a button click. Each unit is tested as a Java console application in order to verify that it produces the proper output, and every unit is tested separately. This approach is taken in order to find bugs hidden in the code at an early stage, and it also simplifies debugging. Individual pieces of code are tested before integration.

Integration Testing - Units are combined to make a module; a module is a collection of units which work together to achieve a specific piece of functionality in the system. Intrusion Detection System with Honeypot Plus is divided into, and developed as, modules, and each module is tested separately. The best examples of modules in this system are the capture module, the save module and the port scanning module. A bottom-up approach is taken to integration testing: development and testing are done together, so that the application becomes efficient as per the requirements. Each module is tested as soon as it is created, without waiting for the other modules to be built.

System Testing - In this stage all the modules are integrated to make the whole system. It is the final stage of testing, where all functional and non-functional testing is done. All the modules are interfaced with each other to make the complete system. The main idea behind this testing is to test the behaviour of the whole application as defined in the scope and the requirement specifications. It also shows how the system interacts with the host operating system.

Bug Found

The major bug currently in the system, found during system testing, is that the other components of the system freeze when the honeypot server component is executed. Running the honeypot server freezes the rest of the system; the honeypot component itself keeps running and keeps updating its contents on the application GUI, but the other components stop updating and the system goes into a frozen state.


CHAPTER 10 CONCLUSION

In conclusion, as we know, network services are increasing day by day, which increases the number of servers and computing devices on the network that support internet services. It is very important for any organization to protect and secure its servers from attackers and hackers. An intrusion detection system is the most common approach to protecting network resources. Intrusion detection systems are used worldwide by network administrators to monitor network traffic in order to find unauthorized activity on their networks. It is also important to improve the prevention mechanism in order to make the system, as well as the network, better protected. The firewall feature must be improved to deal with new and emerging types of threats.

We also know that, because of technological advancement, network connections today are encrypted, and the encryption mechanisms keep increasing. Intrusion detection systems are unable to monitor such encrypted connections; to overcome this problem honeypots come to help, and they can be taken as an alternative to intrusion detection systems for locating the source of malicious and unauthorized traffic to the network.

Honeypots are a new approach to network security and are advancing in the field of network security.

The final software product of this project is the combination of three different network security tools, in order to improve network security to the highest level. The final outcome of this project demonstrates that it is possible to combine various functionalities, architectures and concepts of network security to develop an application which provides maximum functionality to the network security domain.

Intrusion Detection System with Honeypot Plus is a tool which provides packet inspection, control over the network traffic, and spying subsystems which can collect information about hackers, allowing network administrators to protect the network in more advanced ways.




APPENDIX 1

Capture_GUI.java is the main class, which is initialised first when the application is executed. This class contains the functions and methods that call the other classes in order to perform specific functions. The excerpt below shows the action handlers and the functions they call; the fields they use (the text areas TA_OUTPUT and TA_PORT, the text fields TF_SelectInterface, TF_PortBlock and TF_PortUNBlock, the combo boxes, the labels, MainWindow, network_interface, INDEX, COUNTER, CaptureState, CAP, CAPTAIN, honeyftp, ADDRE, new_ip and DEFAULT_LOG_DIR) are declared elsewhere in the class, as are CaptureThread, PacketContents and HoneypotServerIRC.

    // Imports for the classes this excerpt references (Jpcap, the MongoDB Java driver and the project's own packages).
    import java.awt.event.ActionEvent;
    import java.io.BufferedReader;
    import java.io.File;
    import java.io.FileOutputStream;
    import java.io.IOException;
    import java.io.InputStreamReader;
    import java.io.PrintStream;
    import java.text.SimpleDateFormat;
    import java.util.Date;
    import javax.swing.JOptionPane;
    import jpcap.JpcapCaptor;
    import jpcap.NetworkInterface;
    import jpcap.NetworkInterfaceAddress;
    import com.mongodb.BasicDBObject;
    import com.mongodb.DB;
    import com.mongodb.DBCollection;
    import com.mongodb.MongoClient;
    import firewall.BlockPort;
    import firewall.UNBlock;
    import honeypotServer.HoneypotServer;

    //------------------------------------------------------- actions -------------------------------------------------------
    public void Action_B_CAPTURE(ActionEvent X) {
        TA_OUTPUT.setText("");
        CaptureState = true;
        CapturePackets();
    }

    public void Action_B_LIST(ActionEvent X) {
        ListNetworkInterfaces();
        TF_SelectInterface.requestFocus();
    }

    public void Action_B_SELECT(ActionEvent X) {
        ChooseInterface();
    }

    public void Action_B_STOP(ActionEvent X) {
        CaptureState = false;
        CAPTAIN.finished();
    }

    public void Action_B_PORT(ActionEvent X) {
        PortScanner();
    }

    public void Action_B_SAVE(ActionEvent X) {
        // CaptureData();
        SaveCapture();
    }

    public void Action_B_SAVELOCAL(ActionEvent X) {
        // CaptureData();
        CaptureDataLocal();
    }

    public void Action_B_PORTBLOCK(ActionEvent X) {
        BlockPortSytem();
    }

    public void Action_B_PORTUNBLOCK(ActionEvent X) {
        UNBlockPortSytem();
    }

    public void Action_B_HONEYSTART(ActionEvent X) throws IOException {
        HONEYSTART();
    }

    public void Action_B_HONEYSTOP(ActionEvent X) throws IOException {
        // new HoneypotServer().StopServer();
    }

    public void Action_B_HONEYSTARTIRC(ActionEvent X) throws IOException {
        HONEYSTARTIRC();
    }

    public void Action_B_HONEYSTOPIRC(ActionEvent X) {
    }

    //------------------ functions ------------

    // Lists every capture interface Jpcap reports, with its data-link type and addresses.
    public void ListNetworkInterfaces() {
        try {
            network_interface = JpcapCaptor.getDeviceList();
            TA_OUTPUT.setText("");
            COUNTER = 0; // reset so that listing twice does not double the interface count used by ChooseInterface()
            for (int i = 0; i < network_interface.length; i++) {
                TA_OUTPUT.append("\n\n********************************************************Interface " + i
                        + " Info*******************************************************");
                TA_OUTPUT.append("\nInterface Number: " + i);
                TA_OUTPUT.append("\nDescription : " + network_interface[i].name + "("
                        + network_interface[i].description);
                TA_OUTPUT.append("\nDataLink Name : " + network_interface[i].datalink_name + "("
                        + network_interface[i].datalink_description + ")");
                // The header of this inner loop is missing from the transcript; Jpcap exposes the
                // addresses of an interface as a NetworkInterfaceAddress[] named addresses.
                for (NetworkInterfaceAddress INT : network_interface[i].addresses) {
                    TA_OUTPUT.append("\nIP Address1 : " + INT.address);
                    TA_OUTPUT.append("\nSubnet : " + INT.subnet);
                    ADDRE = INT.address.toString();
                    System.out.println(ADDRE);
                    new_ip = ADDRE.replaceAll("/", "");
                    System.out.println(new_ip);
                }
                COUNTER++;
            }
        } catch (Exception e) {
            System.out.println(e);
        }
    }

    //----------------------------------------------------------------------------------
    // Takes the interface number typed by the user; only indices listed by ListNetworkInterfaces() are accepted.
    public void ChooseInterface() {
        int Temp = Integer.parseInt(TF_SelectInterface.getText());
        if (Temp > -1 && Temp < COUNTER) {
            INDEX = Temp;
            // EnableButtons();
        } else {
        }
        TF_SelectInterface.setText("");
    }

    //--------------------------------------------------------------------------------
    // Runs the capture loop in a background CaptureThread so the GUI stays responsive.
    public void CapturePackets() {
        CAPTAIN = new CaptureThread() {
            @Override
            public Object construct() {
                TA_OUTPUT.setText("\nNow capturing on interface : " + INDEX + "..."
                        + "\n------------------------------------------------------------"
                        + "--------------------------------------------------\n\n");
                try {
                    CAP = JpcapCaptor.openDevice(network_interface[INDEX], 65535, false, 20);
                    // CAP.setFilter("ip", true);
                    while (CaptureState) {
                        CAP.processPacket(1, new PacketContents());
                    }
                    CAP.close();
                } catch (Exception e) {
                    // TODO: handle exception
                    System.out.println(e);
                }
                return 0;
            }

            public void finished() {
                this.interrupt();
            }
        };
        CAPTAIN.start(); // the transcript reads "strat()"
    }

    //-----------------------------------------------------
    // "Port scanning" of the host: runs netstat -a and copies its output into the port text area.
    public void PortScanner() {
        try {
            String command = "netstat -a";
            System.out.println(command);
            String line;
            Process p = Runtime.getRuntime().exec(command);
            BufferedReader bri = new BufferedReader(new InputStreamReader(p.getInputStream()));
            BufferedReader bre = new BufferedReader(new InputStreamReader(p.getErrorStream()));
            while ((line = bri.readLine()) != null) {
                TA_PORT.append(line + "\n");
            }
            bri.close();
            while ((line = bre.readLine()) != null) {
                TA_PORT.append(line + "\n");
            }
            bre.close();
            p.waitFor();
        } catch (Exception err) {
            err.printStackTrace();
        }
    }

    //-----------------------------------------------------
    // Saves the capture text to MongoDB three times, ten seconds apart, on its own thread.
    public void SaveCapture() {
        Thread t1 = new Thread(new Runnable() {
            @Override
            public void run() {
                for (int i = 1; i <= 3; i++) {
                    System.out.println("Saving from SaveThread class..... ");
                    CaptureData();
                    try {
                        Thread.sleep(10000);
                    } catch (Exception ex) {
                        ex.printStackTrace();
                    }
                }
            }
        });
        t1.start();
    }

    //-----------------------------------------------------
    public void BlockPortSytem() {
        String num = TF_PortBlock.getText().toString();
        String protocol = (String) comboBox.getSelectedItem();
        BlockPort block = new BlockPort(num, protocol);
    }

    //----------------- UNBLOCK FUNCTION ---------------------
    public void UNBlockPortSytem() {
        String num = TF_PortUNBlock.getText().toString();
        String protocol = (String) comboBox_UN.getSelectedItem();
        UNBlock unblock = new UNBlock(num, protocol);
    }

    //----------------------- HONEYPOT on FTP ------------------------
    public void HONEYSTART() {
        honeyftp = new Thread(new Runnable() {
            @Override
            public void run() {
                try {
                    new HoneypotServer().runServer();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        });
        honeyftp.start();
        // HoneypotServer h1 = new HoneypotServer();
        JOptionPane.showMessageDialog(MainWindow, "HoneyServer Started");
    }

    //----------------------- HONEYPOT on IRC ------------------------
    public void HONEYSTARTIRC() {
        Thread t2 = new Thread(new Runnable() {
            @Override
            public void run() {
                try {
                    new HoneypotServerIRC().runServer();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        });
        t2.start();
        JOptionPane.showMessageDialog(MainWindow, "HoneyServerIRC Started");
    }

    //-----------------------------------------------------
    // Remote logging: inserts the whole capture text area as one document into MongoDB.
    public static void CaptureData() {
        String CaptureData = TA_OUTPUT.getText();
        try {
            MongoClient mongoclient = new MongoClient("localhost", 27017);
            DB db = mongoclient.getDB("_tep");
            System.out.println("Connect to database successfully");
            /* a file into mongo db using grid fs */
            DBCollection coll = db.getCollection("mycol");
            System.out.println("capture data" + CaptureData);
            BasicDBObject document = new BasicDBObject();
            document.put("first", CaptureData);
            coll.insert(document);
            mongoclient.close(); // release the connection; the transcript never closed it
            System.out.println("DONE");
        } catch (Exception e) {
            // TODO: handle exception
            e.printStackTrace();
        }
    }

    //---------------------- saving data on local machine
    public static void CaptureDataLocal() {
        String CaptureData = TA_OUTPUT.getText();
        try {
            // The transcript used new Date().getDate(), which yields only the day of the month;
            // a full date-and-time stamp is what the file naming described in chapter 8 requires.
            String stamp = new SimpleDateFormat("yyyy-MM-dd_HH-mm-ss").format(new Date());
            File Data = new File(DEFAULT_LOG_DIR, stamp + ".log");
            FileOutputStream datastream = new FileOutputStream(Data);
            PrintStream out = new PrintStream(datastream);
            out.print(CaptureData);
            out.close();
            datastream.close();
            System.out.println("Saving........from CaptureData function");
        } catch (Exception e) {
            // TODO: handle exception
            e.printStackTrace();
        }
    }

    //------------------- data in xml format (despite the name, writes the plain capture text to OutPut.txt)
    public static void CaptureDataXML() {
        String CaptureData = TA_OUTPUT.getText();
        try {
            File Data = new File("OutPut.txt");
            FileOutputStream datastream = new FileOutputStream(Data);
            PrintStream out = new PrintStream(datastream);
            out.print(CaptureData);
            out.close();
            datastream.close();
            System.out.println("Saving........from CaptureData function");
        } catch (Exception e) {
            // TODO: handle exception
            e.printStackTrace();
        }
    }

    //------------------- number of connections, shown on the honeypot labels
    public void setNumberConnections(int newNum) {
        System.out.println("reached here");
        L_HACKERCONNECTED.setText("Hackers connected: " + newNum);
    }

    public void setNumberConnectionsIRC(int newNum) {
        System.out.println("reached here");
        L_HACKERCONNECTED1.setText("Hackers connected: " + newNum);
    }

APPENDIX 2

PortBlock.java (class BlockPort) is the class which enables the application to set rules that block certain ports.

    package firewall;

    import java.io.BufferedReader;
    import java.io.InputStreamReader;

    public class BlockPort {
        public String port;
        public String protocol;

        // Adds an inbound block rule named Block<protocol><port> through netsh.
        // The port number and protocol arrive exactly as typed in the GUI and are
        // concatenated into the command line without validation.
        public BlockPort(String num, String pro) {
            this.port = num;
            this.protocol = pro;
            try {
                String line;
                Process p = Runtime.getRuntime().exec("netsh advfirewall firewall add rule name=Block" + pro + num
                        + " protocol=" + pro + " dir=in localport=" + num + " action=block");
                BufferedReader bri = new BufferedReader(new InputStreamReader(p.getInputStream()));
                BufferedReader bre = new BufferedReader(new InputStreamReader(p.getErrorStream()));
                while ((line = bri.readLine()) != null) {
                    System.out.println(line);
                }
                bri.close();
                while ((line = bre.readLine()) != null) {
                    System.out.println(line);
                }
                bre.close();
                p.waitFor();
                System.out.println("Done. rule set");
            } catch (Exception err) {
                err.printStackTrace();
            }
        }
    }

APPENDIX 3

UNBlock.java is the class which enables the application to delete the rules set by the BlockPort class.

    package firewall;

    import java.io.BufferedReader;
    import java.io.InputStreamReader; // missing from the transcript; needed by the readers below

    public class UNBlock {
        public String port;
        public String protocol;

        // Deletes the rule BlockPort created, matching it by the same Block<protocol><port> name.
        public UNBlock(String num, String pro) {
            this.port = num;
            this.protocol = pro;
            try {
                String line;
                Process p = Runtime.getRuntime().exec("netsh advfirewall firewall delete rule name=Block" + pro + num);
                BufferedReader bri = new BufferedReader(new InputStreamReader(p.getInputStream()));
                BufferedReader bre = new BufferedReader(new InputStreamReader(p.getErrorStream()));
                while ((line = bri.readLine()) != null) {
                    System.out.println(line);
                }
                bri.close();
                while ((line = bre.readLine()) != null) {
                    System.out.println(line);
                }
                bre.close();
                p.waitFor();
                System.out.println("Done. rule Deleted");
            } catch (Exception err) {
                err.printStackTrace();
            }
        }
    }
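The prevention feature of chapter 8 and the BlockPort and UNBlock classes above build the netsh command by concatenating whatever the user typed into the port field and the protocol box. The following is an added example, not the report's own code, of the same add-rule and delete-rule commands with the two inputs validated first (a protocol of TCP or UDP, a port in 1..65535) and the command handed to ProcessBuilder as an argument list, so that stray characters in the port field cannot become extra netsh arguments. The Block<protocol><port> rule-name convention is taken from the report; the --apply flag and the sample inputs in main are this example's own.

```java
// Added example: validated construction of the netsh firewall rule commands used by the prevention module.
// Assumptions: rule names follow the report's Block<protocol><port> convention; "--apply" is a placeholder flag.
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

public final class FirewallRule {
    public enum Protocol { TCP, UDP }

    private final Protocol protocol;
    private final int port;

    private FirewallRule(Protocol protocol, int port) {
        this.protocol = protocol;
        this.port = port;
    }

    /** Parses the two GUI inputs; anything that is not a known protocol and a valid port is rejected. */
    public static FirewallRule parse(String protocolText, String portText) {
        Protocol proto;
        try {
            proto = Protocol.valueOf(protocolText.trim().toUpperCase(Locale.ROOT));
        } catch (IllegalArgumentException e) {
            throw new IllegalArgumentException("protocol must be TCP or UDP, got: " + protocolText);
        }
        int p;
        try {
            p = Integer.parseInt(portText.trim());   // a port field containing anything but digits fails here
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("port must be a number, got: " + portText);
        }
        if (p < 1 || p > 65535) {
            throw new IllegalArgumentException("port out of range: " + p);
        }
        return new FirewallRule(proto, p);
    }

    public String ruleName() {
        return "Block" + protocol + port;
    }

    /** netsh advfirewall firewall add rule name=... protocol=... dir=in localport=... action=block, as argv. */
    public List<String> addCommand() {
        return Arrays.asList("netsh", "advfirewall", "firewall", "add", "rule",
                "name=" + ruleName(), "protocol=" + protocol, "dir=in",
                "localport=" + port, "action=block");
    }

    /** netsh advfirewall firewall delete rule name=..., as argv. */
    public List<String> deleteCommand() {
        return Arrays.asList("netsh", "advfirewall", "firewall", "delete", "rule", "name=" + ruleName());
    }

    /** Runs one command and echoes its output; returns the exit status. Needs Windows and administrator rights. */
    public static int run(List<String> command) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(command).redirectErrorStream(true).start();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
            String line;
            while ((line = r.readLine()) != null) {
                System.out.println(line);
            }
        }
        return p.waitFor();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one valid pair, one port field carrying extra text, one unsupported protocol.
        String[][] inputs = { {"TCP", "23"}, {"TCP", "23 action=allow"}, {"ICMP", "80"} };
        boolean apply = args.length > 0 && args[0].equals("--apply");
        for (String[] in : inputs) {
            try {
                FirewallRule rule = FirewallRule.parse(in[0], in[1]);
                System.out.println("would run: " + String.join(" ", rule.addCommand()));
                if (apply) {
                    System.out.println("exit status " + run(rule.addCommand()));
                }
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Without --apply the program only prints the command lines, so it can be run on any platform to see which inputs survive validation; the first pair produces the same rule the report's BlockPort creates, and the other two are rejected before netsh is ever invoked.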

APPENDIX 4

HoneypotServer.java is the class which provides the honeypot feature to the application.

    package honeypotServer;

    import java.io.IOException;
    import java.net.ServerSocket;
    import java.net.Socket;
    import gui.Capture_GUI;

    public class HoneypotServer extends Thread {
        Socket clientSocket = null;
        ServerSocket serverSocket = null;
        Capture_GUI gui = new Capture_GUI();
        private int i = 0;

        // Accepts clients on port 23 and hands each one to its own HonetpotServerThread.
        public void runServer() throws IOException {
            try {
                serverSocket = new ServerSocket(23);
                System.out.println("server started....on FTP 23");
                while (true) {
                    clientSocket = serverSocket.accept();
                    new Thread(new HonetpotServerThread(clientSocket)).start();
                    System.out.println("socket connected");
                    incrementConnections();
                }
            } catch (Exception e) {
                // any error silently ends the accept loop
            }
        }

        // Counts connections (never decremented) and pushes the count to the GUI label.
        public void incrementConnections() {
            i++;
            System.out.println("reach");
            if (gui != null) {
                gui.setNumberConnections(i);
                System.out.println("lo");
            }
            System.out.println("executed ");
            System.out.println(i);
        }

        public static void main(String[] args) throws IOException {
            // new HoneypotServer().runServer();
        }
    }

HoneypotServerThread.java

    package honeypotServer;

    import java.io.PrintWriter;
    import java.net.Socket;
    import java.util.Scanner;

    // Package-private: the class name in the report differs from the file name, which a public class would not allow.
    class HonetpotServerThread implements Runnable {
        Socket clientSocket;

        HonetpotServerThread(Socket clientSocket) {
            this.clientSocket = clientSocket;
        }

        // Fake FTP dialogue: answers each line from the client with an FTP-style status code.
        public void run() {
            try {
                Scanner in1 = new Scanner(clientSocket.getInputStream());
                String mes;
                PrintWriter out = new PrintWriter(clientSocket.getOutputStream(), true);
                out.println("220 Service ready for new user.");
                while (true) {
                    if (in1.hasNext()) {
                        mes = in1.nextLine();
                        System.out.println("hacker message :" + mes);
                        if (mes.equals("akash")) {
                            out.println("331 User name ok, need password.");
                        } else if (mes.equals("akashpass")) {
                            out.println("230 User logged in.");
                        } else if (!mes.equals("akashpass")) { // the transcript compared with !=, a reference comparison
                            out.println("501 Syntax error in parameters or arguments.");
                        } else {
                            out.println("332 Need account for login."); // unreachable: the branch above takes every other input
                        }
                    } else {
                        clientSocket.close();
                        break; // without this the loop spins forever on the closed socket
                    }
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
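The multi-threaded honeypot design of section 7.3, the HoneypotServer classes above, and the GUI freeze reported in chapter 9 all meet in the example below, which is added here and is not the report's code. It accepts clients on a bounded thread pool, counts active connections with an AtomicInteger, gives every connection an idle timeout so silent clients cannot hold pool threads forever, logs each command with a timestamp and the peer address, and delivers the count to the Swing label through SwingUtilities.invokeLater, which is the standard rule for touching Swing components from worker threads. The protocol logic lives in a plain static method so it can be unit tested in the console style chapter 9 describes. The listening port 2121, the banner, the pool size, the 60-second timeout and the policy of never granting a login are this example's assumptions; the report's server answers 230 to its own fixed strings.

```java
// Added example: a low-interaction fake FTP listener with a thread pool, idle timeouts, an
// active-connection counter and EDT-safe GUI updates. Port, banner, pool size and timeout are placeholders.
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Locale;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.IntConsumer;
import javax.swing.JLabel;
import javax.swing.SwingUtilities;

public class FtpHoneypot implements Runnable {
    private static final int IDLE_TIMEOUT_MS = 60_000;       // drop silent clients, free the pool thread
    private final int port;
    private final AtomicInteger connections = new AtomicInteger();
    private final ExecutorService pool = Executors.newFixedThreadPool(32); // caps concurrent clients
    private final IntConsumer onCountChanged;                // receives the active-connection count

    public FtpHoneypot(int port, IntConsumer onCountChanged) {
        this.port = port;
        this.onCountChanged = onCountChanged;
    }

    /** Pure protocol logic: no sockets, so it can be unit tested on its own. */
    static String respond(String line) {
        String verb = line.trim().split("\\s+", 2)[0].toUpperCase(Locale.ROOT);
        switch (verb) {
            case "USER": return "331 User name okay, need password.";
            case "PASS": return "530 Login incorrect.";                 // never grants access
            case "QUIT": return "221 Goodbye.";
            case "":     return "500 Syntax error, command unrecognized.";
            default:     return "502 Command not implemented.";
        }
    }

    @Override
    public void run() {
        try (ServerSocket server = new ServerSocket(port)) {
            System.out.println("honeypot listening on port " + port);
            while (!Thread.currentThread().isInterrupted()) {
                Socket client = server.accept();
                onCountChanged.accept(connections.incrementAndGet());
                pool.execute(() -> handle(client));          // one pool task per client
            }
        } catch (IOException e) {
            System.err.println("listener stopped: " + e);
        } finally {
            pool.shutdownNow();
        }
    }

    private void handle(Socket client) {
        String peer = client.getRemoteSocketAddress().toString();
        try (Socket c = client;
             BufferedReader in = new BufferedReader(new InputStreamReader(c.getInputStream(), StandardCharsets.US_ASCII));
             PrintWriter out = new PrintWriter(c.getOutputStream(), true)) {
            c.setSoTimeout(IDLE_TIMEOUT_MS);
            out.print("220 FTP server ready.\r\n");
            out.flush();
            String line;
            while ((line = in.readLine()) != null) {
                // One log line per command: who, when, what. This record is what the honeypot exists for.
                System.out.println(Instant.now() + " " + peer + " > " + line);
                String reply = respond(line);
                out.print(reply + "\r\n");
                out.flush();
                if (reply.startsWith("221")) break;
            }
        } catch (SocketTimeoutException e) {
            System.out.println(Instant.now() + " " + peer + " idle timeout");
        } catch (IOException e) {
            System.out.println(Instant.now() + " " + peer + " " + e);
        } finally {
            onCountChanged.accept(connections.decrementAndGet());
        }
    }

    public static void main(String[] args) {
        JLabel hackersConnected = new JLabel("Hackers connected: 0");
        // Swing components may only be modified on the event dispatch thread, so the pool threads
        // hand the update to invokeLater instead of calling setText themselves.
        FtpHoneypot hp = new FtpHoneypot(2121,
                n -> SwingUtilities.invokeLater(() -> hackersConnected.setText("Hackers connected: " + n)));
        new Thread(hp, "ftp-honeypot").start();
    }
}
```

Running it and connecting with any FTP or telnet client shows the log lines on standard output; because respond() is a static function of the input line alone, a console unit test can check, for instance, that "PASS anything" always yields a 530 reply without opening a socket.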
