Avoiding Cyber-attacks to DMZ and Capturing Forensics from Intruders Using Honeypots

Abstract:
Honeypots are widely used to divert attackers from their intended target and keep them occupied in a decoy environment. The DeMilitarized Zone (DMZ) is a critical network segment for administrators because most services exposed to the public network are hosted there. Firewalls, intrusion detection systems and other security controls can protect the DMZ, but honeypots are a complementary control: they discover attacks and capture forensic evidence against the attackers. A sound way to secure the DMZ is therefore to detect attacks against its servers, divert those intrusions to honeypots, and collect enough forensic evidence about the attackers. This work addresses two problem areas: responding to intrusion attempts and redirecting the intruders to honeypots. The proposed system detects malicious activity with a Network-based Intrusion Detection System (NIDS) and redirects it to a decoy system, which interacts with the attacker and records the attacker's actions as forensic evidence. The performance of the proposed system is measured with three factors: accuracy, false positive rate and true positive rate. In our simulations the accuracy exceeds 99 percent. The false positive rate, the proportion of legitimate traffic wrongly classified as an attack and diverted to the honeypot, is below 0.50 percent; this is the system's failure rate from the point of view of legitimate users, whose connections should reach the protected machine. The true positive rate, the proportion of attacks that are detected and redirected, is 100 percent, so every attack in the simulation was diverted away from the protected machine to the honeypot.
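The abstract describes the detect-and-redirect pipeline only in outline. As an added example, not the paper's own code, the Python below builds a toy version of it: a small rule-based classifier stands in for the NIDS, each connection is routed to either the protected DMZ server or the honeypot, and the three metrics the abstract reports (accuracy, false positive rate, true positive rate) are computed from the resulting confusion matrix. The connection records, the detection rules, the list of ports the DMZ is assumed to expose, and the `Conn`/`classify`/`route`/`metrics` names are all constructed for illustration; real deployments would take the verdict from an IDS such as the NIDS the paper uses and do the redirection in the firewall or a transparent proxy.

```python
"""Toy NIDS-to-honeypot redirection with confusion-matrix metrics.

Added example, not code from the paper. All records, rules and port lists
below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

PROTECTED = "protected"   # the real DMZ server
HONEYPOT = "honeypot"     # the decoy that records the attacker's actions

# Ports the (hypothetical) DMZ is meant to expose: HTTP, HTTPS, SMTP.
EXPOSED_PORTS = {80, 443, 25}


@dataclass(frozen=True)
class Conn:
    src: str
    dst_port: int
    payload: bytes
    syn_rate: int      # SYNs seen from src in the last minute (assumed precomputed)
    malicious: bool    # ground truth from the simulation; used only for scoring


def classify(conn: Conn) -> bool:
    """Return True if the connection looks like an attack.

    These are hypothetical stand-ins for NIDS signatures: a SYN-rate
    threshold, a few payload patterns, and 'unexpected port' for the DMZ.
    """
    if conn.syn_rate > 100:                 # scan / SYN-flood heuristic
        return True
    p = conn.payload.lower()
    if b"../" in p or b"/etc/passwd" in p:  # path traversal
        return True
    if b"' or 1=1" in p or b"union select" in p:  # SQL injection
        return True
    if conn.dst_port not in EXPOSED_PORTS:  # nothing else should be reached
        return True
    return False


def route(conn: Conn) -> str:
    """The redirection decision: flagged traffic goes to the decoy."""
    return HONEYPOT if classify(conn) else PROTECTED


def confusion(conns) -> Counter:
    """Count tp/fp/fn/tn by comparing the verdict with the ground truth."""
    c = Counter()
    for conn in conns:
        flagged = classify(conn)
        if flagged and conn.malicious:
            c["tp"] += 1      # attack correctly diverted to the honeypot
        elif flagged and not conn.malicious:
            c["fp"] += 1      # legitimate user wrongly sent to the honeypot
        elif not flagged and conn.malicious:
            c["fn"] += 1      # attack that reached the protected machine
        else:
            c["tn"] += 1      # legitimate user reached the protected machine
    return c


def metrics(c: Counter):
    """Accuracy, false positive rate and true positive rate from the counts."""
    total = sum(c.values())
    accuracy = (c["tp"] + c["tn"]) / total
    fpr = c["fp"] / (c["fp"] + c["tn"])   # share of legitimate traffic misrouted
    tpr = c["tp"] / (c["tp"] + c["fn"])   # share of attacks caught and diverted
    return accuracy, fpr, tpr


# Constructed sample traffic: six legitimate connections, five attacks.
SAMPLE = [
    Conn("198.51.100.10", 80, b"GET / HTTP/1.1", 2, False),
    Conn("198.51.100.11", 443, b"GET /index.html HTTP/1.1", 1, False),
    Conn("198.51.100.12", 25, b"HELO mail.example.net", 1, False),
    Conn("198.51.100.13", 80, b"GET /search?q=books HTTP/1.1", 4, False),
    # A legitimate forum post that happens to mention SQL: becomes a false positive.
    Conn("198.51.100.14", 80, b"POST /comment HTTP/1.1\r\n\r\nhow do I write UNION SELECT in sql?", 2, False),
    Conn("198.51.100.15", 80, b"GET /images/logo.png HTTP/1.1", 1, False),
    Conn("203.0.113.5", 80, b"GET /../../etc/passwd HTTP/1.1", 3, True),
    Conn("203.0.113.6", 80, b"GET /login?user=admin' OR 1=1-- HTTP/1.1", 2, True),
    Conn("203.0.113.7", 80, b"", 500, True),            # SYN flood
    Conn("203.0.113.8", 22, b"SSH-2.0-masscan", 5, True),  # probe of a non-exposed port
    # A quiet probe of an admin path that no rule covers: a false negative.
    Conn("203.0.113.9", 80, b"GET /wp-admin/ HTTP/1.1", 3, True),
]


if __name__ == "__main__":
    for conn in SAMPLE:
        print(f"{conn.src:>14} :{conn.dst_port:<4} -> {route(conn)}")
    acc, fpr, tpr = metrics(confusion(SAMPLE))
    print(f"accuracy={acc:.3f} fpr={fpr:.3f} tpr={tpr:.3f}")
```

Running it shows why the two rates must be read separately: the false positive rate is about legitimate users being pushed to the decoy (here one of six), while the true positive rate is about attacks reaching the honeypot rather than the protected server (here four of five), and accuracy alone hides which side the errors fall on.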
Language:
English
Published:
Journal of Advances in Computer Research, Volume:3 Issue: 1, Winter 2012
Page:
65
magiran.com/p1069076  