基于蜜罐技术的DDoS攻击防御研究

网络信息技术的高速发展,给我们带来很大便利的同时也伴随了各种信息安全问题,其中DDoS就是一种常见的危害严重且难于预防的网络攻击模式,能够短时间内产生洪峰攻击导致服务器因资源耗尽而终止服务。因此已经成为信息安全研究中亟待解决的难题。基于蜜罐技术的DDoS攻击的防御机制,该机制既不需要动员普通电脑用户参与,也不需要ISP服务商支持与配合,只需添加一个蜜罐服务器即可达到比较理想的防御效果。基于蜜罐技术的DDoS攻击的防御技术的原理是通过重定向器重定向黑客对真实服务器的攻击到蜜罐系统中并由蜜罐记录攻击行为数据,为后续制定防御措施提供重要资料。实验中,通过Honeyd开源软件包搭建了虚拟蜜罐系统用于Web服务器DDoS攻击的防御,并对该模型的工作原理做了详细的介绍。     

基于蜜罐技术的校园网主动式安全防御系统研究

随着如今网络信息技术的日益发展,网络攻击的行为也愈发严重,特别是对校园网的攻击.因此,为了保护校园网的网络安全,应该将蜜罐技术应用到校园网安全防御系统中,以真正起到对校园网的保护作用.基于此,本文就蜜罐技术的校园网主动式的安全防御系统进行了研究,相信对有关方面的需要能有一定的帮助.     

蜜罐技术浅析

本文介绍一个新的主动型的网络安全防御技术:蜜罐。蜜罐是个受到严密监控的网络诱骗系统,能将攻击从网络中比较重要的机器上转移开,对新攻击发出预警,同时可以在黑客攻击蜜罐期间对其的行为和过程进行深入的分析研究。文章对蜜罐技术作了全面的介绍和分析,包括蜜罐的发展历程,蜜罐的定义和分类,蜜罐的安全价值,以及使用蜜罐的缺点和风险。     

基于蜜罐技术的网络安全防御方案研究

蜜罐技术是一种主动防御网络攻击的技术,通过真实的网络系统或模拟真实网络环境的方式为攻击者提供一个网络陷阱,收集和分析流入该系统中数据,从而发现攻击,并保护网络或计算机。但由于蜜罐系统更为显著的作用是检测功能,并不能实现完全防御。该文在简要介绍蜜罐技术的定义、分类和关键技术之后,设计了一种将蜜罐系统与防火墙、入侵检测系统相结合的联动模型。     

基于蜜罐技术的网络安全防御方案研究

蜜罐技术是一种主动防御网络攻击的技术,通过真实的网络系统或模拟真实网络环境的方式为攻击者提供一个网络陷阱,收集和分析流入该系统中数据,从而发现攻击,并保护网络或计算机。但由于蜜罐系统更为显著的作用是检测功能,并不能实现完全防御。该文在简要介绍蜜罐技术的定义、分类和关键技术之后,设计了一种将蜜罐系统与防火墙、入侵检测系统相结合的联动模型。     

蜜罐信息采集技术研究

蜜罐是一种主动防御的网络安全技术,可以吸引黑客的攻击,监视和跟踪入侵者的行为并且记录下来进行分析,从而研究入侵者所使用的攻击工具、策略和方法。本文在分析了蜜罐技术和蜜罐安全价值基础上,详细研究了蜜罐的信息收集技术,针对蜜罐系统面临的安全威胁提出了防御对策。     

蜜罐与免疫入侵检测系统联动模型设计

网络攻击手段的多样性和攻击行为的动态性,给网络安全防御带来了困难。在基于免疫危险理论的入侵检测系统基础上,结合蜜罐技术和重定向机制,提出一个蜜罐和免疫入侵检测系统联动模型。介绍该模型的功能模块构成,分析检测器和危险信号相关机制。与其他模型相比,该模型具有主动性、动态性和低漏报率等优点。     

蜜罐技术的分析与研究

蜜罐是一种旨在诱骗、拖延和搜集有关攻击的诱饵,作为一种主动防御技术,在网络安全的防护中,蜜罐技术可以用来分析攻击行为和设计新的防御系统.从蜜罐技术的原理和体系结构出发,针对国内外蜜罐技术的发展现状,分析了蜜罐技术未来的研究趋势;同时根据其关键技术,提出了合理的蜜罐部署方式.     

蜜罐取证的技术及法律问题研究

蜜罐作为新兴的网络防御及动态取证技术,不仅能够主动防御网络攻击,而且还可以收集入侵者实施攻击的重要证据。它通过网络欺骗、端口重定向、报警、数据控制和数据捕获等技术,增强动态防护体系的检测与反应能力,提高网络的安全防护水平。蜜罐运行会产生一定的技术风险,而选择低风险蜜罐、强化系统的数据获取和报警功能以及增加连接控制和路由控制等能有效实现风险控制。对于蜜罐取证可能产生的陷阱、隐私权及责任等法律问题,则可采取避免过度主动引诱、隐私权提示及审慎监控等方式加以克服。     

蜜罐与入侵检测技术联动系统的研究与设计

针对单一技术在网络安全防御上的局限性,对入侵检测和蜜罐技术进行了认真研究.构建了一个新的入侵检测与蜜罐技术联动的防御系统.通过蜜罐收集入侵信息,用无监督聚类算法分析入侵数据,将数据集划分为不同的类别,提取新的攻击特征,扩充了入侵检测系统的特征库.通过实验分析和采用KDDCUP99入侵数据集进行测试,证明对于误报和漏报问题有一定的改进,提高了对未知入侵攻击的检测效率.     

蜜罐技术研究与应用进展

蜜罐是防御方为了改变网络攻防博弈不对称局面而引入的一种主动防御技术,通过部署没有业务用途的安全资源,诱骗攻击者对其进行非法使用,从而对攻击行为进行捕获和分析,了解攻击工具与方法,推测攻击意图和动机.蜜罐技术赢得了安全社区的持续关注,得到了长足发展与广泛应用,并已成为互联网安全威胁监测与分析的一种主要技术手段.介绍了蜜罐技术的起源与发展演化过程,全面分析了蜜罐技术关键机制的研究现状,回顾了蜜罐部署结构的发展过程,并归纳总结了蜜罐技术在互联网安全威胁监测、分析与防范等方向上的最新应用成果.最后,对蜜罐技术存在的问题、发展趋势与进一步研究方向进行了讨论.     

Collapsar: A VM-based honeyfarm and reverse honeyfarm architecture for network attack capture and detention

The honeypot has emerged as an effective tool to provide insights into new attacks and exploitation trends. However, a single honeypot or multiple independently operated honeypots only provide limited local views of network attacks. Coordinated deployment of honeypots in different network domains not only provides broader views, but also create opportunities of early network anomaly detection, attack correlation, and global network status inference. Unfortunately, coordinated honeypot operation require close collaboration and uniform security expertise across participating network domains. The conflict between distributed presence and uniform management poses a major challenge in honeypot deployment and operation.To address this challenge, we present Collapsar, a virtual machine-based architecture for network attack capture and detention. A Collapsar center hosts and manages a large number of high-interaction virtual honeypots in a local dedicated network. To attackers, these honeypots appear as real systems in their respective production networks. Decentralized logical presence of honeypots provides a wide diverse view of network attacks, while the centralized operation enables dedicated administration and convenient event correlation, eliminating the need for honeypot expertise in every production network domain. Collapsar realizes the traditional honeyfarm vision as well as our new reverse honeyfarm vision, where honeypots act as vulnerable clients exploited by real-world malicious servers. We present the design, implementation, and evaluation of a Collapsar prototype. Our experiments with a number of real-world attacks demonstrate the effectiveness and practicality of Collapsar.     

一种基于多阶段攻击响应的SDN动态蜜罐

蜜罐作为一种主动防御机制,可以通过部署诱饵目标,主动吸引攻击者与虚假资源进行交互,从而在防止有价值的真实资源受到破坏的同时,也能根据收集到的数据分析攻击行为并主动应对。然而,现有蜜罐方案存在无法针对复杂攻击手段部署特定蜜罐防御;蜜罐攻防博弈中动态性考虑不够充分,无法根据收益与成本有效选择蜜罐最佳防御策略;以及性能开销较大等缺陷。文章提出基于多阶段攻击响应和动态博弈相结合的SDN动态蜜罐架构以及基于Docker的SDN动态蜜罐部署策略和方法,设计和实现了一种可根据攻击阶段动态调整的SDN动态蜜罐系统。实验证明,该系统能够根据网络情况,面向攻击者行为,快速动态生成针对性蜜罐进行响应,有效提升了蜜罐的动态性和诱骗能力。     

基于聚类分流算法的分布式蜜罐系统设计

针对现有的网络安全防御系统主动性不足,对未知类型网络数据的判断速度慢、准确性不高的缺陷,设计了一种应用聚类算法对未知类型数据进行聚类分流的分布式蜜罐系统。在聚类过程中,采用一种改进的聚类中心选择算法,对未知类型网络数据进行模糊聚类,将聚类失败的数据分流到蜜罐中进行特征学习,从而尽早地发现新的攻击类型,减轻蜜罐的监控和记录压力,降低蜜罐被攻破的概率,有利于防御时采用更为有效的防御策略。此系统应用在政府某部门的专网中,实验结果验证了在不明显增加系统计算量的情况下,该聚类算法比平均值聚类算法有更高的聚类成功率。     

浅析引导型蜜罐群在网络安全中的应用

随着入侵攻击的复杂多样化和网络管理的难度加大,蜜罐技术作为网络安全主动防御技术的重要组成部分越来越受到人们的重视,它主要经历了欺骗系统、蜜罐和蜜网等几个发展阶段,旨在对入侵攻击进行监视、检测和分析。本文结合中小型网络安全的实际需求,提出一种新的蜜罐思路：引导型蜜罐群,设计了相应的网络安全模型,并分析它的关键技术及实际应用。     

蜜罐技术在网络安全系统中的应用与研究

随着网络技术的不断发展,网络安全技术已经从早期对攻击和病毒的被动防御开始向对攻击者进行欺骗并且对其入侵行为进行监测的方向发展。基于蜜罐技术的网络安全系统可以实现对内部网络和信息的保护,并且可以对攻击行为进行分析和取证。文中对蜜罐系统分类特点、部署位置以及配置数量进行了分析,同时对蜜罐系统中关键部分取证服务器的实现进行了研究,并进行了实验测试,测试结果表明该蜜罐系统可以实现对攻击行为进行捕捉和记录的功能。对蜜罐系统的部署和保护模式进行研究,可以从理论上优化蜜罐系统的配置和部署,具有很高的实践意义。     

蜜网技术与网络安全

网络安全领域日益受到重视,蜜罐与蜜网技术是基于主动防御理论而提出的。蜜罐与蜜网技术通过精心布置的诱骗环境来吸引网络攻击者的入侵,进而了解攻击思路、攻击工具和攻击目的等行为信息。本文介绍了蜜罐的主要技术原理,并且比较和分析了第一代、第二代和第三代蜜网模型。     

A Markov Decision Process Model for High Interaction Honeypots

Abstract

Honeypots, which are traps designed to resemble easy-to- compromise computer systems, have become essential tools for security professionals and researchers because of their significant contribution in disclosing the underworld of cybercrimes. However, recent years have witnessed the development of several anti-honeypot technologies. Botmasters can exploit the fact that honeypots should not participate in illegal actions by commanding the compromised machine to act maliciously against specific targets which are used as sensors to measure the execution of these commands. A machine that is not allowing the execution of such attacks is more likely to be a honeypot. Consequently, honeypot operators need to choose the optimal response that balances between being disclosed and being liable for participating in illicit actions. In this paper, we consider the optimal response strategy for honeypot operators. In particular, we model the interaction between botmasters and honeypots by a Markov Decision Process (MDP) and then determine the optimal policy for honeypots responding to the commands of botmasters. The model is then extended using a Partially Observable Markov Decision Process (POMDP) which allows operators of honeypots to model the uncertainty of the honeypot state as determined by botmasters. The analysis of our model confirms that exploiting the legal liability of honeypots allows botmasters to have the upper hand in their conflict with honeypots. Despite this deficiency in current honeypot designs, our model can help operators of honeypots determine the optimal strategy for responding to botmasters’ commands. We also provide simulation results that show the honeypots’ optimal response strategies and their expected rewards under different attack scenarios.     

An auto-responsive honeypot architecture for dynamic resource allocation and QoS adaptation in DDoS attacked networks

Distributed Denial of Service (DDoS) attacks generate flooding traffic from multiple sources towards selected nodes. Diluted low rate attacks lead to graceful degradation while concentrated high rate attacks leave the network functionally unstable. Previous approaches to such attacks have reached to a level where survivable systems effort to mitigate the effects of these attacks. However, even with such reactive mitigation approaches in place, network under DDoS attack becomes unstable and legitimate users in the network suffer in terms of increased response times and frequent network failures. Moreover, the Internet is dynamic in nature and the topic of automated responses to attacks has not received much attention.In this paper, we propose a proactive approach to DDoS in form of integrated auto-responsive framework that aims to restrict attack flow reach target and maintain stable network functionality even under attacked network. It combines detection and characterization with attack isolation and mitigation to recover networks from DDoS attacks. As first line of defense, our method uses high level specifications of entropy variations for legitimate interactions between clients and servers. The network generates optimized entropic detectors that monitor the behavior of flows to identify significant deviations. As the second line of defense, malicious flows are identified and directed to isolated zone of honeypots where they cannot cause any further damage to the network and legitimate flows are directed to a randomly selected server from pool of replicated servers. This approach leads the attacker to believe that they are succeeding in their attack, whereas in reality they are simply wasting time and resources.Service replication and attack isolation alone are not sufficient to mitigate the attacks. Limited network resources must be judiciously used when an attack is underway. Further, as third line of defense, we propose a Dynamic Honeypot Engine (DHE) modeled as a part of Honeypot Controller (HC) module that triggers the automatic generation of adequate nodes to service client requests and required number of honeypots that interact with attackers in contained manner. This load balancing in the network makes it attack tolerant. Legitimate clients, depending upon their trust levels built according to their monitored statistics, can track the actual servers for certain time period. Attack flows reaching honeypots are logged by Honeypot Data Repository (HDR). Most severe flows are punished by starting honeypot back propagation sessions and filtering them at the source as the last line of defense. The data collected on honeypots are used to isolate and filter present attack, if any and as an insight into future attack trends. The judicious mixture and self organization of servers and honeypots at different time intervals also guaranties promised QoS.We present the exhaustive parametric dependencies at various phases of attack and their regulation in real time to make the service network DDoS attack tolerant and insensitive to attack load. Results show that this auto-responsive network has the potential to maintain stable network functionality and guaranteed QoS even under attacks. It can be fine tuned according to the dynamically changing network conditions. We validate the effectiveness of the approach with analytical modeling on Internet type topology and simulation in ns-2 on a Linux platform.