In the following, we describe the design, the implementation and the evaluation of the proposed dynamic honeypot architecture.
The architecture should be able to identify attacks before they are successful and immediately deploy a honeypot that protects the original target VM.
The architecture should follow the resource-saving idea of cloud computing and efficiently protect running VMs which are targets of attacks.
Learning from attacks and identification of current misconfigurations is a main goal.
4.1 Design
The entire procedure of the dynamic honeypot architecture can be described in seven sequential steps.
A flow graph of the proposed architecture can be seen in Figure 2.
In step 1, the honeypot controller identifies an attack which aims at a guest VM on the same hardware node.
This attack identification is the trigger for the honeypot extraction and deployment procedure.
The honeypot controller retrieves the IP address of the guest VM which is the target of the ongoing attack and the IP address of the attacking source.
In step 2, the controller delays the attack until a new honeypot VM is extracted and deployed in step 3.
This delay is very important because the attack process should not be interrupted or disturbed.
Therefore, the extraction of the honeypot VM (step 3) must be performed in seconds.
In step 4, the controller redirects the traffic of the attacking source to the newly deployed honeypot VM.
In step 5, information about the ongoing attack is passively collected, benefiting from the hypervisor layer.
After a predefined period of time or after the detection of a successful attack, the honeypot VM is terminated and the attacking source is banned from the network in step 6.
Finally, in step 7, a report for the cloud user who owns the original VM is generated.
The report should be easy to understand and should reveal and explain vulnerabilities and misconfigurations to the cloud user.
To protect the architecture from denial-of-service attacks, only one honeypot VM can be deployed for an original VM at the same time.
This honeypot VM is used for every other attack that can run in parallel.
Figure 3 illustrates the time line of the proposed architecture.
The attacking source sends the first packets.
These packets can belong to a web directory scan or a brute force attack, or they can be the payload of a computer worm.
The controller detects the attack and delays the packets until a new honeypot is extracted from the original target.
After this deployment procedure, the packets are redirected and can reach the new honeypot VM, and the attack continues.
Now, the attack is monitored and analyzed.
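To make the control flow of the seven steps and the Figure 3 time line concrete, the following is a constructed Python model of the controller's decisions (an added illustration, not the paper's implementation); the class and method names, the timing values and the addresses are all assumptions.

```python
# Constructed model of the seven-step controller (illustration, not the paper's code).
# Times are seconds on an abstract clock; addresses in run_timeline() are made up.
class HoneypotController:
    def __init__(self, extract_seconds=5.0, lifetime=600.0):
        self.extract_seconds = extract_seconds  # step 3 must finish within seconds
        self.lifetime = lifetime                # predefined period before step 6
        self.honeypots = {}                     # target VM ip -> honeypot state
        self.banned = set()                     # attacking sources banned in step 6
        self.reports = []                       # step 7 reports for cloud users

    def on_packet(self, src, dst, payload, now):
        """Steps 1, 2 and 4 for one packet of a detected attack on dst."""
        if src in self.banned:
            return ("drop", [])
        hp = self.honeypots.get(dst)
        if hp is None:
            # Step 3: first attack on dst triggers extraction of a reduced clone.
            # Only one honeypot per original VM (DoS protection); later attacks share it.
            hp = {"ip": "hp-for-" + dst, "ready_at": now + self.extract_seconds,
                  "queue": [], "sources": set()}
            self.honeypots[dst] = hp
        hp["sources"].add(src)
        hp["queue"].append((src, payload))
        if now < hp["ready_at"]:
            return ("delay", [])                # step 2: hold, never reject or reset
        released, hp["queue"] = hp["queue"], []
        return ("redirect", [(s, p, hp["ip"]) for s, p in released])  # step 4

    def check(self, dst, now, compromised=False):
        """Step 6/7: terminate on success or lifetime expiry, ban sources, report."""
        hp = self.honeypots.get(dst)
        if hp is None or not (compromised or now >= hp["ready_at"] + self.lifetime):
            return None
        self.banned.update(hp["sources"])
        report = {"vm": dst, "honeypot": hp["ip"], "sources": sorted(hp["sources"]),
                  "reason": "compromised" if compromised else "expired"}
        self.reports.append(report)
        del self.honeypots[dst]
        return report

def run_timeline():
    """Replays the Figure 3 time line: delay, redirect, shared honeypot, ban."""
    c = HoneypotController(extract_seconds=5.0)
    first = c.on_packet("203.0.113.7", "10.0.0.5", "GET /admin/", now=0.0)
    second = c.on_packet("198.51.100.9", "10.0.0.5", "ssh login", now=2.0)
    third = c.on_packet("203.0.113.7", "10.0.0.5", "GET /backup/", now=6.0)
    report = c.check("10.0.0.5", now=7.0, compromised=True)
    after = c.on_packet("203.0.113.7", "10.0.0.5", "GET /", now=8.0)
    return first, second, third, report, after
```

The second source arriving during extraction is attached to the same honeypot rather than triggering a second clone, which is the one-honeypot-per-VM rule above.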
There are four main goals for the honeypot extraction process:
1. The deployment of the honeypot VM has to be fast because the detected attack should only be delayed for a short period of time. We need to deploy the honeypot in a few seconds. The architecture should not arouse the suspicion of the attacker and should not interrupt the work-flow of automated attacking tools.
2. Instead of having a cloned honeypot VM containing the same data, we want to have a reduced honeypot VM without sensitive data. The honeypot extraction procedure is a modified VM cloning process. This procedure has to be fast, according to the first goal, and it should not risk the disclosure of sensitive or private data of the original VM. For this, we have to remove certain data.
3. If the controller detects a successful attack on the honeypot, it has to immediately terminate the honeypot VM without revealing any information. Accordingly, precise monitoring of the honeypot VM is necessary.
4. We do not want to install additional software on the original VM. All proposed mechanisms should run outside the VM and work on the hypervisor layer.