Dynamic Deploying Distributed Low-interaction Honeynet

A distributed virtual honeynet is an important security detection system for worms, botnets, spam, and distributed denial-of-service attacks. The value of a honeynet relies significantly on its disguise capacity. The traditional deployment method is a static scheme in which the configuration of the honeynet is determined by security experts beforehand and cannot be changed after deployment. Hackers or botnet controllers who identify the honeynet may not be trapped in the same honeynet again. Therefore, a statically deployed honeynet has relatively poor disguise capacity. To improve the disguise capacity, a novel dynamic deploying method is proposed that is capable of redeploying the honeynet in real time. The inducing degree is introduced to measure the disguise capacity by analyzing the inbound and outbound packets of the honeynet. When the inducing degree is less than a specific threshold, the dynamic deploying manager is activated and executes the dynamic deploying algorithms. We have developed three novel dynamic deploying algorithms to solve the problem of how to redeploy the honeynet, and implemented a prototype distributed virtual honeynet based on Honeyd. Experimental results on simulation and real network datasets demonstrate that the dynamic deploying approach is effective in enhancing the disguise capacity of the honeynet.
