Dressed up: Baiting Attackers through Endpoint Service Projection

Honeypots have been widely employed to track attackers' activities and divert potential threats away from real assets. A critical challenge in honeypot research is how to better integrate deceptive honeypots into an overall production network. Conventional honeypots are typically deployed as separate assets near the systems they protect, so they are not in the direct line of fire. Such a setup does not effectively protect real assets, since attackers do not need a full network scan to identify certain production hosts. In this paper, we present a novel framework to transparently project vulnerable honey services atop real production systems without interfering with the production systems. The key idea is to use SDN technology to divide a production network into segments of production and decoy servers. Traffic intended for production workloads is redirected to decoys based on port or service information. The decoy servers run "vulnerable" services that are heavily monitored. From the attacker's perspective, these vulnerable services run on production systems, but the traffic is instead relayed to a honeypot with the same configuration (e.g., IP address, MAC address, running services) as the protected production system. In this way, our approach captures attacks before they reach protected assets. We demonstrate its feasibility with a prototype implementation and a practical deployment model. Evaluation shows that our approach incurs negligible overhead and resists potential side-channel fingerprinting attacks.
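To make the port-based redirection concrete, the following is an added example (not the paper's prototype or its code): it models the SDN policy as OpenFlow-style match/action rules in which a higher-priority rule steers traffic for the decoy's "honey ports" to the decoy's switch attachment, while a default rule forwards everything else to the real host. Host addresses, switch port numbers and the honey-port set are constructed for illustration, and the overlap check is a deployment sanity check the abstract does not describe.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    ip: str
    mac: str
    switch_port: int          # switch port where the real production host is attached

@dataclass(frozen=True)
class Projection:
    """Decoy services projected onto one production host.

    The decoy shares the production host's IP and MAC; only its switch
    attachment and the set of ports it answers differ."""
    production: Host
    decoy_switch_port: int
    honey_ports: frozenset    # TCP ports that the decoy, not production, serves

def build_rules(proj):
    """Emit OpenFlow-like rules; the highest priority match wins."""
    rules = []
    for port in sorted(proj.honey_ports):
        rules.append({"priority": 200,
                      "match": {"ip_dst": proj.production.ip, "tcp_dst": port},
                      "actions": ["output:%d" % proj.decoy_switch_port,
                                  "mirror:monitor"]})   # decoy traffic is heavily monitored
    rules.append({"priority": 100,
                  "match": {"ip_dst": proj.production.ip},
                  "actions": ["output:%d" % proj.production.switch_port]})
    return rules

def classify(rules, ip_dst, tcp_dst):
    """Return the action list for a packet, or ['drop'] if no rule matches."""
    best = None
    for r in rules:
        m = r["match"]
        if m.get("ip_dst") != ip_dst:
            continue
        if "tcp_dst" in m and m["tcp_dst"] != tcp_dst:
            continue
        if best is None or r["priority"] > best["priority"]:
            best = r
    return best["actions"] if best else ["drop"]

def check_no_overlap(proj, production_ports):
    """Refuse a projection whose honey ports collide with ports the real host serves."""
    clash = proj.honey_ports & frozenset(production_ports)
    if clash:
        raise ValueError("honey ports collide with production: %s" % sorted(clash))
    return True

# Constructed sample: web server on 10.0.0.5 with decoy telnet/SMB projected onto it.
EXAMPLE = Projection(Host("10.0.0.5", "aa:bb:cc:dd:ee:05", 1), 7, frozenset({23, 445}))
RULES = build_rules(EXAMPLE)
```

Traffic to the projected ports never reaches switch port 1, so the production host does not need to be modified or even know the decoy exists.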
