一种基于多阶段攻击响应的SDN动态蜜罐

doi:10.3969/j.issn.1671-1122.2021.01.004

摘要/Abstract

摘要：

蜜罐作为一种主动防御机制,可以通过部署诱饵目标,主动吸引攻击者与虚假资源进行交互,从而在防止有价值的真实资源受到破坏的同时,也能根据收集到的数据分析攻击行为并主动应对。然而,现有蜜罐方案存在无法针对复杂攻击手段部署特定蜜罐防御;蜜罐攻防博弈中动态性考虑不够充分,无法根据收益与成本有效选择蜜罐最佳防御策略;以及性能开销较大等缺陷。文章提出基于多阶段攻击响应和动态博弈相结合的SDN动态蜜罐架构以及基于Docker的SDN动态蜜罐部署策略和方法,设计和实现了一种可根据攻击阶段动态调整的SDN动态蜜罐系统。实验证明,该系统能够根据网络情况,面向攻击者行为,快速动态生成针对性蜜罐进行响应,有效提升了蜜罐的动态性和诱骗能力。

关键词: 蜜罐, 攻击图, 不完全信息动态博弈, 软件定义网络, Docker

Abstract:

As an active defense mechanism, a honeypot can actively attract attackers to interact with imitative and illusive resources by deploying decoy targets, which can not only prevent valuable real assets from being destroyed, but also analyze and deal with the attack behaviors according to the collected data. However, the existing honeypot systems have some limitations, such as unable to deploy specific defense honeypots for complex attack scenarios, unable to select the best defense strategy according to the benefits and costs because of the insufficient dynamic consideration in honeypot attack and defense game, and the performance overhead is large. This paper proposes a SDN dynamic honeypot architecture based on multi-phase attack response and dynamic game theory, presents a deployment strategy for SDN dynamic honeypot by using Docker, and implements a novel dynamic honeypot system which can be dynamically adjusted according the different attack phases. Experiments show that the system can quickly and dynamically generate a targeted honeypot for response according to the network situation and the behaviors of attackers, which effectively improves the dynamic and deception ability of honeypot.

Key words: Honeypot, attack graph, game of dynamic incomplete information, software defined network, Docker

中图分类号:

TP309

王鹃, 杨泓远, 樊成阳. 一种基于多阶段攻击响应的SDN动态蜜罐[J]. 信息网络安全, 2021, 21(1): 27-40.

WANG Juan, YANG Hongyuan, FAN Chengyang. A SDN Dynamic Honeypot with Multi-phase Attack Response[J]. Netinfo Security, 2021, 21(1): 27-40.

图/表 18

图1

图2

图3

图4

图5

图6

表1

表2

表3

表4

表5

图7

图8

图9

图10

图11

图12

图13

参考文献 36

[1]	HAYATLE O, OTROK H, YOUSSEF A. A Game Theoretic Investigation for High Interaction Honeypots[C] //IEEE. 2012 IEEE International Conference on Communications (ICC), June 10-15, 2012, Ottawa, ON, Canada. NJ: IEEE, 2012: 6662-6667.
[2]	LA Q D, QUEK T Q S, LEE J, et al. Deceptive Attack and Defense Game in Honeypot-enabled Networks for the Internet of Things[J]. IEEE Internet of Things Journal, 2016,3(6):1025-1035. doi: 10.1109/JIOT.2016.2547994 URL
[3]	GARG N, GROSU D. Deception in Honeynets: A Game-theoretic Analysis[C] //IEEE. 2007 IEEE SMC Information Assurance and Security Workshop, June 20-22, 2007, West Point, NY, USA. NJ: IEEE, 2007: 107-113.
[4]	PANJWANI S, TAN S, JARRIN K M, et al. An Experimental Evaluation to Determine If Port Scans are Precursors to an Attack[C] //IEEE. 2005 International Conference on Dependable Systems and Networks (DSN'05), June 28- July 1, 2005, Yokohama, Japan. NJ: IEEE, 2005: 602-611.
[5]	WANG Kun, DU Miao, MAHARJAN S, et al. Strategic Honeypot Game Model for Distributed Denial of Service Attacks in the Smart Grid[J]. IEEE Transactions on Smart Grid, 2017,8(5):2474-2482. doi: 10.1109/TSG.2017.2670144 URL
[6]	MCKEOWN N. Software-defined Networking[J]. INFOCOM Keynote Talk, 2009,2009(17):30-32.
[7]	DU Miao, WANG Kun. An SDN-enabled Pseudo-honeypot Strategy for Distributed Denial of Service Attacks in Industrial Internet of Things[J]. IEEE Transactions on Industrial Informatics, 2019,16(1):648-657. doi: 10.1109/TII.9424 URL
[8]	WANG Juan, WEN Ru, LI Jiangqi, et al. Detecting and Mitigating Target Link-flooding Attacks Using SDN[J]. IEEE Transactions on Dependable and Secure Computing, 2019,16(6):944-956. doi: 10.1109/TDSC.8858 URL
[9]	SHI Yuan, ZHANG Huanguo, WANG Juan, et al. Chaos: An SDN-based Moving Target Defense System[J]. Security and Communication Networks, 2017,2017(4):11-23.
[10]	HAN W, ZHAO Ziming, DOUPÉ A, et al. Honeymix: Toward SDN-based Intelligent Honeynet[C] //ACM. The 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, March 9-11, 2016, New Orleans Louisiana USA. New York: ACM, 2016: 1-6.
[11]	KYUNG S, HAN W, TIWARI N, et al. Honeyproxy: Design and Implementation of Next-generation Honeynet via SDN[C] //IEEE. 2017 IEEE Conference on Communications and Network Security (CNS), October 9-11, 2017, Las Vegas, NV, USA. NJ: IEEE, 2017: 1-9.
[12]	FAN Wenjun, DU Zhihui, SMITH-CREASEY M, et al. HoneyDOC: An Efficient Honeypot Architecture Enabling All-round Design[J]. IEEE Journal on Selected Areas in Communications, 2019,37(3):683-697. doi: 10.1109/JSAC.2019.2894307 URL
[13]	DODIA P, ZHAUNIAROVICH Y. Poster: SDN-based System to Filter Out DRDoS Amplification Traffic in ISP Networks[C] //ACM. The 2019 ACM SIGSAC Conference on Computer and Communications Security, November 11-15, 2019, London, United Kingdom. New York: ACM, 2019: 2645-2647.
[14]	LIANG Xiannuan, XIAO Yang. Game Theory for Network Security[J]. IEEE Communications Surveys & Tutorials, 2012,15(1):472-486. doi: 10.1109/SURV.2012.062612.00056 URL
[15]	The Honenet Project. The Honenet Project[EB/OL]. http://www.honeynet.org, 2020-03-18.
[16]	The Honeynet Project. Know Your Enemy: Honeynets[EB/OL]. http://old.honeynet.org/papers/honeynet/, 2009-03-30.
[17]	The Honeynet Project. Know Your Enemy GenII Honeynets[EB/OL]. http://project.honeynet.org/papers/gen2/index.html, 2020-03-25.
[18]	CHAMALES G. The Honeywall CD-ROM[J]. Security & Privacy IEEE, 2005,2(2):77-79.
[19]	YAN L K. Virtual Honeynets Revisited[C] //IEEE. The Sixth Annual IEEE SMC Information Assurance Workshop, June 15-17, 2005, West Point, NY, USA. NJ: IEEE, 2005: 232-239.
[20]	STUMPF F, GÖRLACH A, HOMANN F, et al. Nose-building Virtual Honeynets Made Easy[EB/OL]. https://www.researchgate.net/publication/228978549_NoSE-building_virtual_honeynets_made_easy, 2020-03-20.
[21]	ABBASI F H, HARRIS R J. Experiences with a Generation III Virtual Honeynet[C] //IEEE. 2009 Australasian Telecommunication Networks and Applications Conference (ATNAC), November 10-12, 2009, Canberra, ACT, Australia. NJ: IEEE, 2009: 1-6.
[22]	ARTAIL H, SAFA H, SRAJ M, et al. A Hybrid Honeypot Framework for Improving Intrusion Detection Systems in Protecting Organizational Networks[J]. Computers & Security, 2006,25(4):274-288.
[23]	PROVOS N. A Virtual Honeypot Framework[C] //USENIX. The 13th USENIX Security Symposium, August 9-13, 2004, San Diego, California, USA. Berkeley: USENIX Association, 2004: 1-14.
[24]	PORTOKALIDIS G, BOS H. Sweetbait: Zero-hour Worm Detection and Containment Using Low-and High-interaction Honeypots[J]. Computer Networks, 2007,51(5):1256-1274. doi: 10.1016/j.comnet.2006.09.005 URL
[25]	BAILEY M, COOKE E, WATSON D, et al. A Hybrid Honeypot Architecture for Scalable Network Monitoring[EB/OL]. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.84.7009&rep=rep1&type=pdf, 2014-10-27.
[26]	JIANG Xuxian, XU Dongyan. Collapsar: A VM-based Architecture for Network Attack Detention Center[C] // USENIX. The 13th USENIX Security Symposium, August 9-13, 2004, San Diego, California, USA. Berkeley: USENIX Association, 2004: 15-28.
[27]	ANTONIOU J. Game Theory and Networking[M] //Springer. Game Theory, the Internet of Things and 5G Networks. Cham: Springer, 2020: 1-20.
[28]	LALLIE H S, DEBATTISTA K, BAL J. A Review of Attack Graph and Attack Tree Visual Syntax in Cyber Security[EB/OL]. https://www.sciencedirect.com/science/article/abs/pii/S1574013719300772, 2020-03-20.
[29]	JIANG Wei. Research on Key Technologies of Active Defense Based on Attack Defense Game Model[D]. Harbin: Harbin Institute of Technology, 2010.
	姜伟. 基于攻防博弈模型的主动防御关键技术研究[D]. 哈尔滨:哈尔滨工业大学, 2010.
[30]	NEUMANN J V, MORGENSTERN O. Theory of Games and Economic Behavior[M]. Princeton: Princeton University Press, 1944.
[31]	MYERSON R B. Game Theory: Analysis of Conflict[M]. Cambridge: Harvard University Press, 1997.
[32]	ÇEKER H, ZHUANG Jun, UPADHYAYA S, et al. Deception-based Game Theoretical Approach to Mitigate DoS Attacks[M] //Springer. Decision and Game Theory for Security. Cham: Springer, 2016: 18-38.
[33]	NASH J F. Equilibrium Points in n-person Games[J]. Proceedings of the National Academy of Sciences of the United States of America, 1950,36(1):48-49. doi: 10.1073/pnas.36.1.48 URL pmid: 16588946
[34]	GIBBONS R S. Game Theory for Applied Economists[M]. Princeton: Princeton University Press, 1992.
[35]	HARSANYI J C. Games with Incomplete Information Played by Bayesian Players: Part I[J]. Management Science, 1967,14(3):159-182. doi: 10.1287/mnsc.14.3.159 URL
[36]	MIT Lincoln Laboratory. 2000 DARPA Intrusion Detection Scenario SpecificDatasets[EB/OL]. https://www.ll.mit.edu/r-d/datasets/2000-darpa-intrusion-detection-scenario-specific-datasets, 2020-03-20.

攻击策略	$\alpha $	CD	ID	AD
$s_{A}^{1}$	(3,2)	(40,40)	(20,20)	(20,20)
$s_{A}^{2}$	(6,5)	(80,80)	(40,40)	(50,50)
$s_{A}^{3}$	(10,9)	(100,100)	(60,60)	(100,100)

攻击策略	SD	SRL	AG	AC
$s_{A}^{1}$	(72,48)	(1,1)	(72,48)	(30,40)
$s_{A}^{2}$	(312,260)	(1,1)	(312,260)	(70,90)
$s_{A}^{3}$	(840,756)	(1,1)	(840,756)	(50,80)

防御策略攻击策略	$s_{D}^{1}$	$s_{D}^{2}$	$s_{D}^{3}$
$s_{A}^{1}$	(0.8,0.9)	(0.4,0.5)	(0.2,0.3)
$s_{A}^{2}$	(0.3,0.4)	(0.8,0.9)	(0.5,0.6)
$s_{A}^{3}$	(0.2,0.3)	(0.6,0.7)	(0.8,0.9)

防御策略	ADV	DC
$s_{D}^{1}$	（50,40）	（30,30）
$s_{D}^{2}$	（180,150）	（50,50）
$s_{D}^{3}$	（300,260）	（70,70）

防御策略攻击策略	$s_{D}^{1}$	$s_{D}^{2}$	$s_{D}^{3}$
$s_{A}^{1}$	(-65.6, 5.6) (-75.2, 5.2)	(-36.8,-23.2) (-56,-14)	(-22.4,-37.6) (-46.4,-23.6)
$s_{A}^{2}$	(-31.6,-88.4) (-84, -56)	(-187.6,67.6) (-214,74)	(-94,-26) (-136, -4)
$s_{A}^{3}$	(332, -442) (189.2,-339.2)	(-14, -106) (-113.2, 36.8)	(-182,62) (-264.4, 114.4)