信息网络安全 (Netinfo Security) ›› 2021, Vol. 21 ›› Issue (1): 27-40. doi: 10.3969/j.issn.1671-1122.2021.01.004

• Technical Research •

An SDN Dynamic Honeypot Based on Multi-phase Attack Response

WANG Juan1,2, YANG Hongyuan1,2, FAN Chengyang1,2

  1. School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
    2. Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan 430072, China
  • Received: 2020-11-10 Online: 2021-01-10 Published: 2021-02-23
  • Corresponding author: WANG Juan, E-mail: jwang@whu.edu.cn
  • Author biographies: WANG Juan (born 1976), female, Hubei, professor, Ph.D.; main research interests: system and network security, trusted computing, cloud computing, IoT security | YANG Hongyuan (born 1995), male, Guangdong, master's student; main research interests: software testing, network security | FAN Chengyang (born 1994), male, Hubei, master's student; main research interests: trusted computing, cloud computing, network security
  • Funding:
    National Natural Science Foundation of China (61872430)

A SDN Dynamic Honeypot with Multi-phase Attack Response

WANG Juan1,2, YANG Hongyuan1,2, FAN Chengyang1,2

  1. School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
    2. Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan 430072, China
  • Received: 2020-11-10 Online: 2021-01-10 Published: 2021-02-23
  • Contact: WANG Juan, E-mail: jwang@whu.edu.cn

Abstract (translated from the Chinese original):

As an active defense mechanism, a honeypot deploys decoy targets to actively attract attackers into interacting with fake resources, which both prevents valuable real resources from being damaged and allows attack behavior to be analyzed and actively countered from the collected data. However, existing honeypot schemes have shortcomings: they cannot deploy honeypots targeted at specific complex attack techniques; they do not sufficiently account for the dynamics of the honeypot attack-defense game and therefore cannot effectively select the optimal honeypot defense strategy according to benefit and cost; and they incur large performance overhead. This paper proposes an SDN dynamic honeypot architecture that combines multi-phase attack response with dynamic game theory, together with a Docker-based strategy and method for deploying SDN dynamic honeypots, and designs and implements an SDN dynamic honeypot system that can be dynamically adjusted according to the attack phase. Experiments show that the system can, according to the network situation and the attacker's behavior, quickly and dynamically generate targeted honeypots in response, effectively improving the dynamism and deception capability of honeypots.

Keywords: honeypot, attack graph, dynamic game of incomplete information, software-defined network, Docker

Abstract:

As an active defense mechanism, a honeypot can actively attract attackers to interact with imitative and illusive resources by deploying decoy targets, which not only prevents valuable real assets from being destroyed but also allows the attack behaviors to be analyzed and dealt with according to the collected data. However, existing honeypot systems have limitations: they are unable to deploy specific defense honeypots for complex attack scenarios, they are unable to select the best defense strategy according to benefits and costs because the dynamics of the honeypot attack-defense game are insufficiently considered, and their performance overhead is large. This paper proposes an SDN dynamic honeypot architecture based on multi-phase attack response and dynamic game theory, presents a deployment strategy for SDN dynamic honeypots using Docker, and implements a novel dynamic honeypot system that can be dynamically adjusted according to the different attack phases. Experiments show that the system can quickly and dynamically generate a targeted honeypot in response to the network situation and the behaviors of attackers, which effectively improves the dynamism and deception ability of the honeypot.
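
The abstract describes choosing a honeypot response per attack phase by weighing benefit against cost under an incomplete-information dynamic game, but does not show how such a selection is computed. The following Python sketch is an added illustration written for this page, not code from the paper or its authors: it keeps a Bayesian belief over an unobservable attacker type, maps each observed event to a phase of a linear attack graph, and picks the candidate honeypot deployment with the highest expected utility (belief-weighted benefit minus deployment cost). The phase names, attacker types, observation likelihoods, strategy names, benefits and costs are all constructed assumptions, not values from the paper.

```python
"""Phase-aware honeypot strategy selection under incomplete information.

Added example, not the paper's implementation. Every name and number
below (phases, attacker types, likelihoods, strategies, benefits, costs)
is a constructed assumption chosen only to make the mechanism concrete.
"""
from dataclasses import dataclass

# Attack phases in the order a simple attack graph would chain them (assumed).
PHASES = ["recon", "exploit", "lateral", "exfil"]

# Attacker types the defender cannot observe directly (assumed).
TYPES = ["scripted", "targeted"]

# P(observation | attacker type): constructed likelihoods used for the
# Bayesian belief update.
LIKELIHOOD = {
    "port_scan":      {"scripted": 0.70, "targeted": 0.30},
    "web_exploit":    {"scripted": 0.50, "targeted": 0.40},
    "smb_enum":       {"scripted": 0.10, "targeted": 0.60},
    "large_transfer": {"scripted": 0.05, "targeted": 0.50},
}

# Which attack-graph phase each observation indicates (assumed mapping).
PHASE_OF = {
    "port_scan": "recon",
    "web_exploit": "exploit",
    "smb_enum": "lateral",
    "large_transfer": "exfil",
}


@dataclass
class Strategy:
    """A candidate honeypot deployment the defender may choose."""
    name: str
    cost: float      # cost of standing this honeypot up (constructed)
    benefit: dict    # benefit[phase][attacker_type] (constructed)


STRATEGIES = [
    # Deploy nothing: no cost, no benefit.
    Strategy("none", 0.0, {p: {t: 0.0 for t in TYPES} for p in PHASES}),
    # Cheap low-interaction web decoy: good early, weak once the attacker moves on.
    Strategy("low_interaction_web", 1.0, {
        "recon":   {"scripted": 4.0, "targeted": 1.0},
        "exploit": {"scripted": 5.0, "targeted": 2.0},
        "lateral": {"scripted": 1.0, "targeted": 1.0},
        "exfil":   {"scripted": 0.5, "targeted": 0.5},
    }),
    # Expensive high-interaction file-share decoy: pays off against a targeted
    # intruder in later phases.
    Strategy("high_interaction_smb", 4.0, {
        "recon":   {"scripted": 2.0, "targeted": 3.0},
        "exploit": {"scripted": 3.0, "targeted": 5.0},
        "lateral": {"scripted": 3.0, "targeted": 9.0},
        "exfil":   {"scripted": 2.0, "targeted": 8.0},
    }),
]


def update_belief(belief, observation):
    """Bayes rule: posterior over attacker types given one observed event."""
    lik = LIKELIHOOD[observation]
    unnorm = {t: belief[t] * lik[t] for t in TYPES}
    total = sum(unnorm.values())
    return {t: v / total for t, v in unnorm.items()}


def expected_utility(strategy, phase, belief):
    """Belief-weighted benefit in this phase minus the deployment cost."""
    return sum(belief[t] * strategy.benefit[phase][t] for t in TYPES) - strategy.cost


def best_strategy(phase, belief, strategies=STRATEGIES):
    """The deployment with the highest expected utility for this phase/belief."""
    return max(strategies, key=lambda s: expected_utility(s, phase, belief))


def respond(observations, prior=None):
    """Replay a sequence of observed events; return (phase, strategy, belief) per step.

    Each step re-evaluates the choice, which is what makes the response
    dynamic across attack phases rather than fixed at deployment time.
    """
    belief = dict(prior or {t: 1.0 / len(TYPES) for t in TYPES})
    trace = []
    for obs in observations:
        belief = update_belief(belief, obs)
        phase = PHASE_OF[obs]
        chosen = best_strategy(phase, belief)
        trace.append((phase, chosen.name, dict(belief)))
    return trace


if __name__ == "__main__":
    # Constructed event sequence standing in for what the SDN controller would observe.
    for phase, name, belief in respond(["port_scan", "web_exploit", "smb_enum", "large_transfer"]):
        print(f"{phase:8s} -> {name:22s} belief={ {t: round(v, 3) for t, v in belief.items()} }")
```

On the constructed sequence the cheap web decoy wins while the belief still favors a scripted attacker, and the choice switches to the costly high-interaction decoy once lateral-movement and exfiltration events push the belief toward a targeted intruder. In a real deployment the benefit and cost tables would come from the defender's own asset valuation and from measured container start-up cost, and the belief update from calibrated detection likelihoods; the selection rule itself is unchanged.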

Key words: Honeypot, attack graph, game of dynamic incomplete information, software defined network, Docker
