A novel SDN based stealthy TCP connection handover mechanism for hybrid honeypot systems

Wenjun Fan; David Fernandez

doi:10.1109/NETSOFT.2017.8004194

A novel SDN based stealthy TCP connection handover mechanism for hybrid honeypot systems

Wenjun Fan, David Fernandez

Technical University of Madrid

Research output: Chapter in Book or Report/Conference proceeding › Conference Proceeding › peer-review

24 Citations (Scopus)

Abstract

Honeypots have been largely used to capture and investigate malicious behavior through deliberately sacrificing their own resources in order to be attacked. Hybrid honeypot architectures consisting of frontends and backends are widely used in the research area, specially due to the benefits of their high scalability and fidelity for detailed attacking data collection. A hybrid honeypot system often needs a facility aimed to tightly control the network traffic, for purposes such as redirecting the traffic from the frontends to the backends for in-depth attack analysis. However, the current traffic redirection approaches, particularly the TCP connection handover mechanisms, are not stealthy and they can be easily detected by attackers. This paper proposes an SDN based network data controller for hybrid honeypot systems that uses a transparent TCP connection handover mechanism and provides a traffic filtering approach based on the Snort alert functionality. The controller is implemented as an application based on the open-source Ryu SDN framework. It allows the users to configure their own network data control rules, which based on the Snort alert messages will forward or redirect the traffic to the corresponding honeypots. The experiments validate the proposed mechanism and the testing results show that the controller can efficiently perform the stealthy TCP connection handover as well.

Original language	English
Title of host publication	2017 IEEE Conference on Network Softwarization
Subtitle of host publication	Softwarization Sustaining a Hyper-Connected World: en Route to 5G, NetSoft 2017
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	1-9
Number of pages	9
ISBN (Electronic)	9781509060085
DOIs	https://doi.org/10.1109/NETSOFT.2017.8004194
Publication status	Published - 2017
Externally published	Yes
Event	2017 IEEE Conference on Network Softwarization, NetSoft 2017 - Bologna, Italy Duration: 3 Jul 2017 → 7 Jul 2017

Publication series

Name	2017 IEEE Conference on Network Softwarization: Softwarization Sustaining a Hyper-Connected World: en Route to 5G, NetSoft 2017

Conference

Conference	2017 IEEE Conference on Network Softwarization, NetSoft 2017
Country/Territory	Italy
City	Bologna
Period	3/07/17 → 7/07/17

Keywords

Cyber Security
Honeypots
Intrusion Detection
SDN
Traffic Redirection
Virtualization

Access to Document

10.1109/NETSOFT.2017.8004194

Cite this

Fan, W., & Fernandez, D. (2017). A novel SDN based stealthy TCP connection handover mechanism for hybrid honeypot systems. In 2017 IEEE Conference on Network Softwarization: Softwarization Sustaining a Hyper-Connected World: en Route to 5G, NetSoft 2017 (pp. 1-9). Article 8004194 (2017 IEEE Conference on Network Softwarization: Softwarization Sustaining a Hyper-Connected World: en Route to 5G, NetSoft 2017). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/NETSOFT.2017.8004194

Fan, Wenjun ; Fernandez, David. / A novel SDN based stealthy TCP connection handover mechanism for hybrid honeypot systems. 2017 IEEE Conference on Network Softwarization: Softwarization Sustaining a Hyper-Connected World: en Route to 5G, NetSoft 2017. Institute of Electrical and Electronics Engineers Inc., 2017. pp. 1-9 (2017 IEEE Conference on Network Softwarization: Softwarization Sustaining a Hyper-Connected World: en Route to 5G, NetSoft 2017).

@inproceedings{a0cdab2fb052495087c23a5c893d15e1,

title = "A novel SDN based stealthy TCP connection handover mechanism for hybrid honeypot systems",

abstract = "Honeypots have been largely used to capture and investigate malicious behavior through deliberately sacrificing their own resources in order to be attacked. Hybrid honeypot architectures consisting of frontends and backends are widely used in the research area, specially due to the benefits of their high scalability and fidelity for detailed attacking data collection. A hybrid honeypot system often needs a facility aimed to tightly control the network traffic, for purposes such as redirecting the traffic from the frontends to the backends for in-depth attack analysis. However, the current traffic redirection approaches, particularly the TCP connection handover mechanisms, are not stealthy and they can be easily detected by attackers. This paper proposes an SDN based network data controller for hybrid honeypot systems that uses a transparent TCP connection handover mechanism and provides a traffic filtering approach based on the Snort alert functionality. The controller is implemented as an application based on the open-source Ryu SDN framework. It allows the users to configure their own network data control rules, which based on the Snort alert messages will forward or redirect the traffic to the corresponding honeypots. The experiments validate the proposed mechanism and the testing results show that the controller can efficiently perform the stealthy TCP connection handover as well.",

keywords = "Cyber Security, Honeypots, Intrusion Detection, SDN, Traffic Redirection, Virtualization",

author = "Wenjun Fan and David Fernandez",

note = "Publisher Copyright: {\textcopyright} 2017 IEEE.; 2017 IEEE Conference on Network Softwarization, NetSoft 2017 ; Conference date: 03-07-2017 Through 07-07-2017",

year = "2017",

doi = "10.1109/NETSOFT.2017.8004194",

language = "English",

series = "2017 IEEE Conference on Network Softwarization: Softwarization Sustaining a Hyper-Connected World: en Route to 5G, NetSoft 2017",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "1--9",

booktitle = "2017 IEEE Conference on Network Softwarization",

}

Fan, W & Fernandez, D 2017, A novel SDN based stealthy TCP connection handover mechanism for hybrid honeypot systems. in 2017 IEEE Conference on Network Softwarization: Softwarization Sustaining a Hyper-Connected World: en Route to 5G, NetSoft 2017., 8004194, 2017 IEEE Conference on Network Softwarization: Softwarization Sustaining a Hyper-Connected World: en Route to 5G, NetSoft 2017, Institute of Electrical and Electronics Engineers Inc., pp. 1-9, 2017 IEEE Conference on Network Softwarization, NetSoft 2017, Bologna, Italy, 3/07/17. https://doi.org/10.1109/NETSOFT.2017.8004194

A novel SDN based stealthy TCP connection handover mechanism for hybrid honeypot systems. / Fan, Wenjun; Fernandez, David.
2017 IEEE Conference on Network Softwarization: Softwarization Sustaining a Hyper-Connected World: en Route to 5G, NetSoft 2017. Institute of Electrical and Electronics Engineers Inc., 2017. p. 1-9 8004194 (2017 IEEE Conference on Network Softwarization: Softwarization Sustaining a Hyper-Connected World: en Route to 5G, NetSoft 2017).

Research output: Chapter in Book or Report/Conference proceeding › Conference Proceeding › peer-review

TY - GEN

T1 - A novel SDN based stealthy TCP connection handover mechanism for hybrid honeypot systems

AU - Fan, Wenjun

AU - Fernandez, David

PY - 2017

Y1 - 2017

N2 - Honeypots have been largely used to capture and investigate malicious behavior through deliberately sacrificing their own resources in order to be attacked. Hybrid honeypot architectures consisting of frontends and backends are widely used in the research area, specially due to the benefits of their high scalability and fidelity for detailed attacking data collection. A hybrid honeypot system often needs a facility aimed to tightly control the network traffic, for purposes such as redirecting the traffic from the frontends to the backends for in-depth attack analysis. However, the current traffic redirection approaches, particularly the TCP connection handover mechanisms, are not stealthy and they can be easily detected by attackers. This paper proposes an SDN based network data controller for hybrid honeypot systems that uses a transparent TCP connection handover mechanism and provides a traffic filtering approach based on the Snort alert functionality. The controller is implemented as an application based on the open-source Ryu SDN framework. It allows the users to configure their own network data control rules, which based on the Snort alert messages will forward or redirect the traffic to the corresponding honeypots. The experiments validate the proposed mechanism and the testing results show that the controller can efficiently perform the stealthy TCP connection handover as well.

AB - Honeypots have been largely used to capture and investigate malicious behavior through deliberately sacrificing their own resources in order to be attacked. Hybrid honeypot architectures consisting of frontends and backends are widely used in the research area, specially due to the benefits of their high scalability and fidelity for detailed attacking data collection. A hybrid honeypot system often needs a facility aimed to tightly control the network traffic, for purposes such as redirecting the traffic from the frontends to the backends for in-depth attack analysis. However, the current traffic redirection approaches, particularly the TCP connection handover mechanisms, are not stealthy and they can be easily detected by attackers. This paper proposes an SDN based network data controller for hybrid honeypot systems that uses a transparent TCP connection handover mechanism and provides a traffic filtering approach based on the Snort alert functionality. The controller is implemented as an application based on the open-source Ryu SDN framework. It allows the users to configure their own network data control rules, which based on the Snort alert messages will forward or redirect the traffic to the corresponding honeypots. The experiments validate the proposed mechanism and the testing results show that the controller can efficiently perform the stealthy TCP connection handover as well.

KW - Cyber Security

KW - Honeypots

KW - Intrusion Detection

KW - SDN

KW - Traffic Redirection

KW - Virtualization

UR - http://www.scopus.com/inward/record.url?scp=85029347893&partnerID=8YFLogxK

U2 - 10.1109/NETSOFT.2017.8004194

DO - 10.1109/NETSOFT.2017.8004194

M3 - Conference Proceeding

T3 - 2017 IEEE Conference on Network Softwarization: Softwarization Sustaining a Hyper-Connected World: en Route to 5G, NetSoft 2017

SP - 1

EP - 9

BT - 2017 IEEE Conference on Network Softwarization

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 2017 IEEE Conference on Network Softwarization, NetSoft 2017

Y2 - 3 July 2017 through 7 July 2017

ER -

Fan W, Fernandez D. A novel SDN based stealthy TCP connection handover mechanism for hybrid honeypot systems. In 2017 IEEE Conference on Network Softwarization: Softwarization Sustaining a Hyper-Connected World: en Route to 5G, NetSoft 2017. Institute of Electrical and Electronics Engineers Inc. 2017. p. 1-9. 8004194. (2017 IEEE Conference on Network Softwarization: Softwarization Sustaining a Hyper-Connected World: en Route to 5G, NetSoft 2017). doi: 10.1109/NETSOFT.2017.8004194

A novel SDN based stealthy TCP connection handover mechanism for hybrid honeypot systems

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this