Abstract
A honeypot is a dedicated security tool for enticing and deceiving adversaries. After a successful intrusion, an adversary often obtains a shell (bind or reverse, depending on the type of attack), which is used for command and control (C&C) of the compromised machine. The serious consequences of C&C must be controlled. As is well known, the C&C shell is often sustained by a TCP connection. However, many honeypots lack the capability to control shell TCP connections: a high-interaction honeypot (HIH) is often unable to migrate the bind shell TCP connection, and a low-/medium-interaction honeypot (LIH/MIH) does not even support creating a reverse shell TCP connection. In this paper, we use Software Defined Network (SDN) and Network Function Virtualization (NFV) to propose an SDN-NFV-enabled honeypot system that provides a container-based covert attack-connection manipulation mechanism to address this issue. Taking advantage of SDN/NFV technology, the proposed honeypot can respond dynamically by building a shell-container to deceive the adversary, following the moving-target defense principle. To validate the proposal, a prototype is implemented and a number of experiments are conducted. The experimental results show that the proposed honeypot system is effective and efficient.
Original language | English |
---|---|
Title of host publication | 36th IEEE/IFIP Network Operations and Management Symposium, NOMS 2023 |
Publisher | IEEE |
DOIs | |
Publication status | Published - 8 May 2023 |
Event | 36th IEEE/IFIP Network Operations and Management Symposium, NOMS 2023 - Miami, United States (Duration: 8 May 2023 → 12 May 2023) |
Conference
Conference | 36th IEEE/IFIP Network Operations and Management Symposium, NOMS 2023 |
---|---|
Country/Territory | United States |
City | Miami |
Period | 8/05/23 → 12/05/23 |
Keywords
- Bind Shell
- Connection Manipulation
- Honeypot
- Moving Target Defense
- NFV
- Reverse Shell
- SDN