An SDN-NFV-enabled Honeypot for Manipulating Command & Control Shell TCP Connection

Siyuan Wu, Wenjun Fan*

*Corresponding author for this work

Research output: Chapter in Book or Report/Conference proceeding, Conference Proceeding, peer-review

1 Citation (Scopus)

Abstract

A honeypot is a dedicated security tool for enticing and deceiving adversaries. After a successful intrusion, an adversary often obtains a shell (either bind or reverse, depending on the type of attack), which is used to command and control (C&C) the compromised machine. The serious consequences of C&C must be controlled. As is well known, the C&C shell is often sustained by a TCP connection. However, many honeypots lack the capability to control shell TCP connections: a high-interaction honeypot (HIH) is often unable to migrate the bind shell TCP connection, and a low-/medium-interaction honeypot (LIH/MIH) does not even support creating a reverse shell TCP connection. In this paper, we use Software Defined Network (SDN) and Network Function Virtualization (NFV) to propose an SDN-NFV-enabled honeypot system that provides a container-based covert attack-connection manipulation mechanism to address the above issue. Taking advantage of SDN/NFV technology, the proposed honeypot is able to respond dynamically by building a shell-container to deceive the adversary, following the moving-target defense principle. To consolidate the proposal, a prototype is implemented and a number of experiments are conducted. The experimental results show that the proposed honeypot system is effective and efficient.

Original language: English
Title of host publication: 36th IEEE/IFIP Network Operations and Management Symposium, NOMS 2023
Publisher: IEEE
Publication status: Published - 8 May 2023
Event: 36th IEEE/IFIP Network Operations and Management Symposium, NOMS 2023 - Miami, United States
Duration: 8 May 2023 to 12 May 2023

Conference

Conference: 36th IEEE/IFIP Network Operations and Management Symposium, NOMS 2023
Country/Territory: United States
City: Miami
Period: 8/05/23 to 12/05/23

Keywords

  • Bind Shell
  • Connection Manipulation
  • Honeypot
  • Moving Target Defense
  • NFV
  • Reverse Shell
  • SDN
