
Application of Content Computing in Honeyfarm

Jan 01, 2016


kadeem-weaver

Transcript
Page 1: Application of Content Computing in Honeyfarm

Application of Content Computing in Honeyfarm

• Introduction
• Overview of CDN (content delivery network)
• Overview of honeypot and honeyfarm
• New redirection mechanism in honeyfarm
• Possible future extension

Page 2: Application of Content Computing in Honeyfarm

Introduction

• Honeypot and honeyfarm are important security technologies.

• Efficient and transparent redirection mechanism is necessary for successful construction of honeyfarm.

• Content delivery network (CDN) can be used to implement redirection for honeyfarm.

Page 3: Application of Content Computing in Honeyfarm

• Modifications in CDN to make it suitable for redirection in honeyfarm.

Page 4: Application of Content Computing in Honeyfarm

Overview of CDN

• CDN:
  – Dedicated network of servers
  – Deployed throughout the Internet
  – Fast delivery of web site contents

• Four components of CDN:
  – Surrogate servers
  – Routers
  – Request-routing infrastructure (RRI)
  – Accounting logs

Page 5: Application of Content Computing in Honeyfarm

• Two primary technologies of CDN:
  – Intelligent wide area traffic management
    • Direct clients’ requests to optimal site based on topological proximity.
    • Two types of redirection: DNS redirection or URL rewriting.
  – Cache
    • Saves useful contents in cache nodes.
    • Two cache policies: least frequently used standard and least recently used standard.

Page 6: Application of Content Computing in Honeyfarm

Overview of honeypot and honeyfarm

• Honeypot
  – A secure resource.
  – A web site with imitated contents to lure hackers.
  – To research and explore hackers’ behaviors.

• Three types of honeypot:
  – Low-interaction honeypot.
  – High-interaction honeypot.
  – Medium-interaction honeypot.

Page 7: Application of Content Computing in Honeyfarm

• Honeyfarm:
  – One type of high-interaction honeypot.
  – Many honeypots deployed throughout the Internet.
  – Emulates web sites as real as possible.
  – Currently uses layer 2 VPN to redirect hackers.

Page 8: Application of Content Computing in Honeyfarm

• Requirements of redirection in honeyfarm:
  – Transparency.
  – Quick access.
  – Update.

• CDN is able to fulfill requirements of redirection in honeyfarm.

Page 9: Application of Content Computing in Honeyfarm

New redirection mechanism in honeyfarm

• Drawback of layer 2 VPN redirection:
  – Centralized problem creates latency.

• Problems of CDN redirection:
  – Transparency requirement may not be satisfied.
  – Comparison of topological proximity in RRI gives rise to a centralized problem.

Page 10: Application of Content Computing in Honeyfarm

• Modifications of CDN to meet the redirection requirements:
  – Integrating RRI, local DNS server and proxy cache into one single component called redirection server.
  – All honeypots are organized in CDN architecture.
  – Redirection servers are organized in a tree structure.

Page 11: Application of Content Computing in Honeyfarm

[Figure: tree of redirection servers. Labels: Hacker; Mid-system; Asia, Euro, North Amer, South Amer, Oceania, Africa; Root server]

Page 12: Application of Content Computing in Honeyfarm

• Two steps in the handling of hackers:
  – Identification of potential hackers.
  – Redirection of identified hackers to the appropriate honeypot.

Page 13: Application of Content Computing in Honeyfarm

• Identification of potential hackers:
  – Monitoring of unused IP addresses in the intranet.
  – Using rule-based intrusion detection systems (IDS).
  – Using firewall.
  – Identification of potential hackers is done in ‘mid-system’.

Page 14: Application of Content Computing in Honeyfarm

• Workflow of redirection of hackers:
  – Request from hackers to mid-system to resolve domain name of genuine target is sent to redirection server.
  – Redirection server returns its own address to mid-system so that subsequent requests will be redirected to redirection server.
  – Hackers ask mid-system to send contents.

Page 15: Application of Content Computing in Honeyfarm

– Local redirection server asks all leaf redirection servers if requested contents have been emulated in honeyfarm.

– If yes, then

Page 16: Application of Content Computing in Honeyfarm

[Figure: redirection server tree showing the local redirection server and message flows ① to ④]

① The lower-layer redirection server sends the optimal selection to the father node and asks its father node to find the optimal honeypot in the father node’s controlling domain.

② The father node returns its selection of the optimal honeypot in its controlling domain.

③ The father node asks its child nodes to find the optimal honeypot in the child nodes’ controlling domain.

④ The lower-layer node sends the selection of the optimal honeypot in its controlling domain to the father node.

Page 17: Application of Content Computing in Honeyfarm

– If no, hackers are kept in the mid-system by giving them some limited privilege.

– Local redirection server selects the nearest honeypot and emulates the requested contents.

– When emulation is completed, the IP address of the selected honeypot is returned.

– Local redirection server gets contents from the honeypot and disguises them as if they are from the genuine target.

– Emulated contents are sent to mid-system.
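The selection workflow on the preceding slides, modelled as an added example that is not part of the original presentation. The class names, the constructed two-region topology, and the use of a round-trip time as the "topological proximity" metric are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Honeypot:
    ip: str
    rtt_ms: dict                      # mid-system -> proximity (assumed metric: RTT)
    emulated: set = field(default_factory=set)

@dataclass
class RedirectionServer:
    name: str
    honeypots: list = field(default_factory=list)
    children: list = field(default_factory=list)
    parent: object = None

    def add(self, child):
        child.parent = self
        self.children.append(child)
        return child

    def best_in_domain(self, mid, content=None, skip=None):
        # Steps 3 and 4: a node asks its children and reports its domain's best honeypot.
        found = [h for h in self.honeypots if content is None or content in h.emulated]
        for child in self.children:
            if child is not skip:
                found.append(child.best_in_domain(mid, content))
        return min((h for h in found if h), key=lambda h: h.rtt_ms[mid], default=None)

    def search(self, mid, content=None):
        # Steps 1 and 2: pass the running best up to each father node until the root.
        best, node, prev = None, self, None
        while node is not None:
            found = node.best_in_domain(mid, content, skip=prev)
            best = min((h for h in (best, found) if h), key=lambda h: h.rtt_ms[mid], default=None)
            prev, node = node, node.parent
        return best

    def resolve(self, mid, content):
        hp = self.search(mid, content)
        if hp is None:                     # "If no": emulate on the nearest honeypot
            hp = self.search(mid)
            hp.emulated.add(content)
        return hp.ip                       # address handed back for the mid-system

def constructed_farm():
    # Constructed topology; addresses are documentation ranges (RFC 5737).
    root = RedirectionServer("root")
    asia = root.add(RedirectionServer("asia", [Honeypot("192.0.2.10", {"mid-a": 20}, {"shop.example"})]))
    root.add(RedirectionServer("euro", [Honeypot("198.51.100.7", {"mid-a": 180}, {"shop.example", "bank.example"})]))
    return asia
```

Each father node compares only the candidates reported by its own children, so the proximity comparison is spread over the tree rather than performed at one central RRI.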

Page 18: Application of Content Computing in Honeyfarm

• Advantages of the new redirection mechanism:
  – Transparency - the modification of the requested contents and identification of the hackers in the mid-systems can ensure transparency.
  – Quick access - distributing the comparison of topological proximity and constructing the honeyfarm in a CDN architecture increase the speed with which the honeyfarm selects the best honeypot for content delivery.
  – Update - the update approach of CDN can make sure that the information emulated in the honeyfarm is updated in time.

Page 19: Application of Content Computing in Honeyfarm

Possible future extension

• Performance issues of the redirection mechanism.

• Issue of proxy cache.

• Combining URL rewriting and DNS-based redirection.

Page 20: Application of Content Computing in Honeyfarm

Thank you!

Page 21: Application of Content Computing in Honeyfarm

Q & A