Active Forensics Technology of Honeypot Based on OpenFlow
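  • English title: Active Forensics Technology of Honeypot Based on OpenFlow
  • Authors: 杨天识; 刁培金; 梁露露; 常震
  • Authors (English): YANG Tian-shi; DIAO Pei-jin; LIANG Lu-lu; CHANG Zhen; China Information Technology Security Evaluation Center; Beijing Zhongceanhua Technology Co., Ltd.; University of Science and Technology of China
  • Keywords: cloud computing; OpenFlow control; honeypot system
  • Keywords (English): cloud computing; OpenFlow control; honeypot
  • Journal name (Chinese): 北京理工大学学报
  • Journal name (English): Transactions of Beijing Institute of Technology
  • Institutions: China Information Technology Security Evaluation Center; Beijing Zhongceanhua Technology Co., Ltd.; University of Science and Technology of China
  • Publication date: 2019-05-15
  • Publisher: 北京理工大学学报 (Transactions of Beijing Institute of Technology)
  • Year: 2019
  • Issue: 05
  • Funding: National "863" Program project (2015AA16001)
  • Language: Chinese
  • Pages: 108-113
  • Page count: 6
  • CN: 11-2596/T
  • ISSN: 1001-0645
  • Classification number: TP393.08
Abstract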
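A method is proposed for automatically isolating attack traffic from the real cloud computing server into a honeypot server. A virtual machine is created for a honeypot network server so that the honeypot server has the same memory and storage devices as the real cloud computing server, and network traffic is controlled and monitored through OpenFlow, which isolates the honeypot system from the real cloud server. When a visitor accesses the server normally, the switch routes the visitor's access request to the real server. When a visitor is flagged by the IDS as a suspected attacker, the switch recalculates the routing path and routes the attacker's requests to the designated honeypot.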
To provide customers with remote Internet services, cloud computing concentrates a large number of computing, storage and software resources. Because the information resources of cloud computing users are highly centralized, the risk of security incidents in cloud computing is much higher than in traditional applications. A honeypot system can effectively capture the attack traffic within cloud traffic. However, it is still difficult to develop enticing, protective and deceptive honeypot systems for cloud computing security. In this paper, a method is proposed to automatically isolate attack traffic from a real cloud computing server to a honeypot server. The honeypot system is isolated from the real cloud server by creating a virtual machine for a honeypot network server, giving the honeypot server the same memory and storage devices as the real cloud computing servers, and monitoring the network traffic through OpenFlow. When a visitor accesses the server normally, the switch routes the visitor's access request to the real server. When a visitor is marked as a suspicious attacker by the IDS, the switch recalculates the routing path and routes the attacker's request to the developed honeypot.
