TY - GEN
T1 - HoneyProxy
T2 - 2017 IEEE Conference on Communications and Network Security, CNS 2017
AU - Kyung, Sukwha
AU - Han, Wonkyu
AU - Tiwari, Naveen
AU - Dixit, Vaibhav Hemant
AU - Srinivas, Lakshmi
AU - Zhao, Ziming
AU - Doupe, Adam
AU - Ahn, Gail-Joon
N1 - Funding Information:
ACKNOWLEDGEMENT This work was partially supported by grants from National Science Foundation (NSF-ACI-1642031).
Publisher Copyright:
© 2017 IEEE.
PY - 2017/12/19
Y1 - 2017/12/19
N2 - A honeynet is a network architecture that uses multiple honeypots to deceive attackers and analyze their malicious behavior. However, the existing honeynet has not evolved much since its latest architecture, Gen-III, which was proposed in 2004. Meanwhile, the security threats and techniques used by adversaries have continuously advanced. As a result, the honeypot architecture suffers from limited 'data control' and 'data capture' functionality. The existing data control mechanism neither monitors internal propagation of malware in the network nor supports transitions from one honeypot to another (e.g., from a low-interaction honeypot to a high-interaction honeypot). The data capture capability of the traditional honeynet is also insufficient because it is vulnerable to fingerprinting attacks. To address these challenges, we design and implement an innovative SDN-based honeynet named HoneyProxy as a next-generation honeynet. To prevent internal propagation of malware within the honeynet, HoneyProxy globally monitors all internal traffic with the help of a Software-Defined Networking (SDN) controller. HoneyProxy uses a novel connection management mechanism across the different honeypots in the network to support honeypot transitions. To this end, a HoneyProxy-enabled SDN controller centrally programs the reverse proxy module, which operates in three specific modes. In addition, HoneyProxy improves the data capture capability of the existing honeynet by circumventing fingerprinting attacks: it multicasts malicious traffic to the relevant honeypots and selects the response that does not contain fingerprinting indicator(s). Experimental results show that HoneyProxy supports almost line-rate throughput (8.23 Gbps) on a 10 Gbps link with negligible latency overhead (0.5-1.2 milliseconds).
AB - A honeynet is a network architecture that uses multiple honeypots to deceive attackers and analyze their malicious behavior. However, the existing honeynet has not evolved much since its latest architecture, Gen-III, which was proposed in 2004. Meanwhile, the security threats and techniques used by adversaries have continuously advanced. As a result, the honeypot architecture suffers from limited 'data control' and 'data capture' functionality. The existing data control mechanism neither monitors internal propagation of malware in the network nor supports transitions from one honeypot to another (e.g., from a low-interaction honeypot to a high-interaction honeypot). The data capture capability of the traditional honeynet is also insufficient because it is vulnerable to fingerprinting attacks. To address these challenges, we design and implement an innovative SDN-based honeynet named HoneyProxy as a next-generation honeynet. To prevent internal propagation of malware within the honeynet, HoneyProxy globally monitors all internal traffic with the help of a Software-Defined Networking (SDN) controller. HoneyProxy uses a novel connection management mechanism across the different honeypots in the network to support honeypot transitions. To this end, a HoneyProxy-enabled SDN controller centrally programs the reverse proxy module, which operates in three specific modes. In addition, HoneyProxy improves the data capture capability of the existing honeynet by circumventing fingerprinting attacks: it multicasts malicious traffic to the relevant honeypots and selects the response that does not contain fingerprinting indicator(s). Experimental results show that HoneyProxy supports almost line-rate throughput (8.23 Gbps) on a 10 Gbps link with negligible latency overhead (0.5-1.2 milliseconds).
UR - http://www.scopus.com/inward/record.url?scp=85046549040&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85046549040&partnerID=8YFLogxK
U2 - 10.1109/CNS.2017.8228653
DO - 10.1109/CNS.2017.8228653
M3 - Conference contribution
AN - SCOPUS:85046549040
T3 - 2017 IEEE Conference on Communications and Network Security, CNS 2017
SP - 1
EP - 9
BT - 2017 IEEE Conference on Communications and Network Security, CNS 2017
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 9 October 2017 through 11 October 2017
ER -