Sensor in the dark: Building untraceable large-scale honeypots using virtualization technologies

Akihiro Shimoda, Tatsuya Mori, Shigeki Goto

研究成果: Conference contribution

2 引用 (Scopus)

抜粋

A Honeypot is a system that aims to detect and analyze malicious attacks attempted on a network in an interactive manner. Because the primary objective of a honeypot is to detect enemies without being known to them, it is important to hide its existence. However, as several studies have reported, exploiting the unique characteristics of hosts working on a consecutive IP addresses range easily reveals the existence of honeypots. In fact, there exist some anti-honeypot tools that intelligently probe IP address space to locate Internet security sensors including honeypots. In order to tackle this problem, we propose a system called DarkPots, that consists of a large number of virtualized honeypots using unused and nonconsecutive IP addresses in a production network. DarkPots enables us to deploy a large number of honeypots within an active IP space used for a production network; thus detection is difficult using existing probing techniques. In addition, by virtually classifying the unused IP addresses into several groups, DarkPots enables us to perform several monitoring schemes simultaneously. This function is meaningful because we can adopt more than one monitoring schemes and compare their results in an operating network. We design and implement a prototype of DarkPots and empirically evaluate its effectiveness and feasibility by concurrently performing three independent monitoring schemes in a high-speed campus network. The system successfully emulated 7,680 of virtualized honeypots on a backbone link that carries 500 Mbps - 1 Gbps of traffic without affecting legitimate traffic. Our key findings suggest: (1) active and interactive monitoring schemes provide more in-depth insights of malicious attacks, compared to passive monitoring approach in a quantitative way, and (2) randomly distributed allocation of IP addresses has an advantage over the concentrated allocation in that it can collect more information from malwares. These features are crucial in monitoring the security threats.

元の言語English
ホスト出版物のタイトルProceedings - 2010 10th Annual International Symposium on Applications and the Internet, SAINT 2010
ページ22-30
ページ数9
DOI
出版物ステータスPublished - 2010 11 29
イベント2010 10th Annual International Symposium on Applications and the Internet, SAINT 2010 - Seoul, Korea, Republic of
継続期間: 2010 7 192010 7 23

出版物シリーズ

名前Proceedings - 2010 10th Annual International Symposium on Applications and the Internet, SAINT 2010

Conference

Conference2010 10th Annual International Symposium on Applications and the Internet, SAINT 2010
Korea, Republic of
Seoul
期間10/7/1910/7/23

    フィンガープリント

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Computer Science Applications

これを引用

Shimoda, A., Mori, T., & Goto, S. (2010). Sensor in the dark: Building untraceable large-scale honeypots using virtualization technologies. : Proceedings - 2010 10th Annual International Symposium on Applications and the Internet, SAINT 2010 (pp. 22-30). [5598179] (Proceedings - 2010 10th Annual International Symposium on Applications and the Internet, SAINT 2010). https://doi.org/10.1109/SAINT.2010.42