Upload: tyler-horton

Post on 01-Jan-2016


Application of Content Computing in Honeyfarm

• Introduction

• Overview of CDN (content delivery network)

• Overview of honeypot and honeyfarm

• New redirection mechanism in honeyfarm

• Possible future extension

Introduction

• Honeypot and honeyfarm are important security technologies.

• Efficient and transparent redirection mechanism is necessary for successful construction of honeyfarm.

• Content delivery network (CDN) can be used to implement redirection for honeyfarm.

• Modifications in CDN to make it suitable for redirection in honeyfarm.

Overview of CDN

• CDN:

– Dedicated network of servers

– Deployed throughout the Internet

– Fast delivery of web site contents

• Four components of CDN:

– Surrogate servers

– Routers

– Request-routing infrastructure (RRI)

– Accounting logs

• Two primary technologies of CDN:

– Intelligent wide area traffic management

  • Direct clients’ requests to optimal site based on topological proximity.

  • Two types of redirection: DNS redirection or URL rewriting.

– Cache

  • Saves useful contents in cache nodes.

  • Two cache policies: least frequently used standard and least recently used standard.

Overview of honeypot and honeyfarm

• Honeypot

– A secure resource.

– A web site with imitated contents to lure hackers.

– To research and explore hackers’ behaviors.

• Three types of honeypot:

– Low-interaction honeypot.

– High-interaction honeypot.

– Medium-interaction honeypot.

• Honeyfarm:

– One type of high-interaction honeypot.

– Many honeypots deployed throughout the Internet.

– Emulates web sites as real as possible.

– Currently uses layer 2 VPN to redirect hackers.

• Requirements of redirection in honeyfarm:

– Transparency.

– Quick access.

– Update.

• CDN is able to fulfill requirements of redirection in honeyfarm.

New redirection mechanism in honeyfarm

• Drawback of layer 2 VPN redirection:

– Centralized problem creates latency.

• Problems of CDN redirection:

– Transparency requirement may not be satisfied.

– Comparison of topological proximity in RRI gives rise to a centralized problem.

• Modifications of CDN to meet the redirection requirements:

– Integrating RRI, local DNS server and proxy cache into one single component called redirection server.

– All honeypots are organized in CDN architecture.

– Redirection servers are organized in a tree structure.

[Figure: tree of redirection servers. Labels: Hacker, Mid-system, Root server; regions Asia, Euro, North Amer, South Amer, Oceania, Africa.]

• Two steps in the handling of hackers:

– Identification of potential hackers.

– Redirection of identified hackers to the appropriate honeypot.

• Identification of potential hackers:

– Monitoring of unused IP addresses in the intranet.

– Using rule-based intrusion detection systems (IDS).

– Using firewall.

– Identification of potential hackers is done in ‘mid-system’.

• Workflow of redirection of hackers:

– Request from hackers to mid-system to resolve domain name of genuine target is sent to redirection server.

– Redirection server returns its own address to mid-system so that subsequent requests will be redirected to redirection server.

– Hackers ask mid-system to send contents.

– Local redirection server asks all leaf redirection servers if requested contents have been emulated in honeyfarm.

– If yes, then:

  ① The lower-layer redirection server sends the optimal selection to the father node and asks its father node to find the optimal honeypot in the father node’s controlling domain.

  ② The father node returns its selection of the optimal honeypot in its controlling domain.

  ③ The father node asks its child nodes to find the optimal honeypot in the child nodes’ controlling domain.

  ④ The lower-layer node sends the selection of the optimal honeypot in its controlling domain to the father node.

[Figure: steps ① to ④, with the local redirection server labelled.]

– If no, hackers are kept in the mid-system by giving them some limited privilege.

– Local redirection server selects the nearest honeypot and emulates the requested contents.

– When emulation is completed, the IP address of the selected honeypot is returned.

– Local redirection server gets the contents from the honeypot and disguises them as if they are from the genuine target.

– Emulated contents are sent to mid-system.

• Advantages of the new redirection mechanism:

– Transparency - modifying the requested contents and identifying the hackers in the mid-systems can ensure transparency.

– Quick access - distributing the comparison of topological proximity and constructing the honeyfarm in a CDN architecture increase the speed at which the honeyfarm selects the best honeypot for content delivery.

– Update - the update approach of CDN can make sure that the information emulated in the honeyfarm is updated in time.
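The tree-based selection in the redirection workflow above can be sketched as follows. This is an added example, not code from the original slides; the class names, the per-honeypot `distance` metric, the tree shape and the documentation-range addresses are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
SITE = "www.example.com"    # constructed target name

@dataclass
class Honeypot:
    ip: str                 # constructed documentation address
    distance: int           # assumed proximity metric for this request
    emulated: set = field(default_factory=set)

@dataclass
class RedirectionServer:
    name: str
    honeypots: list = field(default_factory=list)
    children: list = field(default_factory=list)
    parent: "RedirectionServer" = None

    def __post_init__(self):
        for c in self.children:
            c.parent = self

    def domain(self, skip=None):   # honeypots in this controlling domain
        below = [h for c in self.children if c is not skip for h in c.domain()]
        return self.honeypots + below

    def best(self, content, skip=None):   # this node's optimal selection
        hits = [h for h in self.domain(skip) if content in h.emulated]
        return min(hits, key=lambda h: h.distance, default=None)

def select_honeypot(local, content):
    """Return (action, honeypot) for a request at the local redirection server."""
    best, node = local.best(content), local
    while node.parent is not None:      # steps 1-4, repeated up to the root
        prev, node = node, node.parent
        cand = node.best(content, skip=prev)    # father covers the other subtrees
        best = min(filter(None, (best, cand)), key=lambda h: h.distance, default=None)
    if best:
        return "redirect", best
    # Not emulated anywhere: nearest honeypot emulates it (node is now the root).
    nearest = min(node.domain(), key=lambda h: h.distance)
    nearest.emulated.add(content)
    return "emulate", nearest

def build_demo():   # constructed tree: root -> Asia(asia-1, asia-2), Euro(euro-1)
    local = RedirectionServer("asia-1", [Honeypot("192.0.2.10", 5)])
    asia2 = RedirectionServer("asia-2", [Honeypot("192.0.2.20", 9, {SITE})])
    euro1 = RedirectionServer("euro-1", [Honeypot("198.51.100.5", 30, {SITE})])
    asia = RedirectionServer("Asia", children=[local, asia2])
    RedirectionServer("root", children=[asia, RedirectionServer("Euro", children=[euro1])])
    return local
```

Each node compares only the candidates from its own controlling domain, so no single server has to rank every honeypot in the farm.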

Possible future extension

• Performance issues of the redirection mechanism.

• Issue of proxy cache.

• Combining URL rewriting and DNS-based redirection.

Thank you!

Q & A