
ArkHoney: A Web Honeypot Based on Collaborative Mechanisms

Cited by: 12
Abstract: The rapid development of Web-based Internet applications has drawn the attention of attackers, and attacks against the Web have become one of the major threats on the Internet. Web honeypot technology helps collect attack information so that such threats can be dealt with more effectively, and it has therefore attracted the attention of security researchers. However, a honeypot can only capture attacks directed at itself: if an attacker finds that the application they want to attack is not in the honeypot system, the attacker takes no further action and the honeypot system captures no attack data. To increase the probability that an attacker successfully attacks a Web honeypot, this paper proposes a scheme that deploys multiple different applications in a Web honeypot system. First, it introduces the concept of a honeypot-cluster, composed of multiple honeypots running different applications; then it designs a honeypot-cluster collaborative algorithm that makes the whole cluster function as a single Web honeypot; finally, it implements ArkHoney, a prototype honeypot based on the collaborative mechanism, using four different applications. During a two-month deployment, the ArkHoney honeypot system captured 7933 requests from 985 distinct IP addresses. Through analysis of the captured data, 26 attacks against the four applications have been manually confirmed. The paper presents statistics on the overall captured data and then analyzes selected cases captured by different honeypots in the cluster; the experiments show that the proposed collaboration-based Web honeypot effectively increases the honeypot system's ability to capture attacks.

With the rapid development and growth of network services on websites, Web attacks have drawn significant attention from attackers, making them one of the major threats on the Internet. Such attacks have caused great loss of financial and intellectual property. High-interaction honeypots can attract attackers, detect attacks and suspicious behavior on the Internet, and collect information about what attackers do during and after their attacks. The information collected by a honeypot can effectively help security vendors and service providers learn the threats websites face and thus protect websites from attacks. However, what attack information can be collected depends on the type and version of the Web applications installed in the Web honeypot. High-interaction Web honeypots can collect only limited information from attacks if the target application is not deployed in the honeypot, because the attacks will fail. To increase the probability that a Web honeypot will be successfully attacked, it is better to deploy various Web applications in one single Web honeypot. This paper proposes a design scheme for a high-interaction Web honeypot that aims to markedly raise the probability that a Web honeypot is successfully attacked, and thereby to enhance attack information collection on high-interaction Web honeypots. First, we analyze the process of Web attacks against honeypots and introduce a concept called the honeypot-cluster, which consists of several Web honeypots and a cooperative control unit. In each of the Web honeypots, different kinds of Web applications are installed. Then, a collaborative algorithm is designed. The cooperative control unit uses the collaborative algorithm to determine which application in the honeypot-cluster is the one the attacker desires. With the collaborative algorithm, a honeypot-cluster performs as if it were a single Web honeypot. When the honeypot-cluster receives an attack, it forwards the attack to the application selected by the collaborative algorithm. In this way, a Web honeypot can collect more att
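Source: Chinese Journal of Computers (《计算机学报》; indexed in EI, CSCD, Peking University Core), 2018, No. 2, pp. 413-425 (13 pages)
Funding: This work was supported by the Dongguan Introduced Innovative Research Team Program (201636000100038) and the National Key Research and Development Program of China (2016YFB0801604).
Keywords: honeypot; honeypot-cluster; Web honeypot; Web application; collaborative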