Container-Based Honeypot Deployment for the Analysis of Malicious Activity

Andronikos Kyriakou, N. Sklavos
DOI: 10.1109/GIIS.2018.8635778 (https://doi.org/10.1109/GIIS.2018.8635778)
Venue: 2018 Global Information Infrastructure and Networking Symposium (GIIS)
Published: 2018-10-01
Citations: 15

Abstract

In today's world, the field of cyber security is a fast-changing environment. New threats are continuously emerging, and the ability to capture and effectively analyze them is paramount. In our work, we deploy multiple honeypot sensors in order to monitor and study the actions of attackers. The selected honeypots are Cowrie, Dionaea and Glastopf, presented as a Linux host, a Windows host and a Web application respectively. This gives us a diverse and broad environment that can attract attackers aiming at different attack surfaces. The sensors run on a containerization platform, Docker, and in this way they are lightweight, resilient and can be easily deployed and managed. Our goal is the creation of a single dashboard that presents the captured data effectively in real time, at both macroscopic and microscopic levels. To this end, we utilize the Elastic Stack and enrich our data sources using VirusTotal's analysis engine. The proposed system ran for a three-month period and provided numerous data points, from which immediately useful conclusions were drawn about the behavior and nature of the malicious users.