HoneyV: A virtualized honeynet system based on network softwarization
Authors: Bahman Rashidi, Carol J. Fung, Kevin W. Hamlen, Andrzej Kamisiński
Venue: NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium
Publication date: 2018-04-23
DOI: 10.1109/NOMS.2018.8406205 (https://doi.org/10.1109/NOMS.2018.8406205)
Citation count: 4
Abstract
Intrusion detection in modern enterprise networks faces challenges due to the increasingly large volume of data and insufficient training data for anomaly detection. In this work, we propose a novel network topology for improved intrusion detection through a multi-phase data monitoring system. Rather than taking the all-or-nothing approach of terminating every session identified as suspicious, the topology routes traffic to different server replicas with different monitoring intensity levels, based on each session's likelihood of being an attack. This topology leverages recent advances in software-defined networking (SDN) to dynamically route such sessions into risk-appropriate computing environments. These environments offer enhanced training opportunities for intrusion detection systems (IDSes) by exposing data streams that would not have been observable had the session merely been terminated at the first sign of maliciousness. They also afford defenders finer-grained risk management by supporting a continuum of endpoint environments, ranging, for example, from fully trusted, to semi-trusted, to fully untrusted.
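The following is an added illustration of the routing idea in the abstract, not code from the HoneyV paper or its authors. It models a controller-side policy that maps a session's risk score to one of three replica tiers (trusted, semi-trusted, untrusted) and emits an OpenFlow-style match/action rule that redirects the session to that tier's replica. The tier thresholds, replica addresses, switch ports, monitoring labels and the shape of the rule dictionary are all assumptions; a real deployment would translate the rule into its controller's FlowMod API. One design choice that is ours rather than the paper's: within a session's lifetime the router only ever escalates a session to a less trusted tier, since a session that has already touched an untrusted replica should not be moved back onto production infrastructure when its score later drops.

```python
"""Risk-tiered session routing for an SDN-steered honeynet (added example).

Everything here is a constructed illustration: tier thresholds, replica
addresses, output ports and the flow-rule layout are assumptions, not the
HoneyV implementation.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional


class Tier(IntEnum):
    """Ordered so that a higher value means less trust / more monitoring."""
    TRUSTED = 0        # production replica, flow records only
    SEMI_TRUSTED = 1   # sandboxed replica, full packet capture
    UNTRUSTED = 2      # isolated honeypot replica, deepest instrumentation


@dataclass(frozen=True)
class Replica:
    ip: str          # assumed replica address
    out_port: int    # assumed switch port leading to the replica
    monitoring: str  # assumed label for the monitoring intensity at this tier


# Constructed replica table; addresses and ports are placeholders.
REPLICAS: Dict[Tier, Replica] = {
    Tier.TRUSTED: Replica("10.0.1.10", 1, "flow-records"),
    Tier.SEMI_TRUSTED: Replica("10.0.2.10", 2, "full-pcap"),
    Tier.UNTRUSTED: Replica("10.0.3.10", 3, "full-pcap+syscall-trace"),
}


@dataclass(frozen=True)
class Session:
    """A TCP 5-tuple minus protocol; hashable so it can key the router's state."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def classify(risk: float, low: float = 0.3, high: float = 0.8) -> Tier:
    """Map an IDS risk score in [0, 1] to a tier. Thresholds are assumed."""
    if not 0.0 <= risk <= 1.0:
        raise ValueError(f"risk score out of range: {risk}")
    if risk >= high:
        return Tier.UNTRUSTED
    if risk >= low:
        return Tier.SEMI_TRUSTED
    return Tier.TRUSTED


def flow_rule(s: Session, tier: Tier, priority: int = 100) -> dict:
    """Build an OpenFlow-style rule (assumed layout) that rewrites the session's
    destination to the tier's replica. Rules for one session share the same
    match, so a later rule is meant to replace the earlier one on the switch."""
    r = REPLICAS[tier]
    return {
        "priority": priority,
        "match": {
            "eth_type": 0x0800, "ip_proto": 6,
            "ipv4_src": s.src_ip, "tcp_src": s.src_port,
            "ipv4_dst": s.dst_ip, "tcp_dst": s.dst_port,
        },
        "actions": [
            {"set_field": {"ipv4_dst": r.ip}},
            {"output": r.out_port},
        ],
        "monitoring": r.monitoring,
    }


class SessionRouter:
    """Tracks each session's tier across monitoring phases.

    Escalation only: once a session has been steered to a less trusted
    replica it is never demoted, because state it created there cannot be
    trusted on a production replica. (Our design choice, not the paper's.)
    """

    def __init__(self) -> None:
        self._tier: Dict[Session, Tier] = {}

    def update(self, s: Session, risk: float) -> Optional[dict]:
        """Re-evaluate a session; return a new flow rule only if it escalates."""
        new = classify(risk)
        cur = self._tier.get(s)
        if cur is not None and new <= cur:
            return None  # unchanged tier or suppressed demotion: keep current rule
        self._tier[s] = new
        return flow_rule(s, new)

    def tier_of(self, s: Session) -> Optional[Tier]:
        return self._tier.get(s)


def run_demo() -> List[Optional[str]]:
    """Walk one constructed session through four monitoring phases and report
    the tier chosen at each phase (None when no new rule was needed)."""
    router = SessionRouter()
    s = Session("198.51.100.7", 40000, "10.0.0.5", 443)  # constructed sample
    scores = [0.1, 0.5, 0.9, 0.2]  # constructed per-phase IDS risk scores
    out: List[Optional[str]] = []
    for risk in scores:
        rule = router.update(s, risk)
        out.append(None if rule is None else router.tier_of(s).name.lower())
    return out


if __name__ == "__main__":
    print(run_demo())  # ['trusted', 'semi_trusted', 'untrusted', None]
```

The fourth phase shows the caveat: the score falls back to 0.2, which `classify` alone would map to the trusted tier, but the router keeps the session on the untrusted replica and installs no new rule.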