Contribution to the design of a flexible and adaptive solution for the management of heterogeneous honeypot systems

Resumen

Networked computer systems are deeply integrated into every aspect of modern information-overloaded society. The mechanisms that keep our modern society owing smoothly, with activities such as efficient execution of government and commercial transactions and services, or consistent facilitation of social transactions among billions of users, are all dependent on large networked computer systems. Recent growth of the cyberspace has been phenomenal and consequently, the computers and the networks that make the Internet have become the targets of adversaries and criminals. Intrusions into a computer or network system are activities that destabilize them by compromising security in terms of confidentiality, availability or integrity, the three main characteristics of a secure and stable system. A honeypot is a valid and vital security facility used to deliberately sacrifice its own information system resource in order to capture unauthorized network traffic and malicious system activity. This thesis focuses on contribution to the design of flexible and adaptive honeypot systems. It encompasses discussion of the state of the art in the honeypot development and research area. It presents a novel taxonomy of honeypots based on a new anatomic view over honeypots, which extracts two common elements in all honeypots, decoy and security program, to define the honeypot, and also, provides the organization forms of these two elements, which are tight coupling and loose coupling. The taxonomy is validated by applying it to investigate an extensive set of existing honeypots. Detailed discussion and analysis of the related work provide a clear understanding of the research and development statement of this area. The main contribution of this thesis is the design of a novel creation and management system based on software-defined network technologies (SDN), called HoneyMagic. This system proposes a new flexible and extensible architecture based on SDN framework and a generic honeynet description language (TIHDL). It uses the SDN technology to facilitate transparent traffic redirection mechanism to forward or redirect the interesting traffic into corresponding honeypots for further investigation. For this purpose, the HoneyMagic SDN controller application implements the stealthy TCP connection handover mechanism. Also, it also presents a customizable data control approach that can allow the user to configure arbitrary traffic filtering and redirection rules according to the research requirement, as well as the deployment of the heterogeneous decoys on different virtualization platforms. In addition, the thesis presents the tests performed to validate the functions of HoneyMagic, as well as specific attack data to compare the functionalities and performance of HoneyMagic with other related tools. The experimental results show that the system can efficiently handle different honeypot systems to capture data, managing the traffic redirection interesting according to security objectives. The thesis presents tests to validate the functions of the HoneyMagic. The thesis also provides specific attacks to compare the functionalities and performance of HoneyMagic with other relative tools. The experimental results show that the system can efficiently handle different honeypots to capture data and redirect the interesting traffic in stealthy into corresponding honeypots according to the security goals as well.