写在前面:在学习蜜罐的相关内容时,接触了一些英文资料,对这些英文资料的翻译在个人博客中贴出,希望我的有限英文水平能够为大家做一点点贡献。如有翻译不妥的地方,大家可以留言指正,共同进步。做快乐的程序员,
.
写在前面:
在学习蜜罐的相关内容时,接触了一些英文资料,对这些英文资料的翻译在个人博客中贴出,希望我的有限英文水平能够为大家做一点点贡献。如有翻译不妥的地方,大家可以留言指正,共同进步。
做快乐的程序员,做热爱分享的程序员。
请大家不要纠结某个词、字的使用合不合理,理解论文主要讲述的内容为先。
每篇文章版权都会在原始文章最后注明,请大家遵守。
标签:蜜罐,云计算,IaaS
4.DYNAMICHONEYPOT SERVICE
In thefollowing, we describe the design, the implementation and the evaluation of theproposed dynamic honeypot architecture
在下文中,我们描述的设计、 执行和评价的被提出的动态蜜罐技术体系结构
Thearchitecture should be able to identify attacks before they are successful andimmediately deploy a honeypot that protects the original target VM
该体系结构应该能够在***成功之前识别他们,立即部署保护原始目标虚拟机的蜜罐
Thearchitecture should follow the resource saving idea of cloud computing andefficiently protect running VMs which are targets of attacks
体系结构应遵循云计算的资源节约理念,和有效地保护运行中的被作为***的目标的虚拟机
Learningfrom attacks and identification of current misconfigurations is a main goal.
从***和识别当前的错误中学习是一个主要的目标。
4.1 Design
Theentire procedure of the dynamic honeypot architecture can be described in sevensequential steps
可以用七个连续步骤描述动态蜜罐技术架构的整个过程
A flowgraph of the proposed architecture can be seen in Figure 2
所提出的体系结构的流图可以看到图 2 中
In step1, the honeypot controller identifies an attack which aims at a guest VM on thesame hardware node
在步骤 1 中,蜜罐控制器标识***,***目的是在相同的硬件节点上的客户虚拟机
Thisattack identification is the trigger for the honeypot extraction and deploymentprocedure
此***识别是蜜罐萃取和部署程序的触发器
Thehoneypot controller retrieves the IP address of the guest VM which is thetarget of the ongoing attack and the IP address of the attacking source.
蜜罐控制器检索持续受到***的目标 IP 地址的客户虚拟机,和 ***来源的IP 地址。
In step2, the controller delays the attack until a new honeypot VM is extracted anddeployed in step 3
在步骤 2 中,控制器延迟***,直到一个新的蜜罐 VM 被萃取出来并在步骤 3 中部署
Thisdelay is very important because the attack process should not be interrupted ordisturbed
这种延迟是非常重要的因为***过程不应中断或干扰
Therefore,the extraction of the honeypot VM (step 3) must be performed in seconds
因此,必须在几秒钟内执行蜜罐 VM (步骤 3) 的萃取
In step4, the controller redirects the traffic of the attacking source to the newlydeployed honeypot VM
步骤 4,该控制器将重定向***来源的网络通信到新部署蜜罐 VM
In step5, information about the ongoing attack is passively collected benefiting fromthe hypervisor layer
在步骤 5 中,有关正在进行的***的信息,被动收集,从虚拟机管理程序层中受益
After apredefined period of time or after the detection of a successful attack,thehoneypot VM is terminated and the attacking source is banned from the networkin step 6
在一段预定的时间或检测到成功的***之后,在步骤 6 中,蜜罐 VM 被终止和***的来源会被网络禁止
Finally,in step 7, a report for the cloud user who owns the original VM is generated
最后,在步骤 7 中,为拥有原始 VM 的云用户生成一个报告
Thereport should be easy to understand and should reveal and explainvulnerabilities and misconfigurations to the cloud user
该报告应该很容易理解和应揭示并向云用户解释的漏洞和错误配置
Toprevent the architecture from denial of service attacks, only one honeypot VMcan be deployed for an original VM at the same time
为了防止拒绝服务******,在同一时间只有一个蜜罐 VM 可以为原始虚拟机部署
Thishoneypot VM is used for every other attack that can run in parallel
这个蜜罐 VM 在每个其他***时,可并行运行
Figure 3illustrates the time line of the proposed architecture
图 3 显示了建议的体系结构的时间线
Theattacking source sends the first packets
***来源发送第一个网络数据包
Thesepackets can belong to a web directory scan, a brute force attack, or they canbe a payload of a computer worm
这些数据包可以属于 web 目录扫描、强力***,或者他们可以有效载荷的电脑蠕虫病毒
Thecontroller detects the attack and delays the packets until a new honeypot isextracted from the original target
控制器检测到的***,延迟数据包,直到新的蜜罐从原来的目标中萃取
Afterthis deployment procedure, the packets are redirected and can reach the newhoneypot VM and the attack continues
后此部署的过程中,数据包将被重定向,可以达到新的蜜罐 VM 并且***继续
Now, theattack is monitored and analyzed
现在,这次***被监测和分析
Thereare four main goals for the honeypot extraction process:
有的蜜罐萃取过程的四个主要目标:
1.Thedeployment of the honeypot VM has to be fast because the detected attack shouldonly be delayed for a short period of time
1.部署蜜罐 VM 都有要快,因为检测到的***应只推迟在短的时间内
We needto deploy the honeypot in a few seconds
我们需要在几秒钟内部署蜜罐
Thearchitecture should not arise suspicion of the attacker and not interrupt thework-flow of automated attacking tools.
体系结构应不使***者产生怀疑,并不中断自动化***工具的工作流程。
2.Insteadof having a cloned honeypot VM containing the same data, we want to have areduced honeypot VM without sensible data
2.而不是克隆一个包含相同的数据蜜罐 VM ,我们想要一个弱化的蜜罐 VM ,它不存在敏感数据
Thehoneypot extraction procedure is a modified VM cloning process
蜜罐技术萃取过程是修改的 VM的克隆过程
This procedurehas to be fast, according to the first goal, and it should not risk thedisclosure of sensitive or private data of the original VM
根据第一目标,此过程要快,并它不应冒风险披露原始 VM的敏感或私人数据
Forthis, we have to remove certain data.
为此,我们必须删除某些数据。
3.If thecontroller detects a successful attack on the honeypot, it has to immediatelyterminate the honeypot VM without revealing any information
3.如果该控制器检测到对蜜罐的成功***,它不得不立即终止 没有透露任何信息的VM 蜜罐,
Accordingly,precisemonitoring of the honeypot VM is necessary.
因此,精确地监测蜜罐 VM 是必要。
4. We donot want to install additional software on the original VM
4. 我们不想在原始虚拟机上安装额外的软件
Allproposed mechanisms should run outside the VM and work on the hypervisor layer.
所有拟议的机制应该运行 VM 外,工作在虚拟机监控程序层上。
为方便大家,我会把总的doc文档上传到网盘
百度文库
51cto:http://down.51cto.com/data/1887779
csdn
百度网盘:
个人博客:http://fergusj.blog.51cto.com
您的支持是作者写作最大的动力!
如果您喜欢这个文章,读后觉得收获很大,不妨留言点赞,让我有动力继续写出高质量的翻译。
