HoneyCloud: Elastic Honeypots - On-attack Provisioning of High-interaction Honeypots

Patrice Clemente, Jean-Francois Lalande, Jonathan Rouzaud-Cornabas

Abstract

This paper presents HoneyCloud: a large-scale high-interaction honeypots architecture based on a cloud infrastructure. The paper shows how to setup and deploy on-demand virtualized honeypot hosts on a private cloud. Each attacker is elastically assigned to a new virtual honeypot instance. HoneyCloud offers a high scalability. With a small number of public IP addresses, HoneyCloud can multiplex thousands of attackers. The attacker can perform malicious activities on the honeypot and launch new attacks from the compromised host. The HoneyCloud architecture is designed to collect operating system logs about attacks, from various IDS, tools and sensors. Each virtual honeypot instance includes network and especially system sensors that gather more useful information than traditional network oriented honeypots. The paper shows how are collected the activities of attackers into the cloud storage mechanism for further forensics. HoneyCloud also addresses efficient attacker’s session storage, long term session management, isolation between attackers and fidelity of hosts.

References

  1. Baecher, P., Koetter, M., Holz, T., Dornseif, M., and Freiling, F. (2006). The Nepenthes platform: An efficient approach to collect malware. In 9th international symposium on Recent Advances in Intrusion Detection (RAID), pages 165-184, Hamburg, Germany. Springer.
  2. Balamurugan, M. and Poornima, B. S. C. (2011). Article: Honeypot as a service in cloud. IJCA Proceedings on International Conference on Web Services Computing (ICWSC), ICWSC(1):39-43. Published by Foundation of Computer Science, New York, USA.
  3. Bousquet, A., Clemente, P., and Lalande, J.-F. (2011). SYNEMA: visual monitoring of network and system security sensors. In International Conference on Security and Cryptography, pages 375-378, Séville, Espagne.
  4. Briffaut, J., Clemente, P., Lalande, J.-F., and RouzaudCornabas, J. (2012). Honeypot forensics for system and network SIEM design. In Advances in Security Information Management: Perceptions and Outcomes, pages -. Nova Science Publishers.
  5. Chin, W. Y., Markatos, E. P., Antonatos, S., and Ioannidis, S. (2009). HoneyLab: Large-scale honeypot deployment and resource sharing. In NSS'09: Proceedings of the 2009 Third International Conference on Network and System Security, pages 381-388, Gold Coast, Queensland, Australia. IEEE Computer Society.
  6. Jiang, X. and Xu, D. (2004). Collapsar: a VM-based architecture for network attack detention center. In SSYM'04: Proceedings of the 13th conference on USENIX Security Symposium, pages 2-2, Boston, MA, USA. USENIX Association.
  7. Leita, C. and Dacier, M. (2008). SGNET: A worldwide deployable framework to support the analysis of malware threat models. In EDCC-7 7808: Proceedings of the 2008 Seventh European Dependable Computing Conference, pages 99-109, Kaunas, Lituania. IEEE Computer Society.
  8. Moore, D., Shannon, C., Voelker, G., and Savage, S. (2004). Network telescopes: Technical report. CAIDA, April.
  9. Nurmi, D., Wolski, R., Grzegorczyk, C., Obertelli, G., Soman, S., Youseff, L., and Zagorodnov, D. (2009). The eucalyptus open-source cloud-computing system. In CCGRID 7809: Proceedings of the 2009 9th IEEE/ACM International Symposium on Cluster Computing and the Grid, pages 124-131, Shangai, China. IEEE Computer Society.
  10. Provos, N. (2004). A virtual honeypot framework. In SSYM'04: Proceedings of the 13th conference on USENIX Security Symposium, Boston, MA, USA. USENIX Association.
  11. Shimoda, A., Mori, T., and Goto, S. (2010). Sensor in the dark: Building untraceable large-scale honeypots using virtualization technologies. In 2010 10th Annual International Symposium on Applications and the Internet, pages 22-30, Seoul, Korea. IEEE Society.
  12. Spitzner, L. (2003). Honeypots: tracking hackers. AddisonWesley Professional.
  13. Vrable, M., Ma, J., Chen, J., Moore, D., Vandekieft, E., Snoeren, A. C., Voelker, G. M., and Savage, S. (2005). Scalability, fidelity, and containment in the Potemkin virtual honeyfarm. In SOSP 7805: Proceedings of the twentieth ACM symposium on Operating systems principles, pages 148-162, Brighton, United Kingdom. ACM.
Download


Paper Citation


in Harvard Style

Clemente P., Lalande J. and Rouzaud-Cornabas J. (2012). HoneyCloud: Elastic Honeypots - On-attack Provisioning of High-interaction Honeypots . In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012) ISBN 978-989-8565-24-2, pages 434-439. DOI: 10.5220/0004129604340439


in Bibtex Style

@conference{secrypt12,
author={Patrice Clemente and Jean-Francois Lalande and Jonathan Rouzaud-Cornabas},
title={HoneyCloud: Elastic Honeypots - On-attack Provisioning of High-interaction Honeypots},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012)},
year={2012},
pages={434-439},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004129604340439},
isbn={978-989-8565-24-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012)
TI - HoneyCloud: Elastic Honeypots - On-attack Provisioning of High-interaction Honeypots
SN - 978-989-8565-24-2
AU - Clemente P.
AU - Lalande J.
AU - Rouzaud-Cornabas J.
PY - 2012
SP - 434
EP - 439
DO - 10.5220/0004129604340439