Thesis record 110522079

Author: 楊竣程 (Jiun-Cheng Yang)    Department: Computer Science and Information Engineering
Title: Hybrid Honeypots Deploy And Switch Strategies On Microservice Using Machine Learning Flow Classification As Indicator (Chinese title: 微服務中混合蜜罐使用與切換策略 - 以機器學習流量分類為指標)
Full text: not available through the system (permanently restricted).
Abstract (translated from the Chinese)
Security incidents have become more frequent in recent years and defensive measures have developed apace. Among them, the honeypot is one of the most common defensive mechanisms: by deploying a look-alike or disguised system it diverts the attacker's attention and collects information about the attacker. Besides the many kinds of commercial honeypots on the market, open-source honeypots are also the choice of some enterprises and organisations. Clearly, the more complex a honeypot, the more hardware it occupies when deployed, markedly more than a honeypot that offers only simple services or functions. In return, a more complex honeypot is harder for the attacker to identify, collects more information about an imminent attack or behaviour, and buys more valuable time. However, not every scenario has enough resources to deploy such a honeypot, and the device used as the honeypot may not be able to sustain a resource-hungry deployment for long; an excessive deployment cost can reduce the willingness to use honeypots and add overhead. Lowering the potential deployment cost is therefore a challenge.
To reduce the cost of deploying honeypots, this thesis proposes the Transformation And Natural Semblance Honeypots (TransPot) framework, which uses honeypots of two interaction levels: a low-interaction honeypot and a high-interaction honeypot. Because the low-interaction honeypot occupies fewer resources, it serves most of the time while the system is idle, and the high-interaction honeypot is deployed as the current service only when needed, lowering the system's average resource use. Several machine-learning methods are used to build a traffic-classification model that classifies the traffic the honeypot receives, and two switching modes are built on its output: Dynamic Switch and Predict Switch. The former seeks to minimise the time the high-interaction honeypot is deployed; the latter computes the trend of traffic change with moving averages and predicts in advance which honeypot the next period needs, so that the delay or connection interruption caused by a switch is reduced and the attacker is less likely to identify the honeypot. Deploying in Kubernetes not only lowers the resource consumption of the honeypot deployment itself but also reduces dependence on the environment, improving portability and making the honeypot framework easier to replace.
Experimental results show that the architecture effectively reduces the footprint of the honeypot deployment: memory use falls by about 57.59% for the low-interaction deployment and by about 36.37% for the high-interaction deployment. The binary classification models built with the various machine-learning methods reach up to 100% accuracy on the test traffic, confirming that a model can be trained to recognise the traffic generated by common scanning tools. The proposed Dynamic Switch mechanism saves unnecessary high-interaction deployment time according to the traffic conditions in the network and the parameter settings, and in the proposed Predict Switch mechanism the TEMA and CMA moving averages are shown to find potential growth trends in traffic. The thesis demonstrates the feasibility of deploying hybrid honeypots on microservices, makes the fullest possible use of available memory, and presents the corresponding switching methods and strategies.
Abstract (English)
As information security incidents have increased in recent years, defensive measures have been developed in full swing. The honeypot is one of the most common defense mechanisms: it diverts the attacker's attention and collects information about the attacker. In addition to the various types of commercial honeypots, open-source honeypots are also a choice for users. A honeypot with more interaction is harder for an attacker to identify, but its resource usage increases, and that cost affects users' willingness to use high-interaction honeypots. How to reduce the cost of a high-interaction honeypot is therefore an important issue.
This thesis proposes a new hybrid-honeypot deployment called Transformation And Natural Semblance Honeypots (TransPot), which reduces the memory used by the high-interaction honeypot by decreasing the time it is deployed. The framework uses two types of honeypot: a Low Interaction Honeypot and a High Interaction Honeypot. Since the Low Interaction Honeypot requires fewer resources, it is used primarily while the system is idle, and the High Interaction Honeypot is deployed only when necessary, minimizing the overall average resource usage of the system.
In addition, the framework builds and compares multiple machine-learning traffic-classification models to classify the traffic received by the honeypots. Based on the results of the traffic-classification model, two switching modes are proposed: Dynamic Switch and Predict Switch. The former aims to minimize the deployment time of the High Interaction Honeypot, while the latter predicts the honeypot needed in the next time period by using Moving Averages to calculate the trend of traffic change. By predicting in advance, the delay or connection interruption caused by a honeypot transition is reduced, which decreases the likelihood that an attacker identifies the honeypot. Deployed in a Kubernetes environment, the framework not only reduces the resource consumption of the honeypot deployment itself but also decreases dependence on the environment, increasing portability and enabling easy replacement of the honeypot framework.
Experimental results demonstrate that this architecture effectively reduces the size of honeypot deployments: the Low Interaction Honeypot deployment reduces memory usage by approximately 57.59%, and the High Interaction Honeypot deployment by approximately 36.37%. The binary classification models built with various machine-learning methods achieve a maximum accuracy of 100% on the test traffic, confirming their effectiveness in distinguishing traffic generated by common scanning tools. Furthermore, the proposed Dynamic Switch mechanism saves unnecessary deployment time of the High Interaction Honeypot depending on the network's traffic conditions and parameter settings. In the proposed Predict Switch mechanism, the TEMA and CMA Moving Averages are shown to identify potential traffic growth trends. This thesis demonstrates the feasibility of deploying hybrid honeypots in a microservice environment, makes the fullest possible use of available memory, and presents the corresponding switching methods and strategies.
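The two switching policies that both abstracts describe, as an added simulation that is not the thesis's code: it feeds per-interval counts of flows the classifier labelled as scanner traffic into a Dynamic Switch (switch up on the first hostile flow, fall back after an idle timer) and into a Predict Switch (switch when a TEMA or CMA trend crosses a threshold), then reports when each policy first deploys the high-interaction honeypot and what share of intervals it spends there, the quantity the memory-saving figures depend on. The idle-timer semantics, moving-average window, threshold values, sample series and Kubernetes label names are assumptions; only `spec.selector` is a real Service field.

```python
"""Added example: TransPot-style low/high-interaction honeypot switching driven
by per-interval flow-classifier output.  Not the thesis's code; timer semantics,
window length, thresholds, the sample series and the label names are assumed."""

LOW, HIGH = "low", "high"


def ema_series(values, period):
    """Exponential moving average of a series, seeded with its first value."""
    if not values:
        return []
    k = 2.0 / (period + 1)
    out = [values[0]]
    for v in values[1:]:
        out.append(k * v + (1.0 - k) * out[-1])
    return out


def ema(values, period):
    return ema_series(values, period)[-1]


def tema(values, period):
    """Triple EMA, 3*EMA1 - 3*EMA2 + EMA3: follows a rising trend with far less
    lag than a single EMA, so a growing burst of hostile flows is seen sooner."""
    e1 = ema_series(values, period)
    e2 = ema_series(e1, period)
    e3 = ema_series(e2, period)
    return 3.0 * e1[-1] - 3.0 * e2[-1] + e3[-1]


def cma(values):
    """Cumulative moving average: mean of everything seen so far."""
    return sum(values) / len(values)


class DynamicSwitch:
    """Reactive policy: deploy HIGH as soon as any flow in an interval is flagged,
    and revert to LOW after `idle_intervals` consecutive clean intervals (the
    timer that trades resource use against attacker visibility)."""

    def __init__(self, idle_intervals):
        self.idle_intervals = idle_intervals
        self.mode, self.idle = LOW, 0

    def step(self, malicious_flows):
        if malicious_flows > 0:
            self.mode, self.idle = HIGH, 0
        elif self.mode == HIGH:
            self.idle += 1
            if self.idle >= self.idle_intervals:
                self.mode, self.idle = LOW, 0
        return self.mode


class PredictSwitch:
    """Trend policy: switch when a moving average of the flagged-flow count crosses
    `threshold`, so the switch can happen before an attacker's session reaches
    the service rather than in the middle of it."""

    def __init__(self, threshold, period=3, average="tema"):
        self.threshold, self.period, self.average = threshold, period, average
        self.history, self.mode = [], LOW

    def step(self, malicious_flows):
        self.history.append(malicious_flows)
        level = tema(self.history, self.period) if self.average == "tema" \
            else cma(self.history)
        self.mode = HIGH if level >= self.threshold else LOW
        return self.mode


def run(policy, per_interval_malicious):
    """Feed a policy one interval at a time; return the chosen mode per interval."""
    return [policy.step(n) for n in per_interval_malicious]


def high_fraction(modes):
    """Share of intervals on the high-interaction honeypot, a proxy for the
    average memory the deployment holds over the run."""
    return modes.count(HIGH) / len(modes)


def first_high(modes):
    return modes.index(HIGH) if HIGH in modes else None


def service_selector_patch(mode):
    """Strategic-merge patch body that repoints a Kubernetes Service at the pod
    set for `mode`.  Label key/values are assumed; spec.selector is the real field."""
    return {"spec": {"selector": {"app": "transpot", "interaction": mode}}}


# Constructed input: flows per interval that the classifier labelled as scanner
# traffic.  A single probe at interval 3 grows into a burst, then stops.
SAMPLE = [0, 0, 0, 1, 3, 5, 4, 0, 0, 0, 0, 0, 0, 2, 0, 0]

if __name__ == "__main__":
    for name, policy in [("dynamic(idle=3)", DynamicSwitch(3)),
                         ("predict(tema)", PredictSwitch(1.0, average="tema")),
                         ("predict(cma)", PredictSwitch(1.0, average="cma"))]:
        modes = run(policy, SAMPLE)
        print(f"{name:16s} first HIGH at {first_high(modes)}, "
              f"HIGH share {high_fraction(modes):.2f}")
```

On the constructed series the Dynamic Switch reacts at interval 3 and holds HIGH for 9 of 16 intervals with a 3-interval timer; the TEMA-driven Predict Switch crosses the threshold one interval after the first probe while the CMA needs two, which is the lag difference the thesis's moving-average comparison is about. Each HIGH/LOW decision would be applied by patching the Service selector so that the attacker's next connection lands on the chosen pod set.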
Keywords (translated from the Chinese): honeypot deployment; microservice architecture; low- and high-interaction honeypots; honeypot switching; traffic classification model
Keywords (English): none listed
Table of Contents
Abstract (Chinese)
Abstract (English)
Acknowledgements
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
1.1 Overview
1.2 Motivation
1.3 Research Objectives
1.4 Thesis Organization
Chapter 2 Background and Related Work
2.1 Honeypot
2.2 Containerization
2.3 Microservice
2.4 Intrusion Detection System
2.5 Machine Learning
2.6 Related Work
Chapter 3 Methodology
3.1 System Architecture and Design
3.2 System Workflow and Implementation
3.2.1 Model Preprocessing and Training
3.2.2 Low and High Interaction Honeypot Switch
3.2.3 Dynamic Switch
3.2.4 Predictive Switch
3.3 System Environment
Chapter 4 Experiments and Discussion
4.1 Scenario 1: Functional Verification of Each TransPot Module
4.1.1 Design of the Experimental Honeypots
4.1.2 Experiment 1: Classification Model Accuracy
4.1.3 Experiment 2: Honeypot Switching Functionality
4.1.4 Experiment 3: Dynamic Switch Functionality
4.1.5 Experiment 4: Predict Switch Functionality
4.2 Scenario 2: TransPot Performance Verification
4.2.1 Experiment 5: Resource Usage of the Experimental Architecture and Maximum Number of Deployable Honeypots
4.2.2 Experiment 6: CPU Usage Comparison of Honeypot Switching Mechanisms
4.2.3 Experiment 7: Effect of the Dynamic Switch Timer on Resource Usage
4.2.4 Experiment 8: Effect of the Predict Switch Threshold on Resource Usage
4.2.5 Experiment 9: Parameter Settings for Dynamic Switch and Predict Switch
4.2.6 Experiment 10: Effect of the Predict Switch Moving Average on Prediction Accuracy
4.3 Scenario 3: Comparisons with Related Work
4.3.1 Experiment 11: Resource Usage Comparison of Deployment Environments
4.3.2 Experiment 12: Switching Latency Comparison
Chapter 5 Conclusion and Future Work
5.1 Conclusion
5.2 Limitations
5.3 Future Work
References
Advisor: 周立德 (Li-Der Chou)    Approval date: 2023-08-09