Abstract (translated from the Chinese original):

In recent years security incidents have become increasingly frequent and defensive measures have developed rapidly. Among them, the honeypot is one of the most common defensive mechanisms: by deploying a similar or disguised system it distracts the attacker and collects information about the attacker. Besides the many types of commercial honeypots on the market, open-source honeypots are also the choice of some enterprises and organizations. Clearly, the more complex the honeypot, the more hardware resources its deployment consumes compared with a honeypot that offers only simple services or functions. In return, deploying a more complex honeypot makes it harder for the attacker to identify it, gathers more information about the impending attack or behaviour, and buys more valuable time. However, not every scenario has sufficient resources to deploy a honeypot, or the device used for the honeypot cannot sustain a resource-hungry deployment for long; an excessively high deployment cost may reduce the willingness to use honeypots and add extra overhead. How to lower the potential deployment cost therefore becomes a challenge.

To reduce the deployment cost of honeypots, this thesis proposes the Transformation And Natural Semblance Honeypots (TransPot) framework, which uses two interaction levels of honeypot: a Low Interaction Honeypot and a High Interaction Honeypot. Because the low interaction honeypot consumes fewer resources, it is deployed most of the time while the system is idle, and the high interaction honeypot is deployed as the current service only when needed, reducing the average resource usage of the system as a whole. This thesis uses several machine-learning methods to build traffic classification models that classify the traffic received by the honeypot, and based on the classifier's results establishes two switching modes: Dynamic Switch and Predict Switch. The former aims to minimize the time the high interaction honeypot is deployed; the latter uses Moving Averages to compute the trend of traffic changes and predicts the honeypot for the next period in advance. Predicting ahead of time reduces the delay or connection interruption caused by switching honeypots and lowers the chance that an attacker recognizes the honeypot. Deploying in a Kubernetes environment not only reduces the resource consumption of the honeypot deployment itself, but also reduces dependence on the environment, increasing portability and making it easy to replace the honeypot framework.

Experimental results show that the architecture effectively reduces the size of the honeypot deployment: the low interaction honeypot deployment reduces memory usage by about 57.59%, and the high interaction honeypot deployment by about 36.37%. The binary classification models built with the various machine-learning methods reach up to 100% accuracy, confirming that models can be trained to recognize effectively the traffic generated by common scanning tools. The proposed Dynamic Switch mechanism saves unnecessary high interaction honeypot deployment time according to the traffic conditions in the network and parameter tuning. The proposed Predict Switch mechanism shows that the TEMA and CMA moving averages used can find potential traffic growth trends. This thesis demonstrates the feasibility of deploying hybrid honeypots on microservices, offers the possibility of maximizing memory utilization, and proposes the corresponding switching methods and strategies.

Abstract (English):

Due to the increase of information security issues in recent years, defense measures have been developed in full swing. The honeypot is one of the most common defense mechanisms, which distracts the attacker's attention and collects information from the attacker. In addition to the various types of commercial honeypots, open source honeypots are also a choice for users. Higher interaction honeypots increase the difficulty of identification by the attacker, but resource usage increases when using a higher interaction honeypot, and the cost affects the user's willingness to use high interaction honeypots. How to reduce the cost of high interaction honeypots is an important issue.

This paper proposes a new deployment of hybrid honeypots called Transformation And Natural Semblance Honeypots (TransPot) to reduce high interaction honeypot memory usage by decreasing high interaction honeypot deployment time. This framework uses two types of interactive honeypots: Low Interaction Honeypot and High Interaction Honeypot. Since the Low Interaction Honeypot requires fewer resources, it is primarily used during system idle time, with the High Interaction Honeypot being deployed only when necessary, to minimize the overall average resource usage of the system. In addition, this framework uses and compares multiple traffic classification models based on machine learning algorithms to classify the traffic received by the honeypots. Based on the results of the traffic classification model, two transformation modes are proposed: Dynamic Switch and Predict Switch. The former aims to minimize the deployment time of the High Interaction Honeypot, while the latter predicts the honeypot for the subsequent time period using Moving Averages to calculate the trend of traffic changes. By making predictions in advance, the delay or connection interruption caused by honeypot transitions is reduced, thus decreasing the likelihood of attackers identifying the honeypots. Deployed in a Kubernetes environment, this framework not only reduces the resource consumption of honeypot deployment itself but also decreases the dependence on the environment, increasing portability and enabling easy replacement of the honeypot framework. Experimental results demonstrate that this architecture effectively reduces the size of honeypot deployments. Low Interaction Honeypot deployment can reduce memory usage by approximately 57.59%, while High Interaction Honeypot deployment can reduce memory usage by approximately 36.37%.

The binary classification models built using various machine learning methods can achieve a maximum accuracy of 100%, confirming their effectiveness in distinguishing traffic generated by common scanning tools. Furthermore, the introduced Dynamic Switch mechanism can save unnecessary deployment time of the High Interaction Honeypot based on the network's traffic conditions and parameter adjustments. In the proposed Predict Switch mechanism, the TEMA and CMA Moving Average lines are shown to identify potential traffic growth trends. This paper demonstrates the feasibility of deploying hybrid honeypots in a microservices environment, maximizing memory utilization, and presents relevant transformation methods and strategies.
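The abstract describes two switching policies but not their exact decision rules. The following is an added worked example, written for this page and not code from the TransPot thesis: a minimal Python model of both policies operating on per-interval counts of connections received by the low interaction honeypot. The Dynamic Switch keeps the high interaction honeypot up only while the traffic classifier flags scanner traffic (plus a short hold-down), and the Predict Switch computes TEMA and CMA over the same counts and pre-deploys the high interaction honeypot when TEMA rises above CMA. The crossover rule, the EMA period of 3, the `hold` parameter and the sample counts are all assumptions chosen for illustration.

```python
"""Toy model of TransPot-style honeypot switching (added example, not the thesis code).

Each interval yields two observations: a connection count and a classifier label.
Both switching policies return one deployment decision per interval:
'low'  -> keep the cheap Low Interaction Honeypot
'high' -> deploy the resource-hungry High Interaction Honeypot
"""
from typing import List


def ema(values: List[float], period: int) -> List[float]:
    """Exponential moving average with the usual smoothing alpha = 2/(period+1)."""
    alpha = 2.0 / (period + 1)
    out, prev = [], None
    for v in values:
        prev = v if prev is None else alpha * v + (1 - alpha) * prev
        out.append(prev)
    return out


def tema(values: List[float], period: int) -> List[float]:
    """Triple EMA: 3*EMA1 - 3*EMA2 + EMA3, which reacts faster to a trend than a plain EMA."""
    e1 = ema(values, period)
    e2 = ema(e1, period)
    e3 = ema(e2, period)
    return [3 * a - 3 * b + c for a, b, c in zip(e1, e2, e3)]


def cma(values: List[float]) -> List[float]:
    """Cumulative moving average: mean of everything seen so far (the slow baseline)."""
    out, total = [], 0.0
    for i, v in enumerate(values, start=1):
        total += v
        out.append(total / i)
    return out


def predict_switch(counts: List[float], period: int = 3) -> List[str]:
    """Predict Switch (assumed rule): pre-deploy the high interaction honeypot
    when the fast TEMA line rises above the slow CMA baseline, i.e. traffic is
    trending up relative to its history. Equal lines mean no trend -> 'low'."""
    fast, slow = tema(counts, period), cma(counts)
    return ["high" if f > s else "low" for f, s in zip(fast, slow)]


def dynamic_switch(labels: List[str], hold: int = 1) -> List[str]:
    """Dynamic Switch (assumed rule): deploy the high interaction honeypot while the
    traffic classifier reports 'scan', and keep it for `hold` further quiet
    intervals so a brief gap in scanning does not cause a visible flip-flop."""
    out, quiet = [], hold + 1          # start beyond the hold window -> 'low'
    for label in labels:
        quiet = 0 if label == "scan" else quiet + 1
        out.append("high" if quiet <= hold else "low")
    return out


# Constructed sample: five quiet intervals, then a scanner ramps up.
SAMPLE_COUNTS = [4, 4, 4, 4, 4, 12, 20, 28, 36]
SAMPLE_LABELS = ["benign", "benign", "scan", "benign", "benign", "benign"]

if __name__ == "__main__":
    for i, (c, t, m, d) in enumerate(
        zip(SAMPLE_COUNTS, tema(SAMPLE_COUNTS, 3), cma(SAMPLE_COUNTS),
            predict_switch(SAMPLE_COUNTS))
    ):
        print(f"t={i} count={c:>3} TEMA={t:6.2f} CMA={m:6.2f} -> {d}")
    print("dynamic:", dynamic_switch(SAMPLE_LABELS, hold=1))
```

With the sample counts the first five intervals give TEMA == CMA == 4, so the predictor keeps the low interaction honeypot; at the first jump TEMA (11.0) overtakes CMA (5.33) and the high interaction honeypot is requested one interval before the classifier would see the bulk of the scan. The `hold` parameter in the dynamic policy is the knob the abstract calls "parameter adjustment": a larger value trades extra high interaction time for fewer transitions that an attacker might notice.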