Honeynet as a service deployment approach in enabling virtual crime scene investigation

With the exponentially spread of the Internet usage, information technology or cyber security is now an issue for anyone. There is a range of different security threats including hacking, intrusions, computer worms and viruses in the cyberworld. In order to prevent these attacks, technologies such as firewall and intrusion prevention systems depend on known attack signature. However, much less focus has been given to finding new systems’ vulnerability that can lead to new attack signature. Honeypot is valuable cyber security tool that can act as baits for intruders. It is an indispensable tool to discover, explore and study new attacks with a low false positive rate. Preparing a honeypot, however, is difficult, time consuming and expensive especially for High Interaction Honeypot (HIH). It is because its deployment processes involves design,installation and maintenance that require expertise and experience due to the high risk nature of the honeypot especially for the HIH. Furthermore, incident data analysis of any honeypot intrusion can be very costly in term of network bandwidth transfer due the huge amount of incident data transfer. From the perspective of incident data analysis and investigation, companies need to hire computer security and forensic analysis personnel who have good knowledge of different aspects of computer security. These experts are most probably located outside the company hence the data transfer for investigation are cessary. This study proposes and demonstrates a new paradigm of cyber defense in the form of a honeynet architecture based on cloud computing which offers a fully managed Honeynet-as-a-Service (HaaS). This system introduces a new and efficient technique to serve honeynet for other networks without the need of physical installation. In fact by using cloud computing to install different honeypots, it can provide an efficient service for other organizations. The cloud-based honeynet would be connected to any network by using a tunnel interface as a communication layer. It also introduces a new concept of virtual crime scene (VCS) by enabling “live-recording” and “snapshot” of intrusion events. In “live-recording” almost all attacker activities is captured. Using “snapshot” technique, the concept of forensic science namely Locard’s Exchange Principle is applied to the virtual realm. The “snapshot” is a valuable technique for preservation of evidence for the investigation process against any modification (removal or addition). Based on the cloud nature of the proposed system, minimum intervention for its installation, maintenance and analysis is required by the participated organization since it is fully managed by the operator. For the participated organizations, unused IP addresses are being used as IP addresses for the HaaS honeypots. The connections are re-directed via virtual private network (VPN) to the cloud backend. Specifically HaaS provided efficient bandwidth usage, cost and time. The cloud reduced the amount of bandwidth transfer significantly especially for “live-recording” and “snapshot” of incident data for further processing and analysis. For a single HaaS honeypot “live-recording”, measurement in real experiment has shown that the size of log files in this model is 5.4 times more (i.e. saving) than network traffic which is passed into HaaS. For a single HaaS honeypot “snapshot” the saving is 68 times than the physical honeypot. For multiple HaaS honeypots, these bandwidth saving will be much more significant i.e. few hundred times saving. It is primarily because the recording and logging are performed in the cloud side. Furthermore, a single HaaS honeypot installation can be ready in five minutes which is a very short time compare to a single physical honeypot’s installation. As a result of that, a single HaaS honeypot is 95 times faster than physical honeypot installation. In addition, single HaaS honeypot installation can also be roll backed by 4 minutes in comparison to single physical honeypot roll back time which is 28 minutes in average i.e. 7 times faster.

Preview PDF FK 2015 29RR.pdf Download (1MB) | Preview

Actions (login required)

View Item