Title: Using Honeypot Trapping Technology to Detect Abnormal Network Behavior
Using Honeypot to detect abnormal network behavior
Authors: Chiang, Ming-Da (姜明達)
Tsai, Wen-Nung (蔡文能)
College of Computer Science, Computer Science Program
Keywords: Trapping system; Honeypot; Honeynet; Virtualization; Intrusion detection; Snort
Publication date: 2012
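Abstract: Network security threats have grown more serious as the Internet has developed. Traditional defensive equipment mostly guards against known attacks according to predefined rules, and this kind of passive defense is no longer sufficient. We often see malicious attack incidents escalate without knowing the source of the attack or which part of our security defenses needs strengthening. Even if we cannot prevent malicious attacks from occurring, we must be able to detect anomalies immediately. If we keep relying on traditional protection, or if the rule sets of our detection and protection systems never change, we are easily compromised by constantly evolving new attack techniques. We therefore need to move from passive to active defense and seek an active defense system that can detect unknown attacks. The honeypot is one of the active defense systems that has emerged in recent years. This study takes as its subject the honeynet architecture, which evolved from honeypot trapping technology, running the intrusion detection system Snort, the firewall IPtables, and a Sebek Server for data collection. Finally, through virtualization technology, a platform that uses the honeynet architecture to detect abnormal network behavior is implemented on a single machine. Starting from verifying the feasibility of the system, we deployed it in a production environment and, in the spirit of defense in depth, combined it with the company's existing network security protections. The system is of great help in finding the sources of malicious attacks and allows us to take preventive action before attack incidents or large-scale virus outbreaks occur.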
Internet security threats have become more serious with the growth of the Internet. Traditional defense mechanisms are mostly based on known rules to defend against known attacks, and such passive defense is no longer sufficient. We often encounter malicious attacks, but it is hard to know the source of the attacks or which aspects of the system need stronger security. Since malicious attacks cannot be avoided, and traditional passive defense methods are not enough to defend against unknown attacks, we have to find a more effective defense mechanism. This study uses the honeynet architecture, which is based on honeypot technology. Our system integrates the Snort system, the Iptables firewall, and the Sebek Server, which is used for data collection. We also adopt virtualization technology to implement the honeynet architecture on a single machine. The experiments show that our system can effectively detect abnormal network behavior, and it can find the attack source in time.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT079979537
http://hdl.handle.net/11536/74178
Appears in collection: Theses