
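Active Forensics Technology of Honeypot Based on OpenFlow
Cite this article: YANG Tian-shi, DIAO Pei-jin, LIANG Lu-lu, CHANG Zhen. Active Forensics Technology of Honeypot Based on OpenFlow[J]. Journal of Beijing Institute of Technology (Natural Science Edition), 2019, 39(5): 545-550.
Authors: YANG Tian-shi, DIAO Pei-jin, LIANG Lu-lu, CHANG Zhen
Affiliations: China Information Technology Security Evaluation Center, Beijing 100085; Beijing Zhongceanhua Technology Co., Ltd., Beijing 100085; University of Science and Technology of China, Hefei, Anhui 230027
Funding: National "863" Program project (2015AA16001)
Abstract: A method is proposed that automatically isolates attack traffic from the real cloud computing server into a honeypot server. A virtual machine is created for the honeypot network server so that the honeypot server has the same memory and storage devices as the real cloud computing server, and network traffic is controlled and monitored through OpenFlow, thereby isolating the honeypot system from the real cloud server. When a visitor accesses the server normally, the switch routes the visitor's request to the real server. When a visitor is marked as a suspected attacker by the IDS, the switch recalculates the routing path and routes the attacker's request to the prepared honeypot.

Keywords: cloud computing; OpenFlow control; honeypot system
Received: 2017/7/30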

Active Forensics Technology of Honeypot Based on OpenFlow
YANG Tian-shi, DIAO Pei-jin, LIANG Lu-lu and CHANG Zhen. Active Forensics Technology of Honeypot Based on OpenFlow[J]. Journal of Beijing Institute of Technology (Natural Science Edition), 2019, 39(5): 545-550.
Authors: YANG Tian-shi, DIAO Pei-jin, LIANG Lu-lu and CHANG Zhen
Institution:1. China Information Technology Security Evaluation Center, Beijing 100085, China;2. Beijing Zhongceanhua Technology Co., Ltd., Beijing 100085, China;3. University of Science and Technology of China, Hefei, Anhui 230027, China
Abstract: To provide customers with remote services over the Internet, cloud computing concentrates a large number of computing, storage and software resources. Because the information resources of cloud computing users are highly centralized, the risk of a security incident in cloud computing is much higher than in traditional applications. A honeypot system can effectively capture the attack traffic within cloud traffic. However, it is still difficult to develop honeypot systems for cloud computing security that are enticing, protective, and deceptive. In this paper, a method is proposed to automatically isolate attack traffic from a real cloud computing server into a honeypot server. The honeypot system is isolated from the real cloud server by creating a virtual machine for the honeypot network server, giving the honeypot server the same memory and storage devices as the real cloud computing servers, and controlling and monitoring the network traffic through OpenFlow. When a visitor accesses the server normally, the switch routes the visitor's access request to the real server. When a visitor is marked as a suspicious attacker by the IDS, the switch recalculates the routing path and routes the attacker's request to the developed honeypot.
Keywords: cloud computing; OpenFlow control; honeypot
This article is indexed in Wanfang Data and other databases.