Using an expert system to assess the threat level of attacks

Persian title of the article: Expert system assesses the threat level of attacks on a hybrid SSH honeynet
English title of the article: Expert system assessing threat level of attacks on a hybrid SSH honeynet
Journal/Conference: Computers & Security
Related fields of study: Computer
Related specializations: Hardware Engineering, Software Engineering, Artificial Intelligence, Information Security
Persian keywords: Honeynet, Medium interaction, High interaction, Hybrid honeypot, Expert system, SSH, Classification, Transparent redirection
English keywords: Honeypot, Medium interaction, High interaction, Hybrid honeynet, Expert system, SSH, Classification, Transparent redirection
Article writing type: Research Article
Indexing: Scopus - Master Journals List - JCR
Digital Object Identifier (DOI): https://doi.org/10.1016/j.cose.2020.101784
University: Department of Informatics and Computers, Faculty of Science, University of Ostrava, 30. dubna 22, 701 03 Ostrava, Czech Republic
Pages of the English article: 19
Publisher: Elsevier
Presentation type: Journal
Article type: ISI
Year of publication: 2020
Impact factor: 4.337 in 2019
H-index: 77 in 2020
SJR: 0.667 in 2019
ISSN: 0167-4048
Quartile: Q1 in 2019
English article format: PDF
Translation status: Not translated
Price of the English article: Free
Is this a base article: Yes
Does this article have a conceptual model: No
Does this article have a questionnaire: No
Does this article have variables: No
Product code: E14690
References: Has in-text references and a reference list at the end of the article
Table of contents (English)

Abstract

1- Introduction

2- Honeypot & honeynet background

3- Related works

4- Concept of the proposed hybrid honeynet

5- Implementation of the honeynet

6- Testing of the expert system using data gathered by honeynet

7- Results and further development

8- Conclusions

References

Excerpt from the article (English)

Abstract

Currently, many systems connected to the internet are exposed to hundreds of mostly automated network attacks on a daily basis. These are mostly very simple attacks originating from botnets. However, sophisticated attacks conducted both by automated systems and directly by humans are becoming more common. In order to develop adequate countermeasures, the behaviour of attackers has to be analysed effectively. Honeypots, a sort of lures for the attacks, are used for that purpose. Configuration of honeypots varies depending on the type of attacks they focus on attracting. For simple, analogous attacks that sequentially repeat predefined commands, medium interaction honeypots are sufficient, while more sophisticated attacks require the use of high interactive honeypots. An essential part of the analysis is to differentiate between these types of attacks to make the overall analysis efficient, in terms of efficient use of hardware resources, and effective by providing the attacker with an appropriately emulated environment. This article first analyses the current situation followed by presenting a solution in the form of a system made up of a hybrid honeynet and an expert system. For now, it focuses only on the SSH protocol, as it is widely used for remote system access and is a popular target of attacks. The system has been tested on real data collected over a one-year period. The article also deals with making redirecting SSH connections as transparent as possible.

Introduction

Cybersecurity is one of the most dynamic areas of commercial, academic, scientific, and even personal life. Therefore, to be able to react to both existing and new threats effectively, it is necessary to gain awareness of what threats are currently spreading and what is their destination and target. To gather the data, honeypots, and logical networks of honeypots known as honeynets, are used. The subject of this paper is to propose an expert system made to effectively classify the source of the connection to be either a simple or a sophisticated attacker. A simple attacker is typically a bot or an unskilled human attacker only executing a sequence of predefined, repeating commands, or it is a script-kiddie analysing the system and attempting to draw attention to itself. On the other hand, a sophisticated attacker, whether human or advanced malware, reacts to the situation dynamically. The honeynet is comprised of systems emulating SSH protocol, on network port 22 by default, that is among the most popular means for remote access to Linux shell, and administrators use it to manage remote systems or networks. However, it can also be used by an attacker. The SSH protocol was selected as it is among the most attacked protocols, according to the following reports: F-Secure Attack landscape H2 2018, Akamai - The State of the Internet Q4 2014. Also, the activity and artefacts left behind by an attacker using SSH connection, such as inputted commands or the SSH client used, are analytically useful. To discern and record practices of attackers mainly medium interaction honeypots were used, namely Cowrie. Cowrie honeypot emulates Linux shell and many of the basic Linux operating system programs, such as wget or SCP.