Expert system assessing threat level of attacks on a hybrid SSH honeynet
Result identifiers
Result code in IS VaVaI
<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F61988987%3A17310%2F20%3AA21024I6" target="_blank" >RIV/61988987:17310/20:A21024I6 - isvavai.cz</a>
Result on the web
<a href="https://www.sciencedirect.com/science/article/pii/S0167404820300699" target="_blank" >https://www.sciencedirect.com/science/article/pii/S0167404820300699</a>
DOI - Digital Object Identifier
<a href="http://dx.doi.org/10.1016/j.cose.2020.101784" target="_blank" >10.1016/j.cose.2020.101784</a>
Alternative languages
Language of the result
English
Title in original language
Expert system assessing threat level of attacks on a hybrid SSH honeynet
Description of the result in original language
Currently, many systems connected to the internet are exposed to hundreds of mostly automated network attacks on a daily basis. These are mostly very simple attacks originating from botnets. However, sophisticated attacks conducted both by automated systems and directly by humans are becoming more common. In order to develop adequate countermeasures, the behaviour of attackers has to be analysed effectively. Honeypots, a kind of lure for such attacks, are used for that purpose. The configuration of a honeypot varies depending on the type of attacks it is meant to attract. For simple, uniform attacks that sequentially repeat predefined commands, medium-interaction honeypots are sufficient, while more sophisticated attacks require the use of high-interaction honeypots. An essential part of the analysis is to differentiate between these types of attacks so that the overall analysis is efficient, in terms of hardware resource usage, and effective, by providing the attacker with an appropriately emulated environment. This article first analyses the current situation and then presents a solution in the form of a system made up of a hybrid honeynet and an expert system. For now, it focuses only on the SSH protocol, as it is widely used for remote system access and is a popular target of attacks. The system has been tested on real data collected over a one-year period. The article also deals with making the redirection of SSH connections as transparent as possible.
Title in English
Expert system assessing threat level of attacks on a hybrid SSH honeynet
Description of the result in English
Currently, many systems connected to the internet are exposed to hundreds of mostly automated network attacks on a daily basis. These are mostly very simple attacks originating from botnets. However, sophisticated attacks conducted both by automated systems and directly by humans are becoming more common. In order to develop adequate countermeasures, the behaviour of attackers has to be analysed effectively. Honeypots, a kind of lure for such attacks, are used for that purpose. The configuration of a honeypot varies depending on the type of attacks it is meant to attract. For simple, uniform attacks that sequentially repeat predefined commands, medium-interaction honeypots are sufficient, while more sophisticated attacks require the use of high-interaction honeypots. An essential part of the analysis is to differentiate between these types of attacks so that the overall analysis is efficient, in terms of hardware resource usage, and effective, by providing the attacker with an appropriately emulated environment. This article first analyses the current situation and then presents a solution in the form of a system made up of a hybrid honeynet and an expert system. For now, it focuses only on the SSH protocol, as it is widely used for remote system access and is a popular target of attacks. The system has been tested on real data collected over a one-year period. The article also deals with making the redirection of SSH connections as transparent as possible.
Classification
Type
J<sub>imp</sub> - Article in a periodical indexed in the Web of Science database
CEP field
—
OECD FORD field
10200 - Computer and information sciences
Result linkages
Project
—
Linkages
S - Specific research at universities
Other
Year of application
2020
Data confidentiality code
S - Complete and true data on the project are not subject to protection under special legal regulations
Data specific to the result type
Periodical name
Computers & Security
ISSN
0167-4048
e-ISSN
—
Volume of the periodical
92
Issue within the volume
May 2020
Country of the periodical's publisher
GB - United Kingdom of Great Britain and Northern Ireland
Number of pages of the result
19
Pages from-to
101784
UT WoS code of the article
000526984900032
EID of the result in the Scopus database
2-s2.0-85081547742