Study And Implement Of Distributed Virtual Honeynet System

Posted on: 2005-10-08
Degree: Master
Type: Thesis
Country: China
Candidate: J Wang
Full Text: PDF
GTID: 2178360182972384
Subject: Computer Science and Technology
Abstract/Summary:
Most security technologies are designed to prevent unauthorized access to resources, and security tools are put in place as defensive measures. This leaves shortcomings in protecting a network. As a dynamic security defense mechanism, however, a honeypot can effectively improve the overall security of a large-scale network. Based on an analysis of the state of research on honeynet technology, and in view of the shortcomings of security tools in intrusion detection and system protection, the Distributed Virtual Honeynet System (DVHS) is designed and implemented. Our work focuses on the following.

Firstly, an Anomaly Degree Model (ADM) is proposed. The model considers the following factors: the number of times baits are accessed, the range of baits accessed, the frequency of visits, the average payload length, the average port risk and so on, and it solves the problem of judging network attacks.

Secondly, the architecture of DVHS is presented. Virtual honeynets in different networks are divided into first agents, called FAgent, and second agents, called SAgent. An FAgent runs a real operating system, while an SAgent can simulate many hosts and network services. The architecture suits large-scale network environments: it makes up for the shortcomings of a single honeynet, and its practical cost is lower than that of a real honeynet.

Thirdly, the DVHS prototype is designed and implemented. The prototype consists of agents on the Linux platform and an agent console on Windows XP. Agents in different networks are composed of a self-contained virtual honeynet and a low-interaction honeypot, which reduces the inherent risk of the honeypot and adds to the realism of the simulation. The prototype makes up for the shortcomings of the existing different types of honeypots.

Finally, the testing and analysis of the prototype are presented. Typical hacker tools are chosen from different types of attack tools and used to test and analyze the prototype system. The test results indicate that the prototype's simulation of hosts and networks has a deception function to some extent and reduces the risk of real hosts being attacked, and that the anomaly degree judgement of an external host can give a preliminary conclusion as to whether that host is anomalous.

Our work has been applied in the project 'Distributed Network Monitoring and Warning System' (2003AA142010), which provides a strong tool and means for efficiently recognizing network attacks.
Keywords/Search Tags:network security, intrusion detection, hacker attack, honeypot, honeynet, anomaly degree