
A Kernel-Level Intelligent Middleware For Honeypot Filesystem

Posted on: 2012-07-24
Degree: Master
Type: Thesis
Country: China
Candidate: D Fang
Full Text: PDF
GTID: 2218330362956288
Subject: Communication and Information System
Abstract/Summary:
As an important security research tool and method, the honeypot has been applied by many organizations and commercial companies for security research and protection. By using honeypots, and networks composed of honeypots, which are called honeynets, enterprises and organizations are able to discover the focal security issues and spreading attack tricks. Much research has been done to improve honeypot architecture. The filesystem, which plays an important role in a honeypot, is a common topic in the security domain. However, until now, most research on filesystems has focused on access control, encryption, auditing, forensics and so on, and has not been aimed at honeypot use. On the other hand, there are only a few papers on how to discover more potential attacks by utilizing the filesystem of a honeypot. This paper proposes a filesystem middleware that helps the honeypot trap and log attacks. By intercepting different types of file operations, performing context-related analysis, and making intelligent file operation responses according to the analysis results, our filesystem can maximize the value of the honeypot in discovering attacks and securing systems. The middleware we designed is based on the Linux VFS and sits between the VFS and the underlying filesystems. By intercepting file operations from the upper layer and manipulating them, our middleware can take control of system-wide file operations: it can log, track, deny and even redirect file access operations, and when to apply these manipulations is decided by the intelligent analytical module in the middleware. In the latter half of this paper, we performed some verification experiments, tests and a performance assessment of the system into which our middleware was introduced, to ensure that the middleware does not degrade system performance. Our middleware runs in the kernel environment, so it is transparent to the upper layers and cannot easily be noticed, which is more favorable in a real environment.
Keywords/Search Tags:Honeypot, Filesystem, Kernel Module, Security, Middleware