An SDN-NFV-enabled Honeypot for Manipulating Command & Control Shell TCP Connection.

Siyuan Wu, Wenjun Fan

NOMS (2023)

Abstract
A honeypot is a dedicated security tool for enticing and deceiving adversaries. With a successful intrusion, an adversary would often obtain a shell (either bind or reverse, depending on the type of attack), which is used to command and control (C&C) the compromised machine. The serious consequences of C&C must be controlled. As is well known, the C&C shell is often sustained by a TCP connection. However, many honeypots lack the capability to control the shell TCP connections, i.e., a high-interaction honeypot (HIH) is often unable to migrate the bind shell TCP connection, and a low-/medium-interaction honeypot (LIH/MIH) does not even support creating a reverse shell TCP connection. In this paper, we use Software Defined Network (SDN) and Network Function Virtualization (NFV) to propose an SDN-NFV-enabled honeypot system that provides a container-based covert attack-connection manipulation mechanism to address the above issue. Taking advantage of the SDN/NFV technology, the proposed honeypot is able to respond dynamically by building a shell-container to deceive the adversary, following the moving-target defense principle. To consolidate the proposal, a prototype is implemented, and a number of experiments are conducted. The experimental results show that the proposed honeypot system is effective and efficient.
Keywords
Honeypot, SDN, NFV, Bind Shell, Reverse Shell, Connection Manipulation, Moving Target Defense