This work explores a scalable data analytics pipeline for real-time attack detection through the use of customized honeypots at the National Center for Supercomputing Applications (NCSA). Attack detection tools are common and are constantly being improved, but validating these tools is challenging. One must automate how to identify what data is essential to detecting the attack, extract this data from multiple different monitors, and send this data to the attack detection tool. On top of this, one must be able to scale efficiently with an ever-increasing amount of data, while also having the ability to extend to new monitors. This requires an infrastructure that is non-trivial to create or to deploy.

In this work, we present a generalized architecture that aims for a real-time, scalable, and extensible pipeline that can be deployed in diverse infrastructures to validate arbitrary attack detection tools. To demonstrate our architecture, we show an example deployment of our pipeline using completely open-source tools. Our example deployment uses as its sources: 1) a customized honeypot environment at NCSA, and 2) customized attack scripts written to follow the skeleton of canonical credential-stealing attacks. To extract useful information, we have deployed network and host-based monitoring tools such as Bro and OSSEC. We have also built an attack detection tool named AttackTagger that we use as our front-end detection engine.
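The extraction stage described above, as an added illustration that is not the thesis's own code: one parser per monitor (Bro and OSSEC here) emits a common event record, registering another parser is all that extending to a new monitor requires, and the fanned-in stream is grouped by source IP as a detection engine would consume it. The log samples are constructed to mimic Bro's tab-separated logs and OSSEC's alerts.log and are not real NCSA data.

```python
# Added example (not the thesis's code): a minimal extraction layer in the spirit of the
# described pipeline; one parser per monitor, a new monitor is one more registration.
import re
from typing import Callable, Dict, Iterator, List

PARSERS: Dict[str, Callable[[str], Iterator[Dict[str, str]]]] = {}
def monitor(name: str):
    """Register a parser under a monitor name (the extensibility hook)."""
    def wrap(fn):
        PARSERS[name] = fn
        return fn
    return wrap

@monitor("bro")
def parse_bro(text: str) -> Iterator[Dict[str, str]]:
    """Bro logs are TSV; a '#fields' header names the columns of the rows that follow."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split("\t")))
            yield {"ts": row["ts"], "monitor": "bro", "src": row["id.orig_h"],
                   "dst": row["id.resp_h"], "kind": "conn:" + row.get("service", "-")}

@monitor("ossec")
def parse_ossec(text: str) -> Iterator[Dict[str, str]]:
    """OSSEC alerts.log: blank-line separated blocks with '** Alert <epoch>', Rule, Src IP."""
    for block in text.strip().split("\n\n"):
        hdr = re.match(r"\*\* Alert (\d+)\.\d+:", block)
        rule = re.search(r"Rule: (\d+) \(level (\d+)\)", block)
        src = re.search(r"Src IP: (\S+)", block)
        if hdr and rule:
            yield {"ts": hdr.group(1), "monitor": "ossec", "src": src.group(1) if src else "-",
                   "dst": "-", "kind": f"rule:{rule.group(1)}:level{rule.group(2)}"}

def extract(inputs: Dict[str, str]) -> List[Dict[str, str]]:
    """Fan every registered monitor's output into one time-ordered stream for the detector."""
    events = [e for name, text in inputs.items() for e in PARSERS[name](text)]
    return sorted(events, key=lambda e: float(e["ts"]))

def by_source(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group event kinds by source IP, the join a credential-theft detector typically needs."""
    out: Dict[str, List[str]] = {}
    for e in events:
        out.setdefault(e["src"], []).append(e["kind"])
    return out

# Constructed samples (not real data): an SSH connection seen by Bro, then the OSSEC login alert.
BRO_SAMPLE = ("#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n"
              "1400000000.100000\tCabc1\t203.0.113.5\t51000\t192.0.2.10\t22\ttcp\tssh\n")
OSSEC_SAMPLE = ("** Alert 1400000010.123: - syslog,sshd,authentication_success,\n"
                "Rule: 5715 (level 3) -> 'SSHD authentication success.'\n"
                "Src IP: 203.0.113.5\n")
```

Calling `by_source(extract({"bro": BRO_SAMPLE, "ossec": OSSEC_SAMPLE}))` yields one entry for 203.0.113.5 holding both the network connection and the host alert, which is the kind of correlated view a front-end detector like the one described needs.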
Scalable data analytics pipeline for real-time attack detection: design, validation, and deployment in a honeypot environment