The original paper is in English. Non-English content has been machine-translated and may contain typographical errors or mistranslations. ex. Some numerals are expressed as "XNUMX".
In recent years, cyber attacks against infrastructure have become more serious. Unfortunately, infrastructures equipped with vulnerable remote management devices, which allow attackers to control the infrastructure, have been reported. Targeted attacks against infrastructure are carried out manually by human attackers rather than by automated scripts. The open questions here are how often attacks against such infrastructure occur and what attackers do after an intrusion. In this empirical study, we use a customized infrastructure honeypot to observe accesses, including attacks and security investigation activities. The proposed honeypot comprises (1) a platform that makes it easy to deploy real devices as honeypots, (2) a mechanism that increases the number of fictional facilities by changing the facility name displayed on the WebUI for each honeypot instance, (3) an interaction mechanism with visitors to infer their purpose, and (4) tracking mechanisms that identify visitors across long-term activities. We implemented and deployed the honeypot for 31 months. Our honeypot observed critical operations, such as configuration changes to the remote management device. We also observed long-term access to the honeypot's WebUI and Telnet service.
Takayuki SASAKI
Yokohama National University
Mami KAWAGUCHI
Yokohama National University
Takuhiro KUMAGAI
Yokohama National University
Katsunari YOSHIOKA
Yokohama National University
Tsutomu MATSUMOTO
Yokohama National University
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Takayuki SASAKI, Mami KAWAGUCHI, Takuhiro KUMAGAI, Katsunari YOSHIOKA, Tsutomu MATSUMOTO, "Observation of Human-Operated Accesses Using Remote Management Device Honeypot" in IEICE TRANSACTIONS on Fundamentals,
vol. E107-A, no. 3, pp. 291-305, March 2024, doi: 10.1587/transfun.2023CIP0018.
Abstract: In recent years, cyber attacks against infrastructure have become more serious. Unfortunately, infrastructures with vulnerable remote management devices, which allow attackers to control the infrastructure, have been reported. Targeted attacks against infrastructure are conducted manually by human attackers rather than automated scripts. Here, open questions are how often the attacks against such infrastructure happen and what attackers do after intrusions. In this empirical study, we observe the accesses, including attacks and security investigation activities, using the customized infrastructure honeypot. The proposed honeypot comprises (1) a platform that easily deploys real devices as honeypots, (2) a mechanism to increase the number of fictional facilities by changing the displayed facility names on the WebUI for each honeypot instance, (3) an interaction mechanism with visitors to infer their purpose, and (4) tracking mechanisms to identify visitors for long-term activities. We implemented and deployed the honeypot for 31 months. Our honeypot observed critical operations, such as changing configurations of a remote management device. We also observed long-term access to WebUI and Telnet service of the honeypot.
URL: https://global.ieice.org/en_transactions/fundamentals/10.1587/transfun.2023CIP0018/_p
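The abstract names two components that a practitioner building a similar honeypot would want to see concretely: per-instance facility naming (2) and tracking of visitors across instances and time (4). The Python below is an added illustration of those two ideas, not code from the paper or its authors; the paper's actual mechanisms are not described on this page. Everything beyond the component names is an assumption made here for the demonstration: the facility-name template list, deriving the display name from a salted hash of the instance id, tracking visitors by a cookie token with a fallback to the source IP, the WebUI paths treated as critical operations, and the 7-distinct-day threshold for "long-term" access. The replayed traffic is constructed, not observed data.

```python
"""Per-instance facility naming and long-term visitor tracking for a remote
management device honeypot.  Added illustrative example, not the authors'
implementation: templates, hashing scheme, cookie/IP tracking, critical paths
and the long-term threshold are all assumptions made here."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed fictional facility name templates (assumption).
FACILITY_TEMPLATES = ["Water Pump Station", "Solar Power Plant",
                      "District Heating Plant", "Wastewater Treatment Works"]
# WebUI paths treated as critical operations (assumption, not a real device's paths).
CRITICAL_PATHS = {"/config/save", "/config/restore", "/reboot"}
LONG_TERM_DAYS = 7  # a visitor active on >= this many distinct days is "long-term"


def facility_name(instance_id: int, secret_salt: bytes = b"deploy-salt") -> str:
    """Derive a stable, distinct-looking display name for one honeypot instance.

    Hashing (salt, instance_id) keeps the name fixed across restarts while
    avoiding an obviously sequential scheme that would reveal the instances
    as copies of one honeypot.
    """
    digest = hashlib.sha256(secret_salt + instance_id.to_bytes(4, "big")).digest()
    template = FACILITY_TEMPLATES[digest[0] % len(FACILITY_TEMPLATES)]
    site_no = 1 + int.from_bytes(digest[1:3], "big") % 99
    return f"{template} No.{site_no:02d}"


@dataclass
class Visitor:
    token: str
    first_seen: datetime
    last_seen: datetime
    source_ips: set[str] = field(default_factory=set)
    instances: set[int] = field(default_factory=set)
    active_days: set[str] = field(default_factory=set)
    critical_ops: list[tuple[datetime, int, str]] = field(default_factory=list)

    @property
    def is_long_term(self) -> bool:
        return len(self.active_days) >= LONG_TERM_DAYS


class VisitorTracker:
    """Correlate WebUI requests across instances by a cookie token, falling back
    to the source IP when the client presents no (or an unknown) token."""

    def __init__(self) -> None:
        self.visitors: dict[str, Visitor] = {}
        self.ip_to_token: dict[str, str] = {}

    def record(self, ts: datetime, instance_id: int, src_ip: str,
               path: str, token: str | None) -> str:
        """Log one request; return the token the honeypot should set in its response."""
        if token is None or token not in self.visitors:
            # Reuse the IP's last token (same operator, cookie cleared) or mint a fresh one.
            token = self.ip_to_token.get(src_ip) or secrets.token_hex(16)
        v = self.visitors.get(token)
        if v is None:
            v = Visitor(token=token, first_seen=ts, last_seen=ts)
            self.visitors[token] = v
        self.ip_to_token[src_ip] = token
        v.last_seen = max(v.last_seen, ts)
        v.source_ips.add(src_ip)
        v.instances.add(instance_id)
        v.active_days.add(ts.date().isoformat())
        if path in CRITICAL_PATHS:
            v.critical_ops.append((ts, instance_id, path))
        return token

    def long_term_visitors(self) -> list[Visitor]:
        return [v for v in self.visitors.values() if v.is_long_term]

    def critical_operations(self) -> list[tuple[datetime, str, int, str]]:
        return sorted((ts, v.token, inst, path)
                      for v in self.visitors.values() for ts, inst, path in v.critical_ops)


def run_demo() -> dict:
    """Replay constructed sample traffic (not observed data) and summarise it."""
    tracker = VisitorTracker()
    cookies: dict[str, str] = {}  # client label -> cookie the client keeps
    base = datetime(2021, 1, 1, 9, 0)
    # (day offset, client, instance id, source IP, path, client keeps cookies?)
    events = [
        (0, "A", 1, "198.51.100.7", "/login", True),
        (0, "A", 1, "198.51.100.7", "/status", True),
        (2, "A", 3, "203.0.113.9", "/status", True),   # same cookie, new IP
        (5, "A", 3, "203.0.113.9", "/status", True),
        (9, "A", 1, "198.51.100.7", "/status", True),
        (14, "A", 3, "203.0.113.9", "/status", True),
        (20, "A", 1, "198.51.100.7", "/status", True),
        (27, "A", 3, "203.0.113.9", "/config/save", True),  # critical operation
        (1, "B", 2, "192.0.2.55", "/", False),           # scanner, never returns cookie
        (1, "B", 5, "192.0.2.55", "/", False),           # correlated by IP fallback
    ]
    for day, client, inst, ip, path, keeps_cookie in events:
        presented = cookies.get(client) if keeps_cookie else None
        issued = tracker.record(base + timedelta(days=day), inst, ip, path, presented)
        if keeps_cookie:
            cookies[client] = issued
    long_term = tracker.long_term_visitors()
    return {
        "visitors": len(tracker.visitors),
        "long_term": len(long_term),
        "long_term_days": sorted(len(v.active_days) for v in long_term),
        "long_term_instances": sorted(len(v.instances) for v in long_term),
        "critical": [(inst, path) for _, _, inst, path in tracker.critical_operations()],
    }


if __name__ == "__main__":
    for i in (1, 2, 3):
        print(i, facility_name(i))
    print(run_demo())
```

The IP fallback is what lets a cookie-less scanner that sweeps several instances still be counted as one visitor, while the token is what keeps a human operator who changes source address (VPN, hotel Wi-Fi) attached to one history; the constructed run ends with two visitors, of whom only the returning operator crosses the long-term threshold and performs the configuration change.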
@ARTICLE{e107-a_3_291,
author={Takayuki SASAKI and Mami KAWAGUCHI and Takuhiro KUMAGAI and Katsunari YOSHIOKA and Tsutomu MATSUMOTO},
journal={IEICE TRANSACTIONS on Fundamentals},
title={Observation of Human-Operated Accesses Using Remote Management Device Honeypot},
year={2024},
volume={E107-A},
number={3},
pages={291-305},
abstract={In recent years, cyber attacks against infrastructure have become more serious. Unfortunately, infrastructures with vulnerable remote management devices, which allow attackers to control the infrastructure, have been reported. Targeted attacks against infrastructure are conducted manually by human attackers rather than automated scripts. Here, open questions are how often the attacks against such infrastructure happen and what attackers do after intrusions. In this empirical study, we observe the accesses, including attacks and security investigation activities, using the customized infrastructure honeypot. The proposed honeypot comprises (1) a platform that easily deploys real devices as honeypots, (2) a mechanism to increase the number of fictional facilities by changing the displayed facility names on the WebUI for each honeypot instance, (3) an interaction mechanism with visitors to infer their purpose, and (4) tracking mechanisms to identify visitors for long-term activities. We implemented and deployed the honeypot for 31 months. Our honeypot observed critical operations, such as changing configurations of a remote management device. We also observed long-term access to WebUI and Telnet service of the honeypot.},
keywords={},
doi={10.1587/transfun.2023CIP0018},
ISSN={1745-1337},
month={March},}
TY - JOUR
TI - Observation of Human-Operated Accesses Using Remote Management Device Honeypot
T2 - IEICE TRANSACTIONS on Fundamentals
SP - 291
EP - 305
AU - Takayuki SASAKI
AU - Mami KAWAGUCHI
AU - Takuhiro KUMAGAI
AU - Katsunari YOSHIOKA
AU - Tsutomu MATSUMOTO
PY - 2024
DO - 10.1587/transfun.2023CIP0018
JO - IEICE TRANSACTIONS on Fundamentals
SN - 1745-1337
VL - E107-A
IS - 3
JA - IEICE TRANSACTIONS on Fundamentals
Y1 - March 2024
AB - In recent years, cyber attacks against infrastructure have become more serious. Unfortunately, infrastructures with vulnerable remote management devices, which allow attackers to control the infrastructure, have been reported. Targeted attacks against infrastructure are conducted manually by human attackers rather than automated scripts. Here, open questions are how often the attacks against such infrastructure happen and what attackers do after intrusions. In this empirical study, we observe the accesses, including attacks and security investigation activities, using the customized infrastructure honeypot. The proposed honeypot comprises (1) a platform that easily deploys real devices as honeypots, (2) a mechanism to increase the number of fictional facilities by changing the displayed facility names on the WebUI for each honeypot instance, (3) an interaction mechanism with visitors to infer their purpose, and (4) tracking mechanisms to identify visitors for long-term activities. We implemented and deployed the honeypot for 31 months. Our honeypot observed critical operations, such as changing configurations of a remote management device. We also observed long-term access to WebUI and Telnet service of the honeypot.
ER -