Honeyv: A Virtualized Honeynet System Based On Network Softwarization

NOMS 2018 - 2018 IEEE/IFIP NETWORK OPERATIONS AND MANAGEMENT SYMPOSIUM (2018)

Abstract
Intrusion detection in modern enterprise networks faces challenges due to the increasingly large volume of data and insufficient training data for anomaly detection. In this work, we propose a novel network topology for improved intrusion detection through a multi-phase data monitoring system. Rather than the all-or-nothing approach of terminating all sessions identified as suspicious, the topology routes traffic to different server replicas with different monitoring intensity levels based on their likelihood of attacks. This topology leverages recent advances in software-defined networking (SDN) to dynamically route such sessions into risk-appropriate computing environments. These environments offer enhanced training opportunities for intrusion detection systems (IDSes) by exposing data streams that would not have been observable had the session merely been terminated at the first sign of maliciousness. They also afford defenders finer-grained risk management by supporting a continuum of endpoint environments, ranging from fully trusted, to semi-trusted, to fully untrusted, for example.
Keywords
HoneyV, virtualized honeynet system, network softwarization, anomaly detections, multiphase data monitoring system, topology route traffic, software-defined networking, risk-appropriate computing environments, enhanced training opportunities intrusion detection systems, enterprise networks, network topology, intrusion detection system, data streaming, intensity level monitoring, SDN, IDSe, risk management