2005 | OriginalPaper | Chapter
Towards Automatic Learning of Valid Services for Honeypots
Authors : Vishal Chowdhary, Alok Tongaonkar, Tzi-cker Chiueh
Published in: Distributed Computing and Internet Technology
Publisher: Springer Berlin Heidelberg
Activate our intelligent search to find suitable subject content or patents.
Select sections of text to find matching patents with Artificial Intelligence. powered by
Select sections of text to find additional relevant content using AI-assisted search. powered by
Honeypots have emerged as an important tool in the field of
Intrusion Detection Systems
. Honeypots are decoy machines whose sole purpose is to be compromised by network attackers, in order to gain information about the attack techniques. The biggest challenge in deploying honeypots is their configuration and maintenance compounded with the fact that they either
emulate
a few services or provide the real services. The emulated services, which are usually implemented using scripts, are restricted by the responses given to the attacker. This limits the amount of information that can be gathered. The scipts are also much easier to be detected by the attacker. On the other hand, the drawback of providing real services is the greater risk associated with their use.
In this paper, we describe
service-mining
, a machine learning approach to learn and emulate behavior of real-world services. Given large enough traces of the real-service interactions and some basic information about the service, we propose a scheme whereby we can learn the semantics of its various commands and then effectively emulate the service. This service may then be deployed on a honeypot to capture attack signatures without posing a threat to the complete network.
Our initial experience in trying to emulate the popular FTP service is promising. We are able to learn the FTP service and then intelligently and consistently respond to user queries with our emulated FTP service.