Abstract
This paper describes a system for automated generation of attack signatures for network intrusion detection systems. Our system applies pattern-matching techniques and protocol conformance checks at multiple levels of the protocol hierarchy to network traffic captured on a honeypot system. We present results of running the system on an unprotected cable modem connection for 24 hours. The system successfully created precise traffic signatures that would otherwise have required the skills and time of a security officer to inspect the traffic manually.
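The abstract names the three ingredients (honeypot capture, per-layer protocol conformance checks, pattern matching across the captured traffic) but not the algorithm. The following is an added example, not code from the paper or the Honeycomb project: it assumes the pattern-matching step is longest-common-substring extraction over the payloads of flows that share the same transport-level attributes, uses a minimal HTTP request-line conformance check as the application-layer check, and emits Snort-style rules as the output format. The flows, the probe URL, the binary payload and the `sid` values are all constructed for illustration.

```python
"""
Constructed example: derive NIDS signatures from traffic captured at a honeypot.
1. Group flows by transport-level attributes (protocol, destination port).
2. Run an application-level conformance check where one is known for the port.
3. Extract the longest byte string common to every payload in the group and
   emit it as a Snort-style content rule.
Illustrative only; this is not the Honeycomb implementation.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    proto: str
    dst_port: int
    payload: bytes


HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"TRACE"}


def http_request_conforms(payload: bytes) -> bool:
    """Minimal HTTP/1.x request-line check: METHOD SP /target SP HTTP/1.x CRLF."""
    line, sep, _ = payload.partition(b"\r\n")
    if not sep:
        return False
    parts = line.split(b" ")
    if len(parts) != 3:
        return False
    method, target, version = parts
    return (method in HTTP_METHODS and target.startswith(b"/")
            and version in (b"HTTP/1.0", b"HTTP/1.1"))


# Application-layer checkers keyed by destination port (assumption: only HTTP here).
CONFORMANCE = {80: http_request_conforms}


def longest_common_substring(payloads):
    """Longest byte string present in every payload.

    Brute force over substrings of the shortest payload, longest first. A
    production system would use a suffix tree; this is O(n^2 * m) but clear.
    Requires at least two payloads, otherwise returns b"".
    """
    if len(payloads) < 2:
        return b""
    shortest = min(payloads, key=len)
    others = [p for p in payloads if p is not shortest]
    n = len(shortest)
    for length in range(n, 0, -1):
        for start in range(0, n - length + 1):
            cand = shortest[start:start + length]
            if all(cand in p for p in others):
                return cand
    return b""


def snort_content(pattern: bytes) -> str:
    """Render bytes as a Snort content string: printable ASCII literally,
    everything else (and Snort's special characters) as |hex| runs."""
    out, hexrun = [], []

    def flush():
        if hexrun:
            out.append("|" + " ".join(f"{b:02X}" for b in hexrun) + "|")
            hexrun.clear()

    for b in pattern:
        if 0x20 <= b < 0x7F and chr(b) not in '"|;\\':
            flush()
            out.append(chr(b))
        else:
            hexrun.append(b)
    flush()
    return "".join(out)


def generate_signatures(flows, min_len=8, min_flows=2, sid_base=1000001):
    """Return Snort-style rules, one per (proto, port) group with a usable pattern.

    min_len guards against over-broad signatures such as a bare protocol
    keyword; min_flows avoids turning a single connection into a rule.
    sid_base is a placeholder numbering scheme (assumption).
    """
    groups = defaultdict(list)
    for f in flows:
        groups[(f.proto, f.dst_port)].append(f)
    rules = []
    for (proto, port), group in sorted(groups.items()):
        if len(group) < min_flows:
            continue
        pattern = longest_common_substring([f.payload for f in group])
        if len(pattern) < min_len:
            continue
        checker = CONFORMANCE.get(port)
        nonconforming = checker is not None and any(not checker(f.payload) for f in group)
        msg = f"honeypot {proto}/{port} pattern"
        if nonconforming:
            msg += " (non-conforming HTTP)"
        rules.append(
            f'alert {proto} any any -> any {port} (msg:"{msg}"; '
            f'content:"{snort_content(pattern)}"; sid:{sid_base + len(rules)}; rev:1;)'
        )
    return rules


# Constructed sample capture: three probes of the same CGI path (one malformed),
# two binary connections to port 4444, two SMTP greetings, one lone SSH banner.
SAMPLE_FLOWS = [
    Flow("198.51.100.1", "tcp", 80, b"GET /cgi-bin/probe.cgi?cmd=id HTTP/1.0\r\nHost: a\r\n\r\n"),
    Flow("198.51.100.2", "tcp", 80, b"GET /cgi-bin/probe.cgi?cmd=ls HTTP/1.1\r\nHost: b\r\n\r\n"),
    Flow("198.51.100.3", "tcp", 80, b"GET /cgi-bin/probe.cgi?cmd=uname\n"),
    Flow("203.0.113.7", "tcp", 4444, b"\x01\x00MAGIC\x90\x90\x90\x90\xcc\xcc\x00\x10"),
    Flow("203.0.113.8", "tcp", 4444, b"\x01\x00MAGIC\x90\x90\x90\x90\xcc\xcc\x00\x20"),
    Flow("203.0.113.9", "tcp", 25, b"HELO alpha\r\n"),
    Flow("203.0.113.10", "tcp", 25, b"EHLO beta\r\n"),
    Flow("203.0.113.11", "tcp", 22, b"SSH-2.0-probe\r\n"),
]

if __name__ == "__main__":
    for rule in generate_signatures(SAMPLE_FLOWS):
        print(rule)
```

On the constructed capture this yields two rules: the port-80 group shares the 27-byte prefix `GET /cgi-bin/probe.cgi?cmd=` and is flagged because one request fails the HTTP check, and the port-4444 group shares a 14-byte binary prefix rendered with hex escapes. The SMTP pair is dropped because its only common bytes are too short to be a useful signature, and the single SSH flow never forms a group; those two thresholds are where a practitioner tunes the trade-off between precision and the false positives a too-short pattern would cause.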
Index Terms
- Honeycomb: creating intrusion detection signatures using honeypots