In this paper, we design and implement a new plugin for Honeyd that automatically generates attack signatures. Current network intrusion detection systems work as misuse detectors: packets in the monitored network are compared against a repository of signatures. We instead focus on automatic signature generation from malicious network traffic. Our proposed system inspects honeypot traffic and generates intrusion signatures for unknown traffic. The signature is based on traffic patterns and is derived with the Longest Common Substring (LCS) algorithm. Our system is a plugin to Honeyd, a low-interaction honeypot. Its output is a file containing honeypot intrusion signatures in pseudo-Snort format. A signature generation system has already been implemented for the Linux operating system (OS); because of the common use of Windows, we implement ours for the Windows OS, using the C programming language.
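A sketch of the idea in the abstract, added here as an illustration and not taken from the paper or from Honeyd: find the longest common substring of two payloads seen on the same honeypot port and wrap it in a Snort-style rule. The dynamic-programming LCS, the rule layout, `MIN_SIG_LEN`, all function names and both sample payloads are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MIN_SIG_LEN 4 /* assumed: shorter shared runs are too generic to alert on */
/* Constructed payloads standing in for two sessions captured on one honeypot port. */
static const unsigned char SAMPLE_A[] = "GET /index.php?id=1 HTTP/1.0\r\n\r\n\xde\xad\xbe\xef" "/probe;AAAA";
static const unsigned char SAMPLE_B[] = "POST /form.cgi HTTP/1.1\r\n\r\n\xde\xad\xbe\xef" "/probe;BBBB";
static char rule_buf[256];
static size_t sig_off;
/* Longest common substring of two byte buffers: O(la*lb) time, O(lb) memory.
 * Returns its length and stores its offset in a; 0 if none or out of memory. */
size_t lcs_bytes(const unsigned char *a, size_t la, const unsigned char *b, size_t lb, size_t *start)
{
    size_t best = 0, i, j, *row = calloc(lb + 1, sizeof *row);
    *start = 0;
    if (!row) return 0;
    for (i = 1; i <= la; i++)
        for (j = lb; j >= 1; j--) { /* descending j keeps row[j-1] from row i-1 */
            row[j] = (a[i - 1] == b[j - 1]) ? row[j - 1] + 1 : 0;
            if (row[j] > best) { best = row[j]; *start = i - best; }
        }
    free(row);
    return best;
}

/* Write a Snort-style rule matching p[0..n). Printable bytes stay literal; others
 * and the characters " \ ; | go into |hex| runs. 0 on success, -1 on failure. */
int make_rule(char *out, size_t cap, unsigned port, const unsigned char *p, size_t n)
{
    size_t i, used; int hex = 0, k;
    if (n < MIN_SIG_LEN) return -1;
    k = snprintf(out, cap, "alert tcp any any -> any %u (msg:\"honeypot LCS\"; content:\"", port);
    if (k < 0 || (size_t)k >= cap) return -1;
    for (used = (size_t)k, i = 0; i < n; i++, used += (size_t)k) {
        int plain = p[i] >= 0x20 && p[i] < 0x7f && !strchr("\"\\;|", p[i]);
        const char *pre = plain ? (hex ? "|" : "") : (hex ? " " : "|");
        k = snprintf(out + used, cap - used, plain ? "%s%c" : "%s%02X", pre, p[i]);
        if (k < 0 || (size_t)k >= cap - used) return -1;
        hex = !plain;
    }
    k = snprintf(out + used, cap - used, "%s\";)", hex ? "|" : "");
    return (k < 0 || (size_t)k >= cap - used) ? -1 : 0;
}
const char *demo(void) /* rule for the two samples, or NULL if no usable signature */
{
    size_t n = lcs_bytes(SAMPLE_A, sizeof SAMPLE_A - 1, SAMPLE_B, sizeof SAMPLE_B - 1, &sig_off);
    return make_rule(rule_buf, sizeof rule_buf, 80, SAMPLE_A + sig_off, n) ? NULL : rule_buf;
}
int main(void) { const char *r = demo(); puts(r ? r : "no signature"); return 0; }
```

The shared protocol text `" HTTP/1."` loses to the longer 15-byte run that both payloads carry after the headers, which is why the length threshold matters: with only two benign-looking sessions the longest common substring would be protocol boilerplate.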
Published in: International Journal of Intelligent Information Systems (Volume 3, Issue 6-1). This article belongs to the Special Issue Research and Practices in Information Systems and Technologies in Developing Countries.
DOI: 10.11648/j.ijiis.s.2014030601.14
Page(s): 23-27
Creative Commons: This is an Open Access article, distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution and reproduction in any medium or format, provided the original work is properly cited.
Copyright: Copyright © The Author(s), 2014. Published by Science Publishing Group
Keywords: Honeypot, Honeyd, Signature, Intrusion Detection System (IDS), Longest Common Substring (LCS) Algorithm
APA Style
Motahareh Dehghan, Babak Sadeghiyan. (2014). Improving Honeyd for Automatic Generation of Attack Signatures. International Journal of Intelligent Information Systems, 3(6-1), 23-27. https://doi.org/10.11648/j.ijiis.s.2014030601.14