Peer-Reviewed

Improving Honeyd for Automatic Generation of Attack Signatures

Received: 7 October 2014     Accepted: 11 October 2014     Published: 20 October 2014
Abstract

In this paper, we design and implement a new plugin for Honeyd that generates attack signatures automatically. Current network intrusion detection systems rely on misuse detection, where the packets in the monitored network are compared against a repository of signatures. We instead focus on automatic signature generation from malicious network traffic. Our proposed system inspects honeypot traffic and generates intrusion signatures for unknown traffic. The signatures are based on traffic patterns and are derived with the Longest Common Substring (LCS) algorithm. The system is a plugin for Honeyd, a low-interaction honeypot. Its output is a file containing honeypot intrusion signatures in pseudo-Snort format. A signature generation system has already been implemented for the Linux operating system (OS), but because of the common use of Windows OS, we implement ours for Windows OS, using the C programming language.
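The following sketch illustrates the idea in the abstract: take the longest common substring of two honeypot payloads and write it out as a Snort-style rule. It is an added example, not the authors' plugin code. The function names, the sample payloads, the rule layout and the simple dynamic-programming LCS are all assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample payloads (not from the paper), differing in one field. */
static const unsigned char SESS_A[] = "USER u17\r\nXCMD |probe;v1\r\n";
static const unsigned char SESS_B[] = "USER u92\r\nXCMD |probe;v1\r\n";

/* Longest common substring, O(n*m) DP with two rolling rows. Returns the
 * length; *start is the offset in a. b is assumed shorter than 512 bytes. */
size_t lcs_bytes(const unsigned char *a, size_t alen,
                 const unsigned char *b, size_t blen, size_t *start)
{
    size_t row[2][512] = {{0}}, best = 0;
    *start = 0;
    if (blen >= 512) return 0;
    for (size_t i = 1; i <= alen; i++) {
        size_t *cur = row[i & 1], *prev = row[(i - 1) & 1];
        for (size_t j = 1; j <= blen; j++) {
            cur[j] = (a[i - 1] == b[j - 1]) ? prev[j - 1] + 1 : 0;
            if (cur[j] > best) { best = cur[j]; *start = i - best; }
        }
    }
    return best;
}

/* Write a Snort-style rule (layout is an assumption). Bytes that are not
 * safe inside content:"..." are hex-encoded as |XX|. Returns -1 if truncated. */
int emit_rule(char *out, size_t outsz, int port, int sid,
              const unsigned char *pat, size_t len)
{
    int n = snprintf(out, outsz, "alert tcp any any -> any %d "
                     "(msg:\"honeypot LCS signature\"; content:\"", port);
    for (size_t i = 0; i < len && (size_t)n < outsz; i++) {
        unsigned c = pat[i];
        int plain = isprint((int)c) && c != '"' && c != '|' && c != ';' && c != '\\';
        n += snprintf(out + n, outsz - n, plain ? "%c" : "|%02X|", c);
    }
    if ((size_t)n < outsz) n += snprintf(out + n, outsz - n, "\"; sid:%d;)", sid);
    return (size_t)n < outsz ? n : -1;
}

int main(void)
{
    char rule[256];
    size_t off, len = lcs_bytes(SESS_A, sizeof SESS_A - 1, SESS_B, sizeof SESS_B - 1, &off);
    if (emit_rule(rule, sizeof rule, 21, 1000001, SESS_A + off, len) > 0)
        puts(rule);
    return 0;
}
```

The per-session field (`u17` / `u92`) drops out of the signature, while the invariant part of the payload survives as the `content` pattern; a very short LCS would match benign traffic too, so a minimum-length threshold is the usual guard before accepting a rule.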

Published in International Journal of Intelligent Information Systems (Volume 3, Issue 6-1)

This article belongs to the Special Issue Research and Practices in Information Systems and Technologies in Developing Countries

DOI 10.11648/j.ijiis.s.2014030601.14
Page(s) 23-27
Creative Commons

This is an Open Access article, distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution and reproduction in any medium or format, provided the original work is properly cited.

Copyright

Copyright © The Author(s), 2014. Published by Science Publishing Group

Keywords

Honeypot, Honeyd, Signature, Intrusion Detection System (IDS), Longest Common Substring (LCS) Algorithm

Cite This Article
  • APA Style

    Motahareh Dehghan, Babak Sadeghiyan. (2014). Improving Honeyd for Automatic Generation of Attack Signatures. International Journal of Intelligent Information Systems, 3(6-1), 23-27. https://doi.org/10.11648/j.ijiis.s.2014030601.14


Author Information
  • Department of Computer Engineering and Information Technology, Amirkabir University of Technology (AUT), Tehran, Iran

  • Department of Computer Engineering and Information Technology, Amirkabir University of Technology (AUT), Tehran, Iran
