A Method to Obtain Signatures from Honeypots Data

Chi, Chi-Hung; Li, Ming; Liu, Dongxi

doi:10.1007/978-3-540-30141-7_61

Chi-Hung Chi²⁰,
Ming Li²¹ &
Dongxi Liu²⁰

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 3222))

Included in the following conference series:

IFIP International Conference on Network and Parallel Computing

949 Accesses

Abstract

Building intrusion detection model in an automatic and online way is worth discussing for timely detecting new attacks. This paper gives a scheme to automatically construct snort rules based on data captured by honeypots on line. Since traffic data to honeypots represent abnormal activities, activity patterns extracted from those data can be used as attack signatures. Packets captured by honeypots are unwelcome, but it appears unnecessary to translate each of them into a signature to use entire payload as activity pattern. In this paper, we present a way based on system specifications of honeypots. It can reflect seriousness level of captured packets. Relying on discussed system specifications, only critical packets are chosen to generate signatures and discriminating values are extracted from packet payload as activity patterns. After formalizing packet structure and syntax of snort rule, we design an algorithm to generate snort rules immediately once it meets critical packets.

Download to read the full chapter text

Chapter PDF

Learning Probe Attack Patterns with Honeypots

APT Attack Heuristic Induction Honeypot Platform Based on Snort and OpenFlow

Honeypot Utilization for Network Intrusion Detection

Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

References

Spitzner, L.: Honeypots: Tracking Hackers. Addison-Wesley, Reading (2002)
Google Scholar
Honeynet Project, Know Your Enemy, Honeynets, http://project.honeynet.org/papers/honeynet/
Roesch, M.: Snort-lightweight intrusion detection for networks. In: 1999 USENIX (1999)
Google Scholar
Ilgun, K., et al.: IEEE T. on Software Eng. 21(3), 181–199 (1995)
Article Google Scholar
Paxson, V.: Computer Networks 31(23/24), 2435–2463 (1999)
Article Google Scholar
Li, M.: An approach to reliably identifying signs of DDOS flood attacks based on LRD traffic pattern recognition. Computer & Security (2004) (to appear)
Google Scholar
Kemmerer, R.A., Vigna, G.: Supplement to Computer 35(4), 27–30 (2002)
Google Scholar
Eckmann, S.T.: Proc., RAID, LNCS, vol. 2212, pp. 69–84 (2001)
Google Scholar
Kendall, K.: A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems, Master Thesis, MIT (1999)
Google Scholar
Roesch, M., Green, C.: Snort users manual, http://www.snort.org/docs/SnortUsers-Manual.pdf
http://project.honeynet.org/papers/enemy/probed.txt

Download references

Author information

Authors and Affiliations

School of Computing, National University of Singapore, Singapore, 117543
Chi-Hung Chi & Dongxi Liu
School of Information Science & Technology, East China Normal University, Shanghai, 200062, P.R. China
Ming Li

Authors

Chi-Hung Chi
View author publications
You can also search for this author in PubMed Google Scholar
Ming Li
View author publications
You can also search for this author in PubMed Google Scholar
Dongxi Liu
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

Services Computing Technology and System Lab Cluster and Grid Computing Lab School of Computer Science and Technology, Huazhong University of Science and Technology, 430074, Wuhan, China
Hai Jin
University of Delaware, Newark, DE, USA
Guang R. Gao
Institute of Computing Technology, Chinese Academy of Sciences, 100080, Beijing, China
Zhiwei Xu
Software Engineering Institute, East China Normal University, 20062, Shanghai, China
Hao Chen

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Chi, CH., Li, M., Liu, D. (2004). A Method to Obtain Signatures from Honeypots Data. In: Jin, H., Gao, G.R., Xu, Z., Chen, H. (eds) Network and Parallel Computing. NPC 2004. Lecture Notes in Computer Science, vol 3222. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30141-7_61

Download citation

DOI: https://doi.org/10.1007/978-3-540-30141-7_61
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-23388-6
Online ISBN: 978-3-540-30141-7
eBook Packages: Springer Book Archive

Publish with us

Policies and ethics