16-04-2012, 04:28 PM
Honeycomb Creating Intrusion Detection Signatures Using Honeypots
honeycomb.pdf (Size: 199.35 KB / Downloads: 47)
INTRODUCTION
CURRENT network intrusion detection systems (NIDSs)
often work as misuse detectors, where the packets in the
monitored network are compared against a repository of signatures
that define characteristics of an intrusion. Successful
matches then fire alerts.
This work focuses on signature generation. At present, the
creation of these signatures is a tedious, manual process that
requires detailed knowledge of each software exploit that is
supposed to be captured. Simplistic signatures tend to generate
large numbers of false positives; overly specific ones cause false
negatives.
Connection Tracking
Honeycomb maintains state for a limited number of TCP
and UDP connections, but has rather unique requirements
concerning network connection state keeping. Since our aim is
to generate signatures by comparing new traffic on the honeypot
to previously seen traffic, we cannot release all connection
state immediately when a connection is terminated. Instead,
we only mark connections as terminated but keep them around
as long as possible, or until we can be sure that we will not
benefit from storing them any longer.
Protocol Analysis
After updating connection state, Honeycomb creates an
empty signature record for the flow and starts inspecting the
packet. Each signature record has a unique identifier and stores
discovered facts (i.e., characteristic properties) about the currently
investigated traffic independently of any particular NIDS
signature language. The signature record is then augmented
continuously throughout the detection process, maintaining a
count of the number of facts recorded.
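As an added illustration (not code from the paper or from the Honeycomb project), here is a small Python model of the two mechanisms quoted above: a connection table that marks flows as terminated but evicts them only when room is needed for a new flow, and a signature record that accumulates facts as a packet is inspected. Comparing the new flow against stored flows is done here with a longest-common-substring search, which is my choice for the example; the sample packets, the capacity limit, the minimum pattern length and all class and function names are constructed for the example and are not the paper's.

```python
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, List, Tuple

# Constructed sample traffic, not real captures:
# (proto, src, sport, dst, dport, payload, fin)
Packet = Tuple[str, str, int, str, int, bytes, bool]
ConnKey = Tuple[str, str, int, str, int]

MIN_PATTERN_LEN = 8   # assumption: shortest byte string worth reporting as content
MAX_CONNECTIONS = 4   # assumption: tiny capacity so eviction is exercised

SAMPLE_PACKETS: List[Packet] = [
    ("tcp", "10.0.0.5", 40001, "10.0.0.1", 80, b"GET /index.html HTTP/1.0\r\n", True),
    ("tcp", "10.0.0.7", 40002, "10.0.0.1", 80, b"GET /default.ida?XXXXXXXXXXXX HTTP/1.0\r\n", False),
    ("tcp", "10.0.0.9", 40003, "10.0.0.1", 80, b"GET /default.ida?XXXXXXXXXXXX HTTP/1.0\r\n", False),
]


@dataclass
class Connection:
    key: ConnKey
    payload: bytes = b""
    terminated: bool = False   # set on FIN, but the entry is kept for later comparison
    seq: int = 0               # insertion order, so the oldest entry is evicted first


@dataclass
class SignatureRecord:
    sig_id: int
    facts: Dict[str, object] = field(default_factory=dict)

    def add_fact(self, name: str, value: object) -> None:
        self.facts[name] = value

    @property
    def fact_count(self) -> int:
        return len(self.facts)


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Classic O(len(a)*len(b)) dynamic programme; fine for honeypot-sized payloads."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


class Honeycomb:
    def __init__(self, max_connections: int = MAX_CONNECTIONS) -> None:
        self.max_connections = max_connections
        self.connections: Dict[ConnKey, Connection] = {}
        self._seq = count()
        self._sig_ids = count(1)
        self.records: List[SignatureRecord] = []

    def _make_room(self) -> None:
        if len(self.connections) < self.max_connections:
            return
        # Prefer evicting terminated flows, oldest first; live flows only as a last resort.
        victim = min(self.connections.values(), key=lambda c: (not c.terminated, c.seq))
        del self.connections[victim.key]

    def _track(self, proto, src, sport, dst, dport, payload, fin) -> Connection:
        key: ConnKey = (proto, src, sport, dst, dport)
        conn = self.connections.get(key)
        if conn is None:
            self._make_room()
            conn = Connection(key, seq=next(self._seq))
            self.connections[key] = conn
        conn.payload += payload
        if fin:
            conn.terminated = True   # mark only; state is released by eviction, not here
        return conn

    def inspect(self, pkt: Packet) -> SignatureRecord:
        proto, src, sport, dst, dport, payload, fin = pkt
        conn = self._track(proto, src, sport, dst, dport, payload, fin)
        rec = SignatureRecord(next(self._sig_ids))      # empty record with a unique id
        rec.add_fact("proto", proto)
        rec.add_fact("dport", dport)
        # Compare the flow against every other stored flow to the same service.
        best = b""
        for other in self.connections.values():
            if other is conn or other.key[0] != proto or other.key[4] != dport:
                continue
            common = longest_common_substring(conn.payload, other.payload)
            if len(common) > len(best):
                best = common
        if len(best) >= MIN_PATTERN_LEN:
            rec.add_fact("content", best)
        self.records.append(rec)
        return rec


if __name__ == "__main__":
    hc = Honeycomb()
    for p in SAMPLE_PACKETS:
        r = hc.inspect(p)
        print(r.sig_id, r.fact_count, r.facts)
```

Running it on the constructed packets shows the trade-off from the introduction: the second flow, compared only with a benign request, yields the generic pattern ` HTTP/1.0\r\n`, which would be a simplistic, false-positive-prone signature, while the third flow, which repeats the second, yields the full request as a precise content fact. Because the first flow was marked terminated rather than dropped, it is still available for comparison until the table needs the slot.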
SUMMARY
We have presented Honeycomb, a system that can produce
NIDS signatures automatically by analyzing traffic on a honeypot.
The system produces good-quality signatures on a typical
end user's Internet connection. The system is particularly
good at producing signatures for worms: the signatures
for Slammer and CodeRed II are extremely precise and were
produced without any specific knowledge hardcoded into the
system.