(WHASG) Automatic SNORT Signatures Generation by using Honeypot

An intrusion detection system (IDS) is an important network security component used to monitor network traffic and detect attack attempts. A signature-based IDS relies on a set of predefined signatures to detect an attack. A conventional IDS therefore cannot detect "zero-day" attacks (i.e., new, unknown attacks) until its signatures are updated. Writing efficient new signatures to update the IDS signature database requires that the attack first be detected, then studied and analyzed. These new rules should be general enough to cover any modification of the attack pattern, yet specific enough that normal traffic remains unblocked. Writing these signatures manually so that they work properly requires significant effort, time and knowledge. In this paper, a web-based honeypot is used to automatically generate SNORT intrusion detection system signatures (rules) for HTTP traffic. These new rules are integrated into the IDS signature database. We then verify the efficiency of the modified rules and show that the new rules are able to detect and block these attacks.
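The following is an added example, not code from the paper, whose own generation algorithm is not described on this page. It assumes a longest-common-substring heuristic over constructed honeypot URIs to illustrate the general-versus-specific trade-off described above, and renders the result as a Snort 2.x rule; all function names and sample data are hypothetical.

```python
from difflib import SequenceMatcher
from functools import reduce

# Constructed sample data (not from the paper): URIs a web honeypot might log
# for one attack family, and URIs from normal traffic to the same site.
HONEYPOT_URIS = [
    "/index.php?page=../../../../etc/passwd",
    "/view.php?file=../../../../etc/passwd%00",
    "/inc/load.php?tpl=../../../../etc/passwd&x=1",
]
BENIGN_URIS = ["/index.php?page=home", "/view.php?file=report.pdf"]

def common_substring(a, b):
    """Longest contiguous substring shared by a and b."""
    m = SequenceMatcher(None, a, b, autojunk=False).find_longest_match(0, len(a), 0, len(b))
    return a[m.a:m.a + m.size]

def extract_token(attack_uris, benign_uris, min_len=6):
    """Return a substring present in every attack URI, or None if it is too
    short (too general) or also occurs in benign traffic (false positives)."""
    token = reduce(common_substring, attack_uris)
    if len(token) < min_len:
        return None
    if any(token.lower() in uri.lower() for uri in benign_uris):
        return None
    return token

def snort_content(token):
    """Encode a token for a Snort content option: bytes that are special to
    the rule parser or non-printable are written in |hex| form."""
    out = []
    for byte in token.encode("utf-8"):
        ch = chr(byte)
        out.append(ch if 0x20 <= byte < 0x7F and ch not in '";:\\|' else f"|{byte:02X}|")
    return "".join(out)

def build_rule(token, sid):
    """Render a Snort 2.x rule; sid should be >= 1000000 (local rule range)."""
    return ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
            '(msg:"Honeypot-derived HTTP URI signature"; flow:to_server,established; '
            f'content:"{snort_content(token)}"; http_uri; nocase; '
            f'classtype:web-application-attack; sid:{sid}; rev:1;)')

if __name__ == "__main__":
    token = extract_token(HONEYPOT_URIS, BENIGN_URIS)
    print(build_rule(token, 1000001) if token else "no usable signature")
```

A generated rule should be replayed against captured attack and benign traffic before it is merged into the production rule set, since `http_uri` matches Snort's normalized URI buffer rather than the raw bytes.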
