Honeycomb Creating Intrusion Detection Signatures Using Honeypots - PowerPoint PPT Presentation

1 / 17
About This Presentation
Title:

Honeycomb Creating Intrusion Detection Signatures Using Honeypots

Description:

Handshake table. Established table. 9. Tracking Connection (contd.) 10. Protocol Analysis ... Improve signature pool queue. Drop old signature and add new one ... – PowerPoint PPT presentation

Number of Views:72
Avg rating:3.0/5.0
Slides: 18
Provided by: sarmav
Category:

less

Transcript and Presenter's Notes

Title: Honeycomb Creating Intrusion Detection Signatures Using Honeypots


1
Honeycomb Creating Intrusion Detection
Signatures Using Honeypots
  • Christian Kreibich, Jon Crowcroft
  • Presented by
  • Sarma Vangala

2
Introduction
  • Automated signature generation in real time
  • Good signature should be narrow enough and
    flexible
  • Signature generation using honeypots
  • Extension of honeyd
  • Signatures generated from traffic and does not
    use previous history

3
Motivation
  • Automatic generation of intrusion detection
    signatures in real time for existing and future
    attacks

4
Overview
  • Honeycomb architecture
  • Signature creation algorithm
  • Connection tracking
  • Protocol analysis
  • Pattern detection in flows
  • Signature reporting
  • Evaluation and results
  • Conclusions

5
Honeycomb architecture
  • Implemented as honeyd plugin

6
Signature Creation Algorithm
  • To detect novel attacks, keep system free of
    history
  • Each packet goes through same sequence of steps

7
Signature Creation (contd.)
8
Tracking Connection
  • Cannot maintain state of all connections
  • Cannot release connection state immediately after
    termination mark connections terminated
  • Two stage connection state storage (upto a
    certain maximum number of bytes) with flow
    reassembly
  • Handshake table
  • Established table

9
Tracking Connection (contd.)
10
Protocol Analysis
  • Empty signature record with ID for each flow
  • Header-walking technique of Handley, Paxson to
    generate signatures for each anomaly found for
    each protocol (Analysis Signature)
  • Header comparison with each stored connection of
    same type compare the message signatures of two
  • Match ? Update discovered facts into new
    signature

11
Pattern Detection in Flow
  • Ukkonen LCS algorithm to strings built on
    exchanged messages
  • Applied in two ways horizontal and vertical

12
Horizontal Detection
13
Vertical Detection
14
Signature Reporting
  • No facts stop processing
  • Improve signature pool queue
  • Drop old signature and add new one
  • Drop send to output for storage
  • Signature reporting in Bro or pseudo-snort format

15
Evaluation and Results
  • Days traffic trace to a honeypot
  • 557 TCP, 145 UDP and 27 ICMP connections

16
Results (contd.)
  • Longest string for worm traffic
  • Worm signatures showed more of payload than HTTP
    get

17
Conclusion
  • First step towards automated signature detection
    using honeypots
  • No measure of processing time to generate
    signatures and not enough statistics to prove the
    importance of the approach
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Honeycomb Creating Intrusion Detection Signatures Using Honeypots" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!