Honeycomb Creating Intrusion Detection Signatures Using Honeypots - PowerPoint PPT Presentation


1
Honeycomb Creating Intrusion Detection
Signatures Using Honeypots
  • Christian Kreibich, Jon Crowcroft
  • Presented by
  • Sarma Vangala

2
Introduction
  • Automated signature generation in real time
  • A good signature should be narrow (specific) yet
    flexible
  • Signature generation using honeypots
  • Extension of honeyd
  • Signatures are generated from observed traffic and
    do not use previous history

3
Motivation
  • Automatic generation of intrusion detection
    signatures in real time for existing and future
    attacks

4
Overview
  • Honeycomb architecture
  • Signature creation algorithm
  • Connection tracking
  • Protocol analysis
  • Pattern detection in flows
  • Signature reporting
  • Evaluation and results
  • Conclusions

5
Honeycomb architecture
  • Implemented as honeyd plugin

6
Signature Creation Algorithm
  • To detect novel attacks, keep the system free of
    history
  • Each packet goes through the same sequence of steps

7
Signature Creation (contd.)
8
Tracking Connection
  • Cannot maintain state for all connections
  • Cannot release connection state immediately after
    termination; instead, mark connections as terminated
  • Two-stage connection state storage (up to a
    certain maximum number of bytes) with flow
    reassembly
  • Handshake table
  • Established table

9
Tracking Connection (contd.)
10
Protocol Analysis
  • Empty signature record with ID for each flow
  • Header-walking technique of Handley and Paxson to
    generate a signature for each anomaly found in
    each protocol (analysis signature)
  • Header comparison with each stored connection of
    the same type: compare the message signatures of the two
  • Match? Update the discovered facts into the new
    signature

11
Pattern Detection in Flow
  • Ukkonen's longest common substring (LCS) algorithm
    applied to strings built from the exchanged messages
  • Applied in two ways: horizontal and vertical

12
Horizontal Detection
13
Vertical Detection
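The horizontal and vertical pattern detection of slides 11 to 13 and the pseudo-Snort reporting of slide 14, as an added worked example that is not Honeycomb's own code. A plain dynamic-programming LCS stands in for the Ukkonen suffix-tree construction Honeycomb uses (same resulting substring); the two flows, the `ProbeBot` user agent and the rule template are constructed for illustration.

```python
# Added example (not Honeycomb's code): longest-common-substring (LCS)
# detection over two honeypot flows, horizontally (message n of flow A
# vs message n of flow B) and vertically (whole flow vs whole flow).
# O(n*m) dynamic programming replaces Ukkonen's suffix tree here.

def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Return the longest byte string that occurs in both a and b."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)   # prev[j]: match run ending at a[i-2], b[j-1]
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]

def horizontal_detect(flow_a, flow_b, min_len=12):
    """Compare message n of one flow with message n of the other."""
    hits = []
    for msg_a, msg_b in zip(flow_a, flow_b):
        s = longest_common_substring(msg_a, msg_b)
        if len(s) >= min_len:       # discard short, noisy matches
            hits.append(s)
    return hits

def vertical_detect(flow_a, flow_b, min_len=12):
    """Concatenate each flow's messages and compare the whole strings."""
    s = longest_common_substring(b"".join(flow_a), b"".join(flow_b))
    return s if len(s) >= min_len else b""

def pseudo_snort_rule(sid, pattern: bytes) -> str:
    """Render a pseudo-Snort content match; bytes that are not printable
    ASCII or that Snort treats specially are written as |XX| hex blocks."""
    content = "".join(chr(c) if 32 <= c < 127 and c not in b'"|;\\'
                      else "|%02X|" % c for c in pattern)
    return ('alert tcp any any -> any 80 (msg:"Honeycomb sig %d"; '
            'content:"%s"; sid:%d;)' % (sid, content, sid))

# Constructed flows: [client request, server reply] for two probes that
# differ in path and reply but share the same client fingerprint.
FLOW_A = [b"GET /a.html HTTP/1.0\r\nHost: honeypot\r\nUser-Agent: ProbeBot/1.0\r\n\r\n",
          b"HTTP/1.0 404 Not Found\r\n\r\n"]
FLOW_B = [b"GET /b/page.html HTTP/1.0\r\nHost: honeypot\r\nUser-Agent: ProbeBot/1.0\r\n\r\n",
          b"HTTP/1.0 200 OK\r\n\r\n"]

if __name__ == "__main__":
    for s in horizontal_detect(FLOW_A, FLOW_B):
        print(pseudo_snort_rule(1, s))
    print(pseudo_snort_rule(2, vertical_detect(FLOW_A, FLOW_B)))
```

Horizontal detection keeps only the request-side match (the reply-side overlap `HTTP/1.0 ` is shorter than `min_len`), while vertical detection runs across the message boundary and so yields a longer pattern.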
14
Signature Reporting
  • No facts discovered: stop processing
  • Otherwise, improve the signature pool (a queue)
  • Drop the oldest signature and add the new one
  • On drop, send the signature to the output for storage
  • Signature reporting in Bro or pseudo-Snort format

15
Evaluation and Results
  • Day's traffic trace to a honeypot
  • 557 TCP, 145 UDP and 27 ICMP connections

16
Results (contd.)
  • Longest strings were found for worm traffic
  • Worm signatures captured more of the payload than
    the HTTP GET

17
Conclusion
  • First step towards automated signature generation
    using honeypots
  • No measurement of the processing time needed to
    generate signatures, and not enough statistics to
    prove the importance of the approach