Nothing Special   »   [go: up one dir, main page]
Skip to main content
Springer Nature Link
Log in

Automatic Handling of Protocol Dependencies and Reaction to 0-Day Attacks with ScriptGen Based Honeypots

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2006)

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 4219))

Included in the following conference series:

Abstract

Spitzner proposed to classify honeypots into low, medium and high interaction ones. Several instances of low interaction exist, such as honeyd, as well as high interaction, such as GenII. Medium interaction systems have recently received increased attention. ScriptGen and RolePlayer, for instance, are as talkative as a high interaction system while limiting the associated risks. In this paper, we do build upon the work we have proposed on ScriptGen to automatically create honeyd scripts able to interact with attack tools without relying on any a-priori knowledge of the protocols involved. The main contributions of this paper are threefold. First, we propose a solution to detect and handle so-called intra-protocol dependencies. Second, we do the same for inter-protocols dependencies. Last but not least, we show how, by modifying our initial refinement analysis, we can, on the fly, generate new scripts as new attacks, i.e. 0-day, show up. As few as 50 samples of attacks, i.e. less than one per platform we have currently deployed in the world, is enough to produce a script that can then automatically enrich all these platforms.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Spitzner, L.: Honeypots: Tracking Hackers. Addison-Welsey, Boston (2002)

    Google Scholar 

  2. Provos, N.: A virtual honeypot framework. In: Proceedings of the 12th USENIX Security Symposium, pp. 1–14 (2004)

    Google Scholar 

  3. Dacier, M., Pouget, F., Debar, H.: Attack processes found on the internet. In: NATO Symposium IST-041/RSY-013, Toulouse, France (2004)

    Google Scholar 

  4. Dacier, M., Pouget, F., Debar, H.: Honeypots, a practical mean to validate malicious fault assumptions. In: Proceedings of the 10th Pacific Ream Dependable Computing Conference (PRDC 2004), Tahiti (2004)

    Google Scholar 

  5. Dacier, M., Pouget, F., Debar, H.: Honeypot-based forensics. In: Proceedings of AusCERT Asia Pacific Information Technology Security Conference 2004, Brisbane, Australia (2004)

    Google Scholar 

  6. Dacier, M., Pouget, F., Debar, H.: Towards a better understanding of internet threats to enhance survivability. In: Proceedings of the International Infrastructure Survivability Workshop 2004 (IISW 2004), Lisbonne, Portugal (2004)

    Google Scholar 

  7. Dacier, M., Pouget, F., Debar, H.: Leurre.com: On the advantages of deploying a large scale distributed honeypot platform. In: Proceedings of the E-Crime and Computer Conference 2005 (ECCE 2005), Monaco (2005)

    Google Scholar 

  8. Dacier, M., Pouget, F., Debar, H.: Honeynets: foundations for the development of early warning information systems. In: Kowalik, J., Gorski, J., Sachenko, A. (eds.) Proceedings of the Cyberspace Security and Defense: Research Issues (2005)

    Google Scholar 

  9. CERT: Cert advisory ca-2003-20 w32/blaster worm (2003)

    Google Scholar 

  10. Leita, C., Mermoud, K., Dacier, M.: Scriptgen: an automated script generation tool for honeyd. In: Proceedings of the 21st Annual Computer Security Applications Conference (2005)

    Google Scholar 

  11. Needleman, S., Wunsch, C.: A general method applicable to the search for similarities in the amino acid sequence of two proteins. J. Mol. Biol. 48(3), 443–453 (1970)

    Article  Google Scholar 

  12. Cui, W., Vern, P., Weaver, N., Katz, R.H.: Protocol-independent adaptive replay of application dialog. In: The 13th Annual Network and Distributed System Security Symposium (NDSS) (2006)

    Google Scholar 

  13. Freiling, F.C., Holz, T., Wicherski, G.: Botnet tracking: Exploring a root-cause methodology to prevent distributed denial-of-service attacks. LNCS, pp. 319–335. Springer, Heidelberg (2005)

    Google Scholar 

  14. The Honeynet Project: Know your enemy: Tracking botnets. Know Your Enemy Whitepapers (2005)

    Google Scholar 

  15. Massicotte, F., Couture, M., De Montigny-Leboeuf, A.: Using a vmware network infrastructure to collect traffic traces for intrusion detection evaluation. In: Proceedings of the 21st Annual Computer Security Applications Conference (2005)

    Google Scholar 

  16. OSVDB: Microsoft windows lsass remote overflow (2006), http://www.osvdb.org/5248

  17. OSVDB: Microsoft pnp ms05-039 overflow (2005), http://www.osvdb.org/18605

Download references

Author information

Authors and Affiliations

  1. Institut Eurecom, Sophia Antipolis, France

    Corrado Leita & Marc Dacier

  2. Communications Research Centre, Ottawa, Canada

    Frederic Massicotte

Authors
  1. Corrado Leita
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Marc Dacier
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Frederic Massicotte
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. IBM Research Laboratory, Säumerstr. 4, 8803, Rüschlikon, Switzerland

    Diego Zamboni

  2. Secure Systems Lab, Technical University of Vienna, 1040, Vienna, Austria

    Christopher Kruegel

Rights and permissions

Reprints and permissions

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Leita, C., Dacier, M., Massicotte, F. (2006). Automatic Handling of Protocol Dependencies and Reaction to 0-Day Attacks with ScriptGen Based Honeypots. In: Zamboni, D., Kruegel, C. (eds) Recent Advances in Intrusion Detection. RAID 2006. Lecture Notes in Computer Science, vol 4219. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11856214_10

Download citation

  • DOI: https://doi.org/10.1007/11856214_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-39723-6

  • Online ISBN: 978-3-540-39725-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation