ABSTRACT
One way to learn more about how a malicious program functions and what its objectives are is to deceive it with fake services whose responses contain fabricated data. This goal can be achieved with a so-called record-and-play honeypot, which learns what normal communication between clients and a server looks like and then tries to mimic it, while fabricating the contents of its responses so that they contain fake data. This paper outlines and presents the challenges faced in the practical development of such a honeypot. Some solutions and recommendations that mitigate the identified problems are also considered.
Index Terms
- Practical challenges in building fake services with the record and play approach