Current network intrusion detection systems work on misuse detectors, where the jackets in the monitored network are compared against a repository of signatures. But, we focus on automatic signature generation from malicious network traffic. Our proposed system inspects honeymoon traffic and generates intrusion signatures for unknown traffic. The signature is based on traffic patterns, using Longest Common Substring (LLC) algorithm.
It is noteworthy that our system is a plugging to honeyed - a low interaction honeymoon. The system's output is a file containing honeymoon intrusion signatures in pseudonym format.Signature generation system has been implemented for Linux Operating System (SO) but due to the common use of Windows SO, we implement for Windows SO, using C programming language. Keywords: honeymoon, honeyed, Intrusion Detection System (IDS), Longest Common Substring (LLC) algorithm, signature 1. Introduction Today, in order to reduce the effects of network attacks and prevent network intrusion, many security equipment designed and implemented. One of them is honeymoon that offers a variety of services and attracts attackers.
In this paper, we obtain patterns from honesty's traffic on basis of packets sent to ultimate hosts from attackers, have approximately similar content. Then from these patterns we generate signatures. The system's output is a file containing intrusion signatures in pseudo- snort format. As illustrated in Fig.
1, our proposed system is a plugging to honeyed- low interaction homeopath designs appropriate responses based on these signatures [3]. Also, these signatures can be used to filter the traffic directed towards the honeymoon, in order to reduce the amount of traffic needed to be processed by the honeymoon sensors.Fig. 1- Honeyed and proposed system 2. Data and materials 2.
1 . Honeymoon As mentioned in [2], honeymoon is a special machine on the network which used as a trap for attackers. Deliberately, operating systems infected by Trojan, backdoor or weak servers are installed on it to interact and engage attackers. 0 Types of honeymoons[5,6] 0 Honeymoons in terms of reality o Physical honeymoons A physical honeymoon is a real machine in network which has a particular IP address.
O Virtual honeymoons A virtual honeymoon is simulated by another machine. 0 Honeymoons in terms of interaction by attacker o Low interaction honeymoonsA low-interaction honeymoon will typically run or emulate a small number of services on a real or emulated operating system. O High interaction honeymoons A high-interaction honeymoon is often a real computer running a real operating system. 2.
2. Honeyed Honeyed is an Pounces low-interaction honeymoon implemented for UNIX and Windows Operating Systems (SO) [1]. Every attacker intends to communicate network with useless Internet Protocol (P) Address, honeyed disconnects this connection and interacts with him. Honeyed is a framework for virtual honeymoons which allows hosannas of IP addresses communicate with virtual machines.Thus, it should be able to simulate network topology. According to Figure 2, honeyed is a central machine which captures the traffic directed towards the virtual honeymoons and simulates appropriate responses [7].
Fig. 2- honeyed as a central machine 2. 3. Longest Common Substring of Two Strings [10] The longest common substring of two strings SSL, SO will be denoted by LLC(IS, SO).
= {contumaciously}, SO = {contumaciously}. Their LLC(IS , SO) is the set formed Let SSL by strings {centum} and {joyously}, both with 6 characters each.When there is no moon substring, LLC(IS , SO) is {null}. Consider the following example to realize LLC algorithm: Example. Given three strings SSL = {abaca}, SO = {bad} and SO = {acid}. The set of terminal symbols will be {$,#}; symbol % is the terminal symbol needed for constructing the suffix tree.
The resulting suffix tree T (SSL $1 SO#SO) = T (abaca $bad#acid) is shown in Figure 3. Fig. 3- Generalized suffix tree of a set of strings In order to solve the LLC problem, we Just build the generalized tree of strings SSL and SO, T (SSL $SO).When constructing it, mark each internal node with a label 1 or 2, pending on what string the current suffix is from.
For example, in Figure 3 there is an internal node marked with three labels, 1, 2, and 3, showing a common substring to SSL, SO and SO, namely, string {a}. The leaves of the substrate rooted at that internal node posses numbers from the 76 Suffix Trees and its Applications three strings SSL, SO and SO. Other internal nodes are Just marked with two numbers such as the corresponding to string {baa} or string {c}.Therefore, a path-label composed of internal nodes marked with both numbers will spell out a common substring to SSL and SO. Finding LLC (SSL, SO) is achieved by Just outputting the deepest string in the tree whose edges are both marked by 1 and 2. 2.
4. Syncing [4] Syncing is a UNIX-compatible environment that runs on Windows systems. It consists of syncing . Doll, a library that takes POSIX calls and translates them into Win calls; a shell (GNU BASH, the shell used on most Linux systems, is the default); an implementation of the X Window System and, of course, ICC.Fig.
4- Syncing 3. Research Methodology 3. 1 . System Architecture The proposed system architecture consists of following parts: 0 Local Control Unit Analysis Unit 0 Communication Unit 0 Database 0 Known-Attack Filter 0 Network Intrusion Prevention System 0 Global Control Unit Fig.
5- Proposed System Architecture 0 Local Control Unit This unit has a simplified version that is only able to receive signature updates from the Global Control Unit (GU) and use these in NIPS to protect the production network.But in a complicated version, LLC consists of behind units: 0 Analysis Unit - AU The Auk's main task is to correlate the incoming honeymoon events and create signatures for possible worms. When receiving new events from a honeymoon, the allowing procedure is executed: 0 Step 1: The incoming events are stored in the log database and correlated with older events. If a similar chain of events has been received a certain number of times before, it is assumed that the events are caused by a worm and step 2 is carried out. If not, the events are simply stored and the AU returns to idle state.
Step 2: The network packets causing the same chain of events are compared. If a common substring (larger than a given threshold) is found between these traffic traces, a signature is created. Step 3: Before storing the newly generated signature in the database, it is compared with the already existing ones. It can then either be stored directly in the database as a new entry or help to improve one of the older ones.
0 Communication unit - CUE The Cuss main purpose is to exchange signatures with the GU as well as issuing signature updates to the AKA filter and NIPS. Databases The signature database is used to store locally generated as well as received signatures. The log database is used to store the logged events along with relevant data. 0 Known-Attack Filter - AKA Filter The main purpose of the AKA filter is to look for known attacks (based on the signatures received from the LLC) in the traffic directed towards the honeymoons. Network Intrusion Prevention System - NIPS The NIPS is placed in the system to protect the production network.
It can filter traffic that is unwanted based on certain ports as specified by the network administrator, as well as traffic that have been declared malicious as a result of signature updates from the LLC. Similar to the AKA filter, it is also possible for the NIPS to report back to the LLC on the activity level of the received signatures. Global Control Unit - GU The GU serves as a central signature storage and distribution unit. It receives signature updates from the distributed Locus and is able to correlate received data from different locations to compose improved signatures.Based on the received data, it issues periodic updates to the Locus. As the GU is a potential single point-failure and the effects can be catastrophic if it is compromised, the requirements regarding security are strict.
All communication between the GU and Locus should be authenticated and encrypted in order to avoid forged signature updates. . 2. Implementation The implementation is based on traffic patterns, using LLC algorithm. Our system output is a file containing honeyed intrusion signatures in pseudo- snort format to filter unwanted production network traffic.
Also the proposed architecture introduces the use of a Known-Attack (AKA) filter. The main purpose of this filter is to remove known attacks from the traffic directed towards the honeymoons. This filter reduces the amount of traffic needed to be processed by the honeymoon sensors. Signature generation system implemented in Linux SO, but due to the common use f Windows SO, our implementation is in Windows SO, using C programming language.
According to [1, 8, 1 1], for implementing the system we use below items: 1 . Wingtip to capture packets 2. Syncing compiler 3.