Automatic handling of protocol dependencies and reaction to 0-day attacks with ScriptGen based honeypots

Corrado Leita, Marc Dacier, Frederic Massicotte

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

26 Citations (Scopus)

Abstract

Spitzner proposed to classify honeypots into low, medium and high interaction ones. Several instances of low interaction exist, such as honeyd, as well as high interaction, such as GenII. Medium interaction systems have recently received increased attention. ScriptGen and RolePlayer, for instance, are as talkative as a high interaction system while limiting the associated risks. In this paper, we do build upon the work we have proposed on ScriptGen to automatically create honeyd scripts able to interact with attack tools without relying on any a priori knowledge of the protocols involved. The main contributions of this paper are threefold. First, we propose a solution to detect and handle so-called intra-protocol dependencies. Second, we do the same for inter-protocol dependencies. Last but not least, we show how, by modifying our initial refinement analysis, we can, on the fly, generate new scripts as new attacks, i.e. 0-day, show up. As few as 50 samples of attacks, i.e. less than one per platform we have currently deployed in the world, is enough to produce a script that can then automatically enrich all these platforms.

Original language: English
Title of host publication: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Pages: 185-205
Number of pages: 21
Volume: 4219 LNCS
Publication status: Published - 2006
Externally published: Yes
Event: 9th International Symposium on Recent Advances in Intrusion Detection, RAID 2006 - Hamburg
Duration: 20 Sep 2006 to 22 Sep 2006

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 4219 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

ASJC Scopus subject areas

  • Computer Science(all)
  • Biochemistry, Genetics and Molecular Biology(all)
  • Theoretical Computer Science

Cite this

Leita, C., Dacier, M., & Massicotte, F. (2006). Automatic handling of protocol dependencies and reaction to 0-day attacks with ScriptGen based honeypots. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 4219 LNCS, pp. 185-205). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 4219 LNCS).

@inproceedings{5b95e288c8414237a0f453a11756dedf,
title = "Automatic handling of protocol dependencies and reaction to 0-day attacks with ScriptGen based honeypots",
abstract = "Spitzner proposed to classify honeypots into low, medium and high interaction ones. Several instances of low interaction exist, such as honeyd, as well as high interaction, such as GenII. Medium interaction systems have recently received increased attention. ScriptGen and RolePlayer, for instance, are as talkative as a high interaction system while limiting the associated risks. In this paper, we do build upon the work we have proposed on ScriptGen to automatically create honeyd scripts able to interact with attack tools without relying on any a priori knowledge of the protocols involved. The main contributions of this paper are threefold. First, we propose a solution to detect and handle so-called intra-protocol dependencies. Second, we do the same for inter-protocol dependencies. Last but not least, we show how, by modifying our initial refinement analysis, we can, on the fly, generate new scripts as new attacks, i.e. 0-day, show up. As few as 50 samples of attacks, i.e. less than one per platform we have currently deployed in the world, is enough to produce a script that can then automatically enrich all these platforms.",
author = "Corrado Leita and Marc Dacier and Frederic Massicotte",
year = "2006",
language = "English",
isbn = "354039723X",
volume = "4219 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "185--205",
booktitle = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

}
