Journal article

BARABAS Maroš, DROZD Michal and HANÁČEK Petr. Behavioral signature generation using shadow honeypot. World Academy of Science, Engineering and Technology. 2012, vol. 2012, no. 65, pp. 829-833. ISSN 2010-376X. Available from: http://www.waset.org/journals/waset/v65/v65-163.pdf
Publication language: English
Original title: Behavioral signature generation using shadow honeypot
Title (cs): Generace signatur chování použitím shadow honeypotu
Pages: 829-833
Place: US
Year: 2012
URL: http://www.waset.org/journals/waset/v65/v65-163.pdf
Journal: World Academy of Science, Engineering and Technology, Vol. 2012, No. 65, US
ISSN: 2010-376X
Files: ICCNSS_2012.pdf (414 KB, last modified 2012-01-05 13:42:15)
Keywords
behavioral signatures, metrics, network, security design
Annotation
The main goal is to present a new method of detecting zero-day buffer overflow vulnerabilities. The method is based on signature generation from network traffic. We provide a detection model in which honeypot systems generate detection profiles. In this article we present 112 metrics that are used to characterize malware in network traffic and demonstrate the method on two examples: an exploited buffer overflow vulnerability in an FTP server and a publicly known internet worm, Conficker.
Abstract
A novel behavioral detection framework is proposed to detect zero-day buffer overflow vulnerabilities (based on network behavioral signatures) using zero-day exploits, instead of the signature-based or anomaly-based detection solutions currently available for IDPS techniques. First we present a detection model that uses a shadow honeypot. Our system is used for online processing of network attacks and for generating a behavioral detection profile. The detection profile is a dataset of 112 types of metrics describing the exact behavior of malware in the network. In this paper we present examples of generating behavioral signatures for two attacks - a buffer overflow exploit on an FTP server and the well-known Conficker worm. We demonstrate the visualization of important aspects by showing the differences between valid behavior and the attacks. Based on these metrics we can detect attacks with a very high probability of success; the detection process is, however, very expensive.
BibTeX:
@ARTICLE{
   author = {Maro{\v{s}} Barabas and Michal Drozd and Petr Han{\'{a}}{\v{c}}ek},
   title = {Behavioral signature generation using shadow honeypot},
   pages = {829--833},
   journal = {World Academy of Science, Engineering and Technology},
   volume = {2012},
   number = {65},
   year = {2012},
   ISSN = {2010-376X},
   language = {english},
   url = {http://www.fit.vutbr.cz/research/view_pub.php?id=9852}
}
