Efficient signature production using ftp based virtual honeypot


dc.contributor.author Shafaq Munir, 01-247182-014
dc.date.accessioned 2020-12-25T02:49:11Z
dc.date.available 2020-12-25T02:49:11Z
dc.date.issued 2020
dc.identifier.uri http://hdl.handle.net/123456789/10592
dc.description Supervised by Dr. Faisal Bashir en_US
dc.description.abstract Zero-day attacks are on the rise, especially after the widespread availability of online services that give attackers a way to send malicious files over the internet. Honeypots are used to isolate malicious traffic and to capture zero-day attacks. Signature-based network intrusion detection systems (NIDS) are used to identify and analyze malicious activity on the network. Signatures are patterns or strings within the malware that can be used to detect or identify its presence in network traffic. Generating signatures manually is extremely difficult and time consuming, because producing a correct signature requires dynamic analysis. Moreover, the technical skills required include in-depth knowledge of network protocols, operating systems, web, backend and mobile programming. Automating this process can therefore save significant time and technical human resources. The major focus of existing signature generation is to generate signatures that can later be verified and tested by security experts. Hence the efficiency or quality of automated signatures is low: they have a high false positive rate, the length of the signatures is not optimal, and in some cases signature generation time is large. Another notable issue is that research in this domain is mostly theoretical or simulation based, and up-to-date open source tools are not available. Most anti-malware solution providers, such as Kaspersky and McAfee, provide subscription-based signatures for the latest malware. This research proposes a methodology and test bed to generate automatic and efficient signatures using a simple string matching algorithm. Efficient signatures are generated using Longest Common Substring (LCS) together with the spamsum hash, which avoids complete string comparison, an operation that takes a lot of computation and time. Positional information is added to the signature to increase accuracy and performance. 
A Generalized Suffix Tree (GST) is created, and an algorithm traverses the tree and searches for the substrings that are present in all inputs. The GST also yields the positions of those substrings within the input strings, which can be used for sequence assembling. The complete extraction mechanism is independent of comparing strings. The length of the signature is reduced by an iterative algorithm that eliminates unnecessary substrings from the signature. To validate the proposed methodology, it is tested on data generated by a honeypot called Honeytrap. Honeytrap is a File Transfer Protocol (FTP) based honeypot that requires fewer interconnections and can collect suspected malware files. The performance of the proposed signature generation method is compared with existing techniques, and promising results are achieved. en_US
dc.language.iso en en_US
dc.publisher Bahria University Islamabad Campus en_US
dc.relation.ispartofseries MS (IS);T-010
dc.subject Information Security en_US
dc.title Efficient signature production using ftp based virtual honeypot en_US
dc.type Thesis en_US
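The core of the abstract's method, as an added illustration that is not the thesis's own code: find the substrings present in every captured sample, keep their offsets as positional information, drop substrings already covered by a longer kept one, and match in order. A brute-force substring search stands in for the Generalized Suffix Tree and spamsum steps, and the FTP command streams are constructed, not Honeytrap captures.

```python
from typing import Dict, List


def common_substrings(samples: List[bytes], min_len: int = 4) -> Dict[bytes, List[int]]:
    """Maximal substrings (>= min_len bytes) present in every sample, mapped to
    the offset at which each first occurs in each sample (positional information).
    Brute-force stand-in for the generalized-suffix-tree walk: a candidate that is
    already covered by a longer kept substring is dropped, which plays the role of
    the 'unnecessary substring' elimination the abstract describes."""
    shortest = min(samples, key=len)       # every common substring lives in it
    found: Dict[bytes, List[int]] = {}
    n = len(shortest)
    for length in range(n, min_len - 1, -1):          # longest candidates first
        for start in range(n - length + 1):
            cand = shortest[start:start + length]
            if any(cand in kept for kept in found):
                continue                               # redundant, already covered
            positions = [s.find(cand) for s in samples]
            if all(p >= 0 for p in positions):
                found[cand] = positions
    return found


def build_signature(samples: List[bytes], min_len: int = 4) -> List[bytes]:
    """Order the common substrings by where they occur in the first sample, so the
    signature encodes relative position rather than mere presence."""
    subs = common_substrings(samples, min_len)
    return sorted(subs, key=lambda sub: subs[sub][0])


def matches(signature: List[bytes], data: bytes) -> bool:
    """Detection: every substring must occur, in signature order, each one after
    the end of the previous match (like an ordered content rule in a NIDS)."""
    pos = 0
    for sub in signature:
        idx = data.find(sub, pos)
        if idx < 0:
            return False
        pos = idx + len(sub)
    return True


# Constructed FTP command streams standing in for honeypot captures (not real data).
SAMPLES = [
    b"USER anonymous\r\nPASS evil@x\r\nRETR payload.exe\r\n",
    b"USER admin\r\nPASS evil@x\r\nSTOR payload.exe\r\n",
    b"USER root\r\nPASS evil@x\r\nRETR payload.exe\r\n",
]
BENIGN = b"USER bob\r\nPASS secret\r\nRETR report.pdf\r\n"

if __name__ == "__main__":
    sig = build_signature(SAMPLES)
    print(sig, [matches(sig, s) for s in SAMPLES], matches(sig, BENIGN))
```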

