Improving Honeyd for Automatic Generation of Attack Signatures
International Journal of Intelligent Information Systems
Volume 3, Issue 6-1, December 2014, Pages: 23-27
Received: Oct. 7, 2014; Accepted: Oct. 11, 2014; Published: Oct. 20, 2014
Views 3677      Downloads 159
Motahareh Dehghan, Department of Computer Engineering and Information Technology, Amirkabir University of Technology (AUT), Tehran, Iran
Babak Sadeghiyan, Department of Computer Engineering and Information Technology, Amirkabir University of Technology (AUT), Tehran, Iran
Article Tools
Follow on us
In this paper, we design and implement a new Plugin to Honeyd which generates attack signature, automatically. Current network intrusion detection systems work on misuse detectors, where the packets in the monitored network are compared against a repository of signatures. But, we focus on automatic signature generation from malicious network traffic. Our proposed system inspects honeypot traffic and generates intrusion signatures for unknown traffic.The signature is based on traffic patterns, using Longest Common Substring (LCS) algorithm. It is noteworthy that our system is a plugin to honeyd - a low interaction honeypot. The system's output is a file containing honeypot intrusion signatures in pseudo-snort format. Signature generation system has been implemented for Linux Operating System (OS) but due to the common use of Windows OS, we implement for Windows OS, using C programming language.
Honeypot, Honeyd, Signature, Intrusion Detection System (IDS), Longest Common Substring (LCS) Algorithm
To cite this article
Motahareh Dehghan, Babak Sadeghiyan, Improving Honeyd for Automatic Generation of Attack Signatures, International Journal of Intelligent Information Systems. Special Issue: Research and Practices in Information Systems and Technologies in Developing Countries. Vol. 3, No. 6-1, 2014, pp. 23-27. doi: 10.11648/j.ijiis.s.2014030601.14
Vusal Aliyev, “Using honeypots to study skill level of attackers based on the exploited vulnerabilities in the network”. Master of Science Thesis in the Master Degree Programme, Secure and Dependable Computer Systems, Department of Computer Science and Engineering Division of Computer Security. Goteborg, Sweden, 2010.
Grønland, Vidar Ajaxon. "Building IDS rules by means of a honeypot". Master’s Thesis, Master of Science in Information Security, Department of Computer Science and Media Technology Gjøvik University College, 2006.
Noordin, Yusuff, Mohamed. "HONEYPOTS REVEALED". IT Security Officer. Specialist Dip. Info Security, MA. Internet Security Mgmt.
Mark Meijerink, Jonel Spellen. "Intrusion Detection System honeypots". Master Program System and Network Administration, University of Amsterdam, 2006.
Baumann, Reto. "Honeyd – A low involvement Honeypot in Action". Originally published as part of the GCIA (GIAC Certified Intrusion Analyst) practical, 2003.
Provos, Niels. "Honeyd- A Virtual Honeypot Daemon". Center for Information Technology Integration, University of Michigan. 2003.
Sung, Wing-Kin; Melvin, Zhang Zhiyong. "Suffix Tree and Suffix Array". Knowledge Discovery and Data Mining Conference,2005.
Moody, George. "An Introduction To Cygwin". Harvard-MIT Division of Health Sciences and Technology.
Provos, Niels; Mathewson, Nick. "Libevent – an event notification library", 2011. URL:
Van Rossum, Guido; "Introduction to Python". LinuxWorld, New York City, Documented in 2002.
Libevent – an event notification library:
Christian Kreibich; libstree: libstree .
Roesch,Martin; Green, Chris. "SNORT Users Manual 2.8.5", The Snort Project (, 2009.
Science Publishing Group
1 Rockefeller Plaza,
10th and 11th Floors,
New York, NY 10020
Tel: (001)347-983-5186