ScriptGen: An Automated Script Generation Tool for honeyd

At the 21st Annual Computer Security Applications Conference (ACSAC 2005) back in December 2005, several people from Eurecom presented a paper about automated script generation for honeyd.

The paper entitled "ScriptGen: an automated script generation tool for honeyd" by Corrado Leita, Ken Mermoud, and Marc Dacier presents a tool to generate scripts that can then be used together with honeyd. The basic steps of the tool are:

  1. Deploy a honeypot and record all network traffic

  2. Build a state machine based on the captured data

  3. Simplify the state machine and generate a corresponding honeyd script
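The three steps, as a miniature added example written for this post (not ScriptGen's own code): it builds the state machine from a few constructed SMTP-like captures, simplifies it by merging edges that share a command verb and reply, and emits a honeyd service script that answers over stdin/stdout. The sample sessions, the verb-based merging rule and the close-on-unseen-request policy are assumptions of the example.

```python
import json
from collections import defaultdict

# Constructed captures (step 1): per connection, the (request, reply) pairs an SMTP-like honeypot saw.
SESSIONS = [
    [("HELO a.example", "250 Hello"), ("MAIL FROM:<x@a.example>", "250 OK"), ("QUIT", "221 Bye")],
    [("HELO b.example", "250 Hello"), ("MAIL FROM:<y@b.example>", "250 OK"), ("QUIT", "221 Bye")],
    [("EHLO c.example", "250-Hello\r\n250 SIZE 1000"), ("QUIT", "221 Bye")],
]

def build_state_machine(sessions):
    """Step 2: every distinct request seen from a state becomes an edge carrying its reply."""
    root = {"edges": {}}
    for session in sessions:
        state = root
        for req, reply in session:
            state = state["edges"].setdefault(req, {"reply": reply, "next": {"edges": {}}})["next"]
    return root

def simplify(state):
    """Step 3 (crude stand-in for ScriptGen's region analysis): edges sharing a verb and an
    identical reply collapse into one edge keyed by the verb; their successors are unioned."""
    groups = defaultdict(list)
    for req, edge in state["edges"].items():
        groups[req.split(" ", 1)[0].upper()].append((req, edge))
    edges = {}
    for verb, members in groups.items():
        replies = {e["reply"] for _, e in members}
        if len(replies) > 1:                 # replies differ: keep the exact requests apart
            edges.update({r: {"reply": e["reply"], "next": simplify(e["next"])} for r, e in members})
            continue
        merged = {"edges": {r: n for _, e in members for r, n in e["next"]["edges"].items()}}
        edges[verb] = {"reply": replies.pop(), "next": simplify(merged)}
    return {"edges": edges}

def lookup(state, req):                      # exact request first, then the generalised verb edge
    return state["edges"].get(req) or state["edges"].get(req.split(" ", 1)[0].upper())

SCRIPT = '''#!/usr/bin/env python3
# Generated honeyd service script: honeyd attaches the visitor's connection to stdin/stdout.
import json, sys
state = json.loads(%s)
for req in map(str.strip, sys.stdin):
    edge = state["edges"].get(req) or state["edges"].get(req.split(" ", 1)[0].upper())
    if edge is None:
        break                                # assumption: an unseen request ends the session
    sys.stdout.write(edge["reply"] + "\\r\\n"); sys.stdout.flush()
    state = edge["next"]
'''

def generate_script(machine):
    """Embed the simplified machine as a JSON literal inside the honeyd script text."""
    return SCRIPT % json.dumps(json.dumps(machine))
```

Because honeyd connects a service script's stdin and stdout to the emulated TCP connection, the text returned by generate_script can be saved to a file and referenced from a honeyd template like any hand-written script.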


The results are promising and should make it easier to build new scripts for honeyd. Overall, this tool is similar to Honeybee, which can also automatically create new honeyd scripts, but relies on a scanner to actively learn the characteristics of a protocol.

Abstract:
Honeyd is a popular tool developed by Niels Provos that offers a simple way to emulate services offered by several machines on a single PC. It is a so-called low interaction honeypot. Responses to incoming requests are generated thanks to ad hoc scripts that need to be written by hand. As a result, few scripts exist, especially for services handling proprietary protocols. In this paper, we propose a method to alleviate these problems by automatically generating new scripts. We explain the method and describe its limitations. We analyze the quality of the generated scripts thanks to two different methods. On the one hand, we have launched known attacks against a machine running our scripts; on the other hand, we have deployed that machine on the Internet, next to a high interaction honeypot, for two months. For those attackers that have targeted both machines, we can verify whether or not our scripts have been able to fool them. We also discuss the various tuning parameters of the algorithm that can be set to either increase the quality of the script or, on the contrary, to reduce its complexity.

BibTeX:
@inproceedings{Leita:2005:SGA,
author = {Corrado Leita and Ken Mermoud and Marc Dacier},
title = {ScriptGen: an Automated Script Generation Tool for Honeyd},
booktitle = {Proceedings of the 21st Annual Computer
Security Applications Conference
(ACSAC 2005)},
year = {2005},
month = {December},
}

Trackbacks

  1. "Automatic Handling Of Protocol Dependencies And Reaction To 0-Day Attacks With ScriptGen Based Honeypots"

    At the 9th International Symposium On Recent Advances In Intrusion Detection (RAID'06), Corrado Leita, Marc Dacier, and Frederic Massicotte presented an update of their ScriptGen tool. In the paper "Automatic Handling Of Protocol Dependencies And Reaction

Comments


  1. Dacier, says:

    At RAID06 (September 2006), a follow-up to this work was presented. It explains how the tool is now able to handle intra- and inter-protocol dependencies without relying on any a priori knowledge of the emulated protocol. Experimental validation thanks to the testbed by F. Massicotte (CRC, Canada) is also provided.

    Together with G. Wicherski, we have now integrated scriptgen, argos (VU Amsterdam) and Nepenthes to capture malware without having to write any specific vuln. modules. We are in testing mode.

    Nepenthes, by the way, was also presented at RAID06 by M. Dornseif.

    ---

    @inproceedings{EURECOM+2023,
    doi = {10.1007/11856214_10},
    year = {2006},
    title = {{A}utomatic handling of protocol dependencies and reaction to 0-day attacks with {S}cript{G}en based honeypots},
    author = {{L}eita, {C}orrado and {D}acier, {M}arc and {M}assicotte, {F}r{\'e}d{\'e}ric},
    booktitle = {{RAID} 2006, 9th {I}nternational {S}ymposium on {R}ecent {A}dvances in {I}ntrusion {D}etection, {S}eptember 20-22, 2006, {H}amburg, {G}ermany - {A}lso published as {L}ecture {N}otes in {C}omputer {S}cience {V}olume 4219/2006},
    month = {Sep}
    }

