Learning stateful models for network honeypots
(Publication)
| Field | Value |
|---|---|
| Botnet | |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2012 |
| Editor/Conference | ACM |
| Link | http://user.informatik.uni-goettingen.de/~krieck/docs/2012a-aisec.pdf (archive copy available) |
| Author | Tammo Krueger, Hugo Gascon, Nicole Krämer, Konrad Rieck |
| Type | Conference paper |
Abstract
“Attacks like call fraud and identity theft often involve sophisticated stateful attack patterns which, on top of normal communication, try to harm systems on a higher semantic level than usual attack scenarios. To detect these kinds of threats via specially deployed honeypots, at least a minimal understanding of the inherent state machine of a specific service is needed to lure potential attackers and to keep a communication for a sufficiently large number of steps. To this end we propose PRISMA, a method for protocol inspection and state machine analysis, which infers a functional state machine and message format of a protocol from network traffic alone. We apply our method to three real-life network traces ranging from 10,000 up to 2 million messages of both binary and textual protocols. We show that PRISMA is capable of simulating complete and correct sessions based on the learned models. A case study on malware traffic reveals the different states of the execution, rendering PRISMA a valuable tool for malware analysis.”
Bibtex
@misc{2012BFR1363,
  editor       = {ACM},
  author       = {Tammo Krueger, Hugo Gascon, Nicole Krämer, Konrad Rieck},
  title        = {Learning stateful models for network honeypots},
  date         = {02},
  month        = May,
  year         = {2012},
  howpublished = {\url{http://user.informatik.uni-goettingen.de/~krieck/docs/2012a-aisec.pdf}},
}