HoneyAnalyzer – Analysis and Extraction of Intrusion Detection Patterns & Signatures Using Honeypot

A Honeypot is a security resource, which is intended to be attacked and compromised to gain more information about the attacker and his attack techniques. A honeypot can also indicate about how to perform forensics. The information gathered by watching a honeypot being probed is invaluable. It gives information about attacks and attack patterns. Currently, the creation of intrusion detection signatures is a tedious process that requires detailed knowledge of the traffic characteristics of the phenomenon to be detected. In this paper we address these issues. We have proposed, HoneyAnalyzer, a tool for analyzing honeyd-logs in a RDBMS with a webbased monitoring interface. The data collected from Honeypot is analyzed for possible attacks, scans, and viruses. The system displays the honeyd logs as well as traffic analyzer (e.g. Tcpdump) logs in a well-defined graphical manner so that a security administrator can filter the data of honeypot’s log. We also propose the use of a signature extraction algorithm such as LCS (Longest Common Substring) on the data filtered out by the administrator. Thus the security administrator gets the flexibility to apply the signature extraction algorithm on the data of his choice resulting in more precise attack signature extraction.