A Method to Obtain Signatures from Honeypots Data

  • Chi-Hung Chi
  • Ming Li
  • Dongxi Liu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3222)


Building intrusion detection model in an automatic and online way is worth discussing for timely detecting new attacks. This paper gives a scheme to automatically construct snort rules based on data captured by honeypots on line. Since traffic data to honeypots represent abnormal activities, activity patterns extracted from those data can be used as attack signatures. Packets captured by honeypots are unwelcome, but it appears unnecessary to translate each of them into a signature to use entire payload as activity pattern. In this paper, we present a way based on system specifications of honeypots. It can reflect seriousness level of captured packets. Relying on discussed system specifications, only critical packets are chosen to generate signatures and discriminating values are extracted from packet payload as activity patterns. After formalizing packet structure and syntax of snort rule, we design an algorithm to generate snort rules immediately once it meets critical packets.


Intrusion Detection System Production Network Machine Instruction Attack Signature Terminal Symbol 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Spitzner, L.: Honeypots: Tracking Hackers. Addison-Wesley, Reading (2002)Google Scholar
  2. 2.
    Honeynet Project, Know Your Enemy, Honeynets,
  3. 3.
    Roesch, M.: Snort-lightweight intrusion detection for networks. In: 1999 USENIX (1999)Google Scholar
  4. 4.
    Ilgun, K., et al.: IEEE T. on Software Eng. 21(3), 181–199 (1995)CrossRefGoogle Scholar
  5. 5.
    Paxson, V.: Computer Networks 31(23/24), 2435–2463 (1999)CrossRefGoogle Scholar
  6. 6.
    Li, M.: An approach to reliably identifying signs of DDOS flood attacks based on LRD traffic pattern recognition. Computer & Security (2004) (to appear)Google Scholar
  7. 7.
    Kemmerer, R.A., Vigna, G.: Supplement to Computer 35(4), 27–30 (2002)Google Scholar
  8. 8.
    Eckmann, S.T.: Proc., RAID, LNCS, vol. 2212, pp. 69–84 (2001)Google Scholar
  9. 9.
    Kendall, K.: A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems, Master Thesis, MIT (1999)Google Scholar
  10. 10.
    Roesch, M., Green, C.: Snort users manual,
  11. 11.

Copyright information

© IFIP International Federation for Information Processing 2004

Authors and Affiliations

  • Chi-Hung Chi
    • 1
  • Ming Li
    • 2
  • Dongxi Liu
    • 1
  1. 1.School of ComputingNational University of SingaporeSingapore
  2. 2.School of Information Science & TechnologyEast China Normal UniversityShanghaiP.R. China

Personalised recommendations