Automatic Handling of Protocol Dependencies and Reaction to 0-Day Attacks with ScriptGen Based Honeypots

  • Corrado Leita
  • Marc Dacier
  • Frederic Massicotte
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4219)


Spitzner proposed to classify honeypots into low, medium and high interaction ones. Several instances of low interaction exist, such as honeyd, as well as high interaction, such as GenII. Medium interaction systems have recently received increased attention. ScriptGen and RolePlayer, for instance, are as talkative as a high interaction system while limiting the associated risks. In this paper, we do build upon the work we have proposed on ScriptGen to automatically create honeyd scripts able to interact with attack tools without relying on any a-priori knowledge of the protocols involved. The main contributions of this paper are threefold. First, we propose a solution to detect and handle so-called intra-protocol dependencies. Second, we do the same for inter-protocols dependencies. Last but not least, we show how, by modifying our initial refinement analysis, we can, on the fly, generate new scripts as new attacks, i.e. 0-day, show up. As few as 50 samples of attacks, i.e. less than one per platform we have currently deployed in the world, is enough to produce a script that can then automatically enrich all these platforms.


Training Sample State Machine Client Request Content Dependency Server Answer 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Spitzner, L.: Honeypots: Tracking Hackers. Addison-Welsey, Boston (2002)Google Scholar
  2. 2.
    Provos, N.: A virtual honeypot framework. In: Proceedings of the 12th USENIX Security Symposium, pp. 1–14 (2004)Google Scholar
  3. 3.
    Dacier, M., Pouget, F., Debar, H.: Attack processes found on the internet. In: NATO Symposium IST-041/RSY-013, Toulouse, France (2004)Google Scholar
  4. 4.
    Dacier, M., Pouget, F., Debar, H.: Honeypots, a practical mean to validate malicious fault assumptions. In: Proceedings of the 10th Pacific Ream Dependable Computing Conference (PRDC 2004), Tahiti (2004)Google Scholar
  5. 5.
    Dacier, M., Pouget, F., Debar, H.: Honeypot-based forensics. In: Proceedings of AusCERT Asia Pacific Information Technology Security Conference 2004, Brisbane, Australia (2004)Google Scholar
  6. 6.
    Dacier, M., Pouget, F., Debar, H.: Towards a better understanding of internet threats to enhance survivability. In: Proceedings of the International Infrastructure Survivability Workshop 2004 (IISW 2004), Lisbonne, Portugal (2004)Google Scholar
  7. 7.
    Dacier, M., Pouget, F., Debar, H.: On the advantages of deploying a large scale distributed honeypot platform. In: Proceedings of the E-Crime and Computer Conference 2005 (ECCE 2005), Monaco (2005)Google Scholar
  8. 8.
    Dacier, M., Pouget, F., Debar, H.: Honeynets: foundations for the development of early warning information systems. In: Kowalik, J., Gorski, J., Sachenko, A. (eds.) Proceedings of the Cyberspace Security and Defense: Research Issues (2005)Google Scholar
  9. 9.
    CERT: Cert advisory ca-2003-20 w32/blaster worm (2003)Google Scholar
  10. 10.
    Leita, C., Mermoud, K., Dacier, M.: Scriptgen: an automated script generation tool for honeyd. In: Proceedings of the 21st Annual Computer Security Applications Conference (2005)Google Scholar
  11. 11.
    Needleman, S., Wunsch, C.: A general method applicable to the search for similarities in the amino acid sequence of two proteins. J. Mol. Biol. 48(3), 443–453 (1970)CrossRefGoogle Scholar
  12. 12.
    Cui, W., Vern, P., Weaver, N., Katz, R.H.: Protocol-independent adaptive replay of application dialog. In: The 13th Annual Network and Distributed System Security Symposium (NDSS) (2006)Google Scholar
  13. 13.
    Freiling, F.C., Holz, T., Wicherski, G.: Botnet tracking: Exploring a root-cause methodology to prevent distributed denial-of-service attacks. LNCS, pp. 319–335. Springer, Heidelberg (2005)Google Scholar
  14. 14.
    The Honeynet Project: Know your enemy: Tracking botnets. Know Your Enemy Whitepapers (2005)Google Scholar
  15. 15.
    Massicotte, F., Couture, M., De Montigny-Leboeuf, A.: Using a vmware network infrastructure to collect traffic traces for intrusion detection evaluation. In: Proceedings of the 21st Annual Computer Security Applications Conference (2005)Google Scholar
  16. 16.
    OSVDB: Microsoft windows lsass remote overflow (2006),
  17. 17.
    OSVDB: Microsoft pnp ms05-039 overflow (2005),

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Corrado Leita
    • 1
  • Marc Dacier
    • 1
  • Frederic Massicotte
    • 2
  1. 1.Institut EurecomSophia AntipolisFrance
  2. 2.Communications Research CentreOttawaCanada

Personalised recommendations