Research Of Honeypot Used In Intrusion Detection Application

Posted on: 2009-08-05
Degree: Master
Type: Thesis
Country: China
Candidate: Y Z Liu
GTID: 2178360242991874
Subject: Computer application technology

Abstract/Summary:
With the growing importance of network security, the Intrusion Detection System (IDS) has become an active research topic in the field. All kinds of IDS currently share common problems: serious rates of missed reports and wrong reports, and insufficient response capability. A honeypot is a security resource with no production value, which can divert attackers' attention and collect attack information. Compared with firewall logs, system logs and IDS early warnings, a honeypot generates far less data, and that data is highly valuable for researching new intrusions. The aim of this paper is to use honeypots to find unknown signatures and so improve the response capability and detection capability of IDS.

This paper first introduces the basic concepts, advantages and disadvantages of IDS and honeypots, then designs a dynamic hybrid honeypot model, uses this model to improve IDS, and implements its key technologies.

The dynamic hybrid honeypot model proposed in this paper consists of a decoy module and a camouflage service module. The two modules cooperate through connection redirection. The decoy module is composed of low-interaction honeypots that simulate the operating system and network services. Its role is to attract as many intruders as possible and so raise the probability of the honeypot being attacked, using real operating systems and services with vulnerabilities. The camouflage service module is composed of high-interaction honeypots. Its role is to provide a more realistic environment and fully engage the intruders, so that attack information is captured in full. The decoy module is simple to deploy and low-risk, so it can be distributed to every corner of the network, trapping attackers in both real and virtual network settings. The camouflage service module has a high deployment cost and high risk, so it is deployed in a separate, highly controlled subnet, where it receives connections redirected by more than one decoy module and captures attack information while interacting with the attackers.

This paper uses a multi-data capture mechanism: network capture, honeypot capture and core capture. The multi-capture mechanism fully records network data and host data and ensures the completeness of the data. Core capture is aimed mainly at intrusions that encrypt their data, and is implemented on the high-interaction honeypots in the camouflage service module. An intrusion information description is designed in XML to format the intrusion data. Based on an analysis of common protocols such as IP, TCP, UDP and ICMP, reference signatures that can be extracted from data packets are proposed. Attack trees are used to reconstruct the attack process and extract complex intrusion signatures.

A SQL worm is used to test the system's data collection and analysis capabilities. Experiments show that this model can widen the honeypot's field of view, generate intrusion signatures, reduce the rate of missed reports and improve the performance of the intrusion detection system. The system also has some shortcomings. Future work should study how to set up and manage high-interaction honeypots automatically, and how to standardize attack data so that information can be exchanged with other security products.
Keywords/Search Tags:Network security, Honeypot, XML, IDS, Signature extraction
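
As an added illustration of the signature-extraction step described in the abstract (not code from the thesis), the Python sketch below pulls candidate signature fields from the IP, TCP, UDP and ICMP headers of a captured packet and formats them as an XML record. The element names, the `decoy-01` sensor id and the sample packet are assumptions constructed for this example; the thesis's actual XML schema is not given on this page.

```python
import hashlib
import socket
import struct
import xml.etree.ElementTree as ET

PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}

def extract_signature(packet: bytes) -> dict:
    """Extract candidate signature fields from one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("invalid IPv4 header length")
    proto = packet[9]
    sig = {"proto": PROTO.get(proto, str(proto)), "ttl": packet[8],
           "src": socket.inet_ntoa(packet[12:16]),
           "dst": socket.inet_ntoa(packet[16:20])}
    l4, payload = packet[ihl:], b""
    if proto == 6 and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        sig.update(sport=sport, dport=dport, tcp_flags=f"0x{l4[13]:02x}")
        payload = l4[max((l4[12] >> 4) * 4, 20):]  # skip TCP options
    elif proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        sig.update(sport=sport, dport=dport)
        payload = l4[8:]
    elif proto == 1 and len(l4) >= 8:
        sig.update(icmp_type=l4[0], icmp_code=l4[1])
        payload = l4[8:]
    # Hash the payload so identical probes seen by several decoys correlate.
    sig["payload_len"] = len(payload)
    sig["payload_sha256"] = hashlib.sha256(payload).hexdigest()
    return sig

def to_xml(sig: dict, sensor: str) -> str:
    """Serialize a signature as an XML record (hypothetical element names)."""
    root = ET.Element("intrusion", sensor=sensor)
    for key, value in sig.items():
        ET.SubElement(root, key).text = str(value)
    return ET.tostring(root, encoding="unicode")

def sample_udp_packet() -> bytes:
    """Constructed sample: UDP datagram between documentation addresses."""
    payload = b"CONSTRUCTED-PROBE"
    udp = struct.pack("!HHHH", 40000, 1434, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.5"))
    return ip + udp

if __name__ == "__main__":
    print(to_xml(extract_signature(sample_udp_packet()), "decoy-01"))
```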