Signatures Extraction Based On Honeypot Technology

Posted on: 2012-06-13 | Degree: Master | Type: Thesis
Country: China | Candidate: X B Nie | Full Text: PDF
GTID: 2218330338968490 | Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of the Internet, network security problems have become increasingly serious, and new kinds of attacks emerge endlessly. How to deal with these new attacks has become a research priority in network security. Existing defenses against hacker attacks rely mainly on intrusion detection systems built on known facts and known attack patterns, and their protective capacity depends largely on the quantity and quality of the signatures in the signature library. Quickly extracting attack signatures and adding them to the intrusion detection system is therefore the most important way to defend against these new attacks.

At present, manual signature extraction by network security experts through after-the-fact analysis can no longer keep up with the current network environment: the process is long and slow. Automatic attack signature extraction studies how to rapidly extract the signatures of a new attack without human help. Signature extraction technology therefore has very important practical significance.

Building on research into honeypot and honeynet technology, and on the high value of the data they capture, the thesis designs a honeynet-based signature extraction model and analyses and implements the basic functions of its four modules: the honeynet system, data collection, data processing and signature extraction. The model uses the virtual machine software VMware to implement a virtual honeynet system, which takes advantage of the virtual honeynet's benefits to lure intruders, and then uses the tools TCPdump and Sebek to capture network flow data and system kernel-level data respectively. The network data can be used to analyse signatures, and the kernel-level data can be used to analyse the behaviour of hackers. The model also performs protocol analysis on the captured network data to obtain the data payload; the attack data samples are then processed uniformly and stored in MySQL, which facilitates data analysis. Finally, for signature extraction the thesis presents an iterative LCS algorithm and verifies its validity by experiment.
Keywords/Search Tags:LCS algorithm, honeypot, honeynet, signatures
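
The abstract names an iterative LCS algorithm without describing it. The sketch below is an added example, not the thesis's code: it assumes "LCS" means longest common substring and that "iterative" means folding it across the stored payload samples. The function names, the `min_len` threshold and the sample payloads are constructed for illustration.

```python
from typing import List, Optional


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Longest contiguous byte run shared by a and b (row-by-row DP)."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def extract_signature(payloads: List[bytes], min_len: int = 8) -> Optional[bytes]:
    """Fold the LCS over all samples; the candidate shrinks to the shared run.

    The fold is greedy: it keeps only the single longest run at each step,
    so it can miss a shorter run that every sample shares. Candidates under
    min_len are rejected because short signatures match benign traffic.
    """
    if len(payloads) < 2:
        return None  # one sample cannot separate invariant from variable bytes
    candidate = payloads[0]
    for sample in payloads[1:]:
        candidate = longest_common_substring(candidate, sample)
        if len(candidate) < min_len:
            return None
    return candidate


# Constructed payloads standing in for samples captured on the honeynet.
SAMPLES = [
    b"GET /a.php?x=1&data=SAMPLE-INVARIANT-BYTES&r=17 HTTP/1.0",
    b"POST /form/b.cgi?data=SAMPLE-INVARIANT-BYTES&r=903 HTTP/1.1",
    b"GET /c?k=zz&q=SAMPLE-INVARIANT-BYTES HTTP/1.1",
]

if __name__ == "__main__":
    print(extract_signature(SAMPLES))
```

The byte string returned is a candidate for a content-match rule in the intrusion detection system; it still needs checking against benign traffic before deployment.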