Graduate School and Research Center in Digital Sciences

ScriptGen: an automated script generation tool for honeyd

Leita, Corrado;Mermoud, Ken;Dacier, Marc

ACSAC 2005, 21st Annual Computer Security Applications Conference, December 5-9, 2005, Tucson, USA

Honeyd [14] is a popular tool developed by Niels Provos that offers a simple way to emulate services offered by severalmachines on a single PC. It is a so called low interaction honeypot. Responses to incoming requests are generated thanks to ad-hoc scripts that need to be written by hand. As a result, few scripts exist, especially for services handling proprietary protocols. In this paper, we propose a method to alleviate these problems by automatically generating new scripts. We explain the method and describe its limitations. We analyze the quality of the generated scripts thanks to two different methods. On the one hand, we have launched known attacks against a machine running our scripts; on the other hand, we have deployed that machine on the Internet, next to a high interaction honeypot during two months. For those attackers that have targeted both machines, we can verify if our scripts have, or not, been able to fool them. We also discuss the various tuning parameters of the algorithm that can be set to either increase the quality of the script or, at the contrary, to reduce its complexity.

Document Doi Bibtex

Title:ScriptGen: an automated script generation tool for honeyd
Department:Digital Security
Eurecom ref:1876
Copyright: © 2005 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.
Bibtex: @inproceedings{EURECOM+1876, doi = {}, year = {2005}, title = {{S}cript{G}en: an automated script generation tool for honeyd}, author = {{L}eita, {C}orrado and {M}ermoud, {K}en and {D}acier, {M}arc}, booktitle = {{ACSAC} 2005, 21st {A}nnual {C}omputer {S}ecurity {A}pplications {C}onference, {D}ecember 5-9, 2005, {T}ucson, {USA}}, address = {{T}ucson, {UNITED} {STATES}}, month = {12}, url = {} }
See also: