Commenced in January 2007
Frequency: Monthly
Edition: International
Paper Count: 31532
Behavioral Signature Generation using Shadow Honeypot

Authors: Maros Barabas, Michal Drozd, Petr Hanacek


A novel behavioral detection framework is proposed to detect zero day buffer overflow vulnerabilities (based on network behavioral signatures) using zero-day exploits, instead of the signature-based or anomaly-based detection solutions currently available for IDPS techniques. At first we present the detection model that uses shadow honeypot. Our system is used for the online processing of network attacks and generating a behavior detection profile. The detection profile represents the dataset of 112 types of metrics describing the exact behavior of malware in the network. In this paper we present the examples of generating behavioral signatures for two attacks – a buffer overflow exploit on FTP server and well known Conficker worm. We demonstrated the visualization of important aspects by showing the differences between valid behavior and the attacks. Based on these metrics we can detect attacks with a very high probability of success, the process of detection is however very expensive.

Keywords: behavioral signatures, metrics, network, security design

Digital Object Identifier (DOI):

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 1798


[1] Garcia-Teodoro, P., Díaz-Verdejo, J. E., MaciáFernández, G., Vázquez, E., Anomaly-based network intrusion detection: Techniques, systems and challenges", p. 18-28, 2009.
[2] C. Cowan, P. Wagle, C. Pu, S. Beattie, J. Walpole, BufferOverflows: Attacks and Defenses for the Vulnerability of the Decade, Oasis, p.227, Foundations of Intrusion Tolerant Systems (OASIS'03)2003.
[3] Ke Wang, Salvatore J. Stolfo, Anomalous Payload-Based Network Intrusion Detection", 2004.
[4] L. Ertoz, E. Eilertson, A. Lazarevic, P.-Ning Tan, P. Dokas, V. Kumar, J. Srivastava, Detection and Summarization of Novel Network Attacks Using Data Mining", 2004.
[5] "NetFlow", Cisco Systems, Inc, 2011, URL: go/netflow.
[6] W. Lee and S. Stolfo, "A Framework for Constructing Features and Models for Intrusion Detection Systems", ACM Transactions on Information and System Security, 3(4), November 2000.
[7] M. Mahoney, P. K. Chan, "An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection", RAID 2003, 220-237.
[8] P. Porras and P. Neumann, "EMERALD: Event Monitoring Enabled Responses to Anomalous Live Disturbances", National Information Systems Security Conference, 1997.
[9] G. Vigna and R. Kemmerer, "NetSTAT: A Network-based intrusion detection approach", Computer Security Application Conference, 1998.
[10] M. Mahoney, P. K. Chan, "Learning Nonstationary Models of Normal Network Traffic for Detecting Novel Attacks", Proc. SIGKDD 2002, 376-385.
[11] G. Portokalidis, A. Slowinska, H. Bos, "Argos: an Emulator for Fingerprinting Zero-Day Attacks", in Proc. ACM SIGOPSEUROSYS'2006, 2006.
[12] J. Berg, E. Teran, S. Stover, "Investigating Argos", an Article in USENIX Magazine: ;login, 2008.
[13] KDD Cup 1999, October 2007, URL: databases/kddcup99/kddcup99.html.
[14] Stack-based buffer overflow in CesarFTP 0.99g, , URL:
[15] Server Service Vulnerability, URL: cvename.cgi?name=2008-4250.