RULE GENERATOR FOR IPS BY USING HONEYPOT DATA TO FIGHT POLYMORPHIC WORM
Nowadays, many networks are already protected by an Intrusion Prevention System (IPS). However, most IPSs use a signature-based technique, and updating signatures tends to be difficult and time-consuming because writing them requires expert knowledge. Signature-based IPSs are therefore weak at de...
Main Author: | |
---|---|
Format: | Final Project |
Language: | Indonesia |
Online Access: | https://digilib.itb.ac.id/gdl/view/21567 |
Institution: | Institut Teknologi Bandung |
id |
id-itb.:21567 |
---|---|
spelling |
id-itb.:21567 2017-10-09T10:28:08Z RULE GENERATOR FOR IPS BY USING HONEYPOT DATA TO FIGHT POLYMORPHIC WORM (NIM : 13511068), DANIEL Indonesia Final Project INSTITUT TEKNOLOGI BANDUNG https://digilib.itb.ac.id/gdl/view/21567 text |
institution |
Institut Teknologi Bandung |
building |
Institut Teknologi Bandung Library |
continent |
Asia |
country |
Indonesia |
content_provider |
Institut Teknologi Bandung |
collection |
Digital ITB |
language |
Indonesia |
description |
Nowadays, many networks are already protected by an Intrusion Prevention System (IPS). However, most IPSs use a signature-based technique, and updating signatures tends to be difficult and time-consuming because writing them requires expert knowledge. Signature-based IPSs are therefore weak at detecting the latest attacks. A honeypot can be used to help learn about the latest attacks. A honeypot is a tool that has no production value, so every connection attempt to it can be considered an attack. However, honeypot data needs to be processed before it can be used by an IPS. To turn attack data into signatures, researchers have studied signature generators. After comparing signature generators, this final project chose Polygraph because it has an advantage over Honeycomb in detecting polymorphic worms. A polymorphic worm is a worm that varies its form in every infection attempt, which makes its signature difficult to determine. This final project determines the technique needed to transform attack data captured by the chosen honeypot (Dionaea) into signatures with the help of Polygraph. The generated signatures are then adapted into a form that can be used by the chosen IPS (Snort). With the generated signatures, Snort is expected to be able to block the same attacks as those previously captured by Dionaea. In testing of the proposed technique, Snort was able to block the same attacks as those captured by Dionaea. However, there is a performance problem: the generated signatures use regular expressions, which slows packet processing on the IPS. Furthermore, the PCRE match limits in Snort need to be changed to block attacks more optimally. |
format |
Final Project |
author |
(NIM : 13511068), DANIEL |
spellingShingle |
(NIM : 13511068), DANIEL RULE GENERATOR FOR IPS BY USING HONEYPOT DATA TO FIGHT POLYMORPHIC WORM |
author_facet |
(NIM : 13511068), DANIEL |
author_sort |
(NIM : 13511068), DANIEL |
title |
RULE GENERATOR FOR IPS BY USING HONEYPOT DATA TO FIGHT POLYMORPHIC WORM |
title_short |
RULE GENERATOR FOR IPS BY USING HONEYPOT DATA TO FIGHT POLYMORPHIC WORM |
title_full |
RULE GENERATOR FOR IPS BY USING HONEYPOT DATA TO FIGHT POLYMORPHIC WORM |
title_fullStr |
RULE GENERATOR FOR IPS BY USING HONEYPOT DATA TO FIGHT POLYMORPHIC WORM |
title_full_unstemmed |
RULE GENERATOR FOR IPS BY USING HONEYPOT DATA TO FIGHT POLYMORPHIC WORM |
title_sort |
rule generator for ips by using honeypot data to fight polymorphic worm |
url |
https://digilib.itb.ac.id/gdl/view/21567 |
_version_ |
1821120498552012800 |