Rule generator for IPS by using honeypot to fight polymorphic worm

Abstract

Nowadays, most network is already protected by Intrusion Prevention System (IPS). But most of the IPS is using signature based detection techniques, whereas signature update tends to be difficult and time consuming because it requires expert knowledge in the making. Therefore, IPS signature based has a weakness in detecting latest attack. This paper present a signature-generating technique by using signature generator and honeypot. The signature generator used in this paper is Polygraph because has an advantage on detecting polymorphic worm. The honeypot used is Dionaea because the log can be converted into the forms required by Polygraph. This paper will discuss what steps are needed in transforming attack data from honeypot into a rule that can be used by IPS Snort.