Enhancing Intrusion Detection System (IDS) performance using Honeypot

Abstract

Intrusion Detection System (IDS) is to help detect unauthorized incursion, and alert the system administrator for the suspicious activities according the abnormal activity patterns. IDS rule for matching attack patterns is updated by a group of people when new attack signal is appeared. To update the IDS rules, network administrator should check and download the latest rule and upload to IDS manually. Therefore, new attacks may escape because of outdated information and the matching performance may slow down by a huge number of rules. To improve the performance of IDS, honeypot appeared. Honeypot is a computer system that pretends as a normal computer, to attract attacker to hack into the system. IDS will capture all the activities which connected to honeypot and using the rule set to detect and analysis the attack patterns. To study signature of attack pattern and discover the attack pattern through IDS, in order to reduce the resources lost by unauthorized attack of the system. However, if the alarming setting of honeypot is not enough, we may not discover all the attacks immediately. Attackers may actually break into a system and work with illegal activities. Closely monitoring to honeypot under attack is important. In this project, we will configure honeypot under monitor to avoid the unauthorized use by attacker. Besides, we will analyze the attack patterns and working with open source IDS SNORT, to re-organized the existing rules to reduce the duplicate rules in SNORT in order improve the performance of IDS. Also, we will analyze the attack patterns to honeypot, investigate how to implement a SNORT rule generator when attack pattern comes.