Defense Mechanism to Generate IPS Rules from Honeypot Logs and Its Application to Log4Shell Attack and Its Variants-Reference-Cited by-同舟云学术

Defense Mechanism to Generate IPS Rules from Honeypot Logs and Its Application to Log4Shell Attack and Its Variants

Published:2023-07-21 Issue:14 Volume:12 Page:3177
ISSN:2079-9292
Container-title:Electronics
language:en
Short-container-title:Electronics

Author:

Yamamoto Yudai¹,Yamaguchi Shingo¹^ORCID

Affiliation:

1. Graduate School of Sciences and Technology for Innovation, Yamaguchi University, 2-16-1 Tokiwadai, Ube 755-8611, Japan

Abstract

The vulnerability of Apache Log4j, Log4Shell, is known for its widespread impact; many attacks that exploit Log4Shell use obfuscated attack patterns, and Log4Shell has revealed the importance of addressing such variants. However, there is no research which focuses on the response to variants. In this paper, we propose a defense system that can protect against variants as well as known attacks. The proposed defense system can be divided into three parts: honeypots, machine learning, and rule generation. Honeypots are used to collect data, which can be used to obtain information about the latest attacks. In machine learning, the data collected by honeypots are used to determine whether it is an attack or not. It generates rules that can be applied to an IPS (Intrusion Prevention System) to block access that is determined to be an attack. To investigate the effectiveness of this system, an experiment was conducted using test data collected by honeypots, with the conventional method using Suricata, an IPS, as a comparison. Experimental results show that the discrimination performance of the proposed method against variant attacks is about 50% higher than that of the conventional method, indicating that the proposed method is an effective method against variant attacks.

Funder

JSPS KAKENHI

Publisher

MDPI AG

Subject

Electrical and Electronic Engineering,Computer Networks and Communications,Hardware and Architecture,Signal Processing,Control and Systems Engineering

Link

https://www.mdpi.com/2079-9292/12/14/3177/pdf

Reference35 articles.

1. Sophos (2022, December 12). Log4Shell Hell: Anatomy of an Exploit Outbreak—Sophos News. Available online: https://news.sophos.com/en-us/2021/12/12/log4shell-hell-anatomy-of-an-exploit-outbreak/.

2. Mitre (2023, June 10). CVE-CVE-2021-44228. Available online: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228.

3. Cisco (2023, June 10). Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021. Available online: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd.

4. Palo Alto Networks (2023, June 10). Apache log4j Vulnerability CVE-2021-44228: Analysis and Mitigations. Available online: https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/.

5. Emerging Threats (2022, July 08). Proofpoint Emerging Threats Rules. Available online: https://rules.emergingthreatspro.com/open/.

Cited by 1 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. A Rule Generation Method With High Understandability Against Obfuscated Attack Patterns in Log4Shell for IPS and IDS Based on Given Obfuscation Techniques;2023 IEEE 12th Global Conference on Consumer Electronics (GCCE);2023-10-10