A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2005; you can also visit the original URL.
The file type is application/pdf.
HoneyStat: Local Worm Detection Using Honeypots
[chapter]
2004
Lecture Notes in Computer Science
Worm detection techniques for smaller local networks have not been fully explored. We consider how local networks can provide early detection and complement global monitoring strategies. ...
We describe HoneyStat, which uses modified honeypots to generate a highly accurate alert stream with low false positive rates. ...
., conflicts in data sharing, privacy, and coordinated responses), our detection mechanism is based on local networks, in particular, local honeypots for worm detection. ...
doi:10.1007/978-3-540-30143-1_3
fatcat:fkwgy66b4vcijh6gkgcighxq4u
A survey of internet worm detection and containment
2008
IEEE Communications Surveys and Tutorials
We first identify worm characteristics through their behavior, and then classify worm detection algorithms based on the parameters used in the algorithms. ...
After detecting the existence of worms, the next step is to contain them. This paper explores the current methods used to slow down or stop the spread of worms. ...
Virtual Honeypot was used for worm detection [32] [36, 37]. ...
doi:10.1109/comst.2008.4483668
fatcat:p4jfwoz32vah3d3mjcnrjtfifm
Honeypot detection in advanced botnet attacks
2010
International Journal of Information and Computer Security
Based on this basic detection principle, we present honeypot detection techniques to be used in both centralised botnets and Peer-to-Peer (P2P) structured botnets. ...
Experiments show that current standard honeypots and honeynet programs are vulnerable to the proposed honeypot detection techniques. ...
Dagon et al. (2004) presented the "HoneyStat" system to use coordinated honeypots to detect worm infections in local networks. ...
doi:10.1504/ijics.2010.031858
fatcat:rgl6wazoj5fnhjtn76fd6paqee
Automatic attack signature generation systems: A review
2013
IEEE Security and Privacy
of their capability to detect novel attacks, signature generation method, suitability for multiple instances of worms, type of signature generated, attacks and worms covered, false alarm rates, and relative ...
IDSs can use either anomaly- or signature-based techniques to detect intrusions. In anomaly-based techniques, any deviation from the system's normal behavior profile is recognized and reported. ...
Honeyfarm-Based Defense against Internet Worms Pragya Jain and Anjali Sardana proposed a hybrid approach that integrates anomaly and signature detection with honeypots. 12 This system makes use of all ...
doi:10.1109/msp.2013.51
fatcat:qyfytdbutrgwpiinemorsxpdka
An Efficient Signature-Based Approach for Automatic Detection of Internet Worms over Large-Scale Networks
2006
2006 IEEE International Conference on Communications
This enables local managers to detect worms that try to penetrate into their networks. The proposed system is evaluated using an off-line real network traffic that contains traces of worms. ...
Internet Worms pose a serious threat to today's Internet. Signature matching is an important approach to detect worms. ...
RELATED WORK To detect worms, a number of systems have been proposed in recent literature. Systems such as HoneyStat [6] and Honeycomb [7] use honeypots to detect worms. ...
doi:10.1109/icc.2006.255123
dblp:conf/icc/SimkhadaTWJKN06
fatcat:hft2wx2gnrgfdk2c2qjefizqmq
SweetBait: Zero-hour worm detection and containment using low- and high-interaction honeypots
2007
Computer Networks
To provide a low response time, the signatures may be immediately distributed to network intrusion detection and prevention systems. ...
We discuss the implementation of SweetBait, an automated protection system that employs low- and high-interaction honeypots to recognise and capture suspicious traffic. ...
We are grateful to Intel for providing us with a set of Intel IXP1200 boards which were used for the cardguard HIP. ...
doi:10.1016/j.comnet.2006.09.005
fatcat:q3r2giwqhjdp7dtquqwydu2wgm
Execution transactions for defending against software failures: use and evaluation
2006
International Journal of Information Security
help determine worm signatures. ...
We combine our defensive mechanism with a honeypot-like configuration to detect previously unknown attacks, automatically adapt an application's defensive posture at a negligible performance cost, and ...
Although the system only protects against scanning worms, "active honeypot" techniques [96] may be used to make it more difficult for an automated attacker to differentiate between HoneyStats and real ...
doi:10.1007/s10207-006-0083-6
fatcat:6wtsvxahznbill35gog3pjm4lm
Data reduction for the scalable automated analysis of distributed darknet traffic
2005
Proceedings of the 5th ACM SIGCOMM conference on Internet measurement - IMC '05
One class of techniques that attempts to achieve this balance involves hybrid systems that combine the scalable monitoring of unused address blocks (or darknets) with forensic honeypots (or honeyfarms) ...
Each of the identified events during this period represented a major globally-scoped attack including the WINS vulnerability scanning, Veritas Backup Agent vulnerability scanning, and the MySQL Worm. ...
Finally, in late January of 2005 IMS detected a worm/bot targeted at the MySQL database server [19]. ...
doi:10.1145/1330107.1330135
fatcat:xzwchu5osja4tf6sn6anx63el4
CAUDIT: Continuous Auditing of SSH Servers To Mitigate Brute-Force Attacks
2019
Symposium on Networked Systems Design and Implementation
Related Work This section discusses prior work in honeypot design, security auditing, black hole router, and alert sharing networks. Honeypots. HoneyStat has been deployed for local worm detection. ...
However, 1) it is deployed on local networks whereas ours is deployed on NCSA's global peer-to-peer sharing infrastructure; and 2) it only carries out logit analysis for worm detection, and thus lacks ...
dblp:conf/nsdi/CaoWBAWKI19
fatcat:c3dooud5kffkto7nvojiijux6u
COVERAGE: detecting and reacting to worm epidemics using cooperation and validation
2007
International Journal of Information Security
Cooperative defensive systems communicate and cooperate in their response to worm attacks, but determine the presence of a worm attack solely on local information. ...
Distributed worm detection and immunization systems track suspicious behavior at multiple cooperating nodes to determine whether a worm attack is in progress. ...
Although the system only protects against scanning worms, "active honeypot" techniques [85] may be used to make it more difficult for an automated attacker to differentiate between HoneyStats and real ...
doi:10.1007/s10207-007-0032-z
fatcat:xtybu2v76rdwje2kbhtjxkqwki
An Automated Signature-Based Approach against Polymorphic Internet Worms
2007
IEEE Transactions on Parallel and Distributed Systems
We propose a new worm signature, called the position-aware distribution signature (PADS), which fills the gap between traditional signatures and anomaly-based intrusion detection systems. ...
This paper attempts to answer an important question: How can we distinguish polymorphic worms from normal background traffic? ...
Dagon et al. developed HoneyStat [28] to detect worm behaviors in small networks. ...
doi:10.1109/tpds.2007.1050
fatcat:i66h5tbf3nbevlapxbh3gtzki4
The monitoring and early detection of Internet worms
2005
IEEE/ACM Transactions on Networking
Then, based on the idea of "detecting the trend, not the burst" of monitored illegitimate traffic, we present a "trend detection" methodology to detect a worm at its early propagation stage by using Kalman ...
Facing this great security threat, we need to build an early detection system that can detect the presence of a worm in the Internet as quickly as possible in order to give people accurate early warning ...
[11] presented a "honeystat" worm detection method by correlating infection statistics provided by local honeypots when a worm tries to infect them. ...
doi:10.1109/tnet.2005.857113
fatcat:4savbhtmozcujjtore2lvcmsam
WormTerminator
2006
Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems - ANCS '06
While signature based worm detection and containment are effective in detecting and containing known worms, they are inherently ineffective against previously unknown worms and polymorphic worms. ...
In order to stop a fast spreading worm, we need the capability to detect and contain worms automatically in real-time. ...
More broadly, some other attack detection and signature extraction rely on the honeypots that cover dark or unused IP addresses, such as Backscatter [22], honeyd [27], honeyComb [17], and HoneyStat ...
doi:10.1145/1185347.1185371
dblp:conf/ancs/ChenWLZ06
fatcat:3vrvqzi25zasdhfbvuk5v76pey
Method for Cyberincidents Network-Centric Monitoring in Critical Information Infrastructure
2017
International Journal of Computer Network and Information Security
of intrusion detection system (IDS) using virtual honeypots (Honeypot) last generation Honeynet GenIII (Autograph, PADS, PAYL, COVERS, DIRA, DOME, Minos, Paid, Vigilante, HoneyStat etc.), which have different ...
, honeypot systems, analyze vulnerabilities systems, exploits, operating systems, different applications (including specialized detection systems of cyberincidents with type SIEM), anti-virus and anti-spam ...
doi:10.5815/ijcnis.2017.06.04
fatcat:mf3pwwjohbapjmifqlzmmlfzzm
Composite Hybrid Techniques For Defending Against Targeted Attacks
[chapter]
Advances in Information Security
We also explore the notion of using Shadow Honeypots in Application Communities in order to amortize the cost of instrumentation and detection across a number of autonomous hosts. ...
anomaly detection. ...
HoneyStat [13] runs sacrificial services inside a virtual machine, and monitors memory, disk, and network events to detect abnormal behavior. ...
doi:10.1007/978-0-387-44599-1_10
dblp:series/ais/SidiroglouK07
fatcat:cck5xyx63feinpyfwyk27eclde