SweetBait: Zero-Hour Worm Detection and Containment Using Honeypots
Long-distance flights have the advantage that you have lots of time to read papers. On the other hand, the drawback of such a trip is that you have to take some time in order to catch up on the work at home... In the next few days I will present a couple of papers I read on my last trip, most of them focussing on bots/botnets and worm detection.
The technical report "SweetBait: Zero-Hour Worm Detection and Containment Using Honeypots" by Portokalidis and Bos from Vrije Universiteit, Amsterdam, describes a system to automatically generate worm signatures. The system uses some well-known tools:
- honeyd to emulate hosts
- honeycomb to automatically generate NIDS signatures (see the honeycomb paper)
- honeybounce, a honeyd plugin to whitelist traffic
- netfilter, the Linux netfilter/iptables subsystem, to react to the traffic, plus a Linux kernel module called CBFilter to perform content-based filtering
- A Control Center (CC) based on PostgreSQL to correlate signatures and alerts
All the individual pieces already exist; by interconnecting them (together with some new tools like honeybounce and CBFilter), the system is capable of automatically generating and distributing worm signatures. So nothing really new, but a nice engineering solution. Be sure to also take a look at "Autograph: Toward Automated, Distributed Worm Signature Detection", one of the state-of-the-art systems in worm detection.
A complete write-up of SweetBait is also available as the M.Sc. thesis of Georgios Portokalidis entitled "Zero-Hour Worm Detection And Containment Using Honeypots".
Abstract:
As next-generation computer worms may spread within minutes to millions of hosts, protection via human intervention is no longer an option. We discuss the implementation of SweetBait, an automated protection system that employs low-interaction honeypots to capture suspicious traffic. After discarding whitelisted patterns, it automatically generates worm signatures. To provide a low response time, the signatures may be immediately distributed to network intrusion detection and prevention systems. At the same time the signatures are continuously refined for increased accuracy and lower false identification rates. By monitoring signature activity and predicting ascending or descending trends in worm virulence, we are able to sort signatures in order of urgency. As a result, the set of signatures to be monitored or filtered is managed in such a way that new and very active worms are always included in the set, while the size of the set is bounded. SweetBait is deployed on medium sized academic networks across the world and is able to react to zero-day worms within minutes. Furthermore, we demonstrate how globally sharing signatures can help immunise parts of the Internet.
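To make the pipeline concrete (capture on an emulated host, discard whitelisted patterns, derive a signature from the common content of the captured payloads, then keep a bounded set of signatures ordered by activity trend), here is a toy end-to-end version. This is an added example written for this post, not code from SweetBait, honeycomb or honeyd. The payloads, the whitelist, the hit counts, the thresholds MIN_SIG_LEN and MAX_ACTIVE, and the trend formula (a plain delta between two epochs) are all constructed assumptions; the real system's tunables and trend predictor are described in the report, not here.

```python
"""Toy SweetBait-style pipeline (added example, not the project's code):
honeypot payloads -> whitelist filter -> LCS signature -> bounded,
urgency-ordered signature set.  All inputs below are constructed."""

MIN_SIG_LEN = 12   # assumed minimum signature length; a tunable, not the paper's value
MAX_ACTIVE = 2     # assumed bound on the deployed signature set

# Constructed benign patterns (what honeybounce-style whitelisting would drop).
WHITELIST = [b"GET / HTTP/1.1", b"HEAD /robots.txt"]

# Constructed captures from one emulated service: three attempts of the same
# synthetic "worm" with different padding, plus two benign requests.
CAPTURED = [
    b"A" * 20 + b"\x90\x90\x90\x90SYNTH-WORM-STAGE1\x00\x01",
    b"B" * 35 + b"\x90\x90\x90\x90SYNTH-WORM-STAGE1\x00\x01\x02",
    b"C" * 8 + b"\x90\x90\x90\x90SYNTH-WORM-STAGE1",
    b"GET / HTTP/1.1\r\nHost: honeypot\r\n\r\n",
    b"HEAD /robots.txt HTTP/1.0\r\n\r\n",
]


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Classic O(len(a)*len(b)) dynamic-programming LCS over raw bytes."""
    best_len = best_end = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def filter_whitelisted(payloads):
    """Drop anything containing a known-benign pattern before signature generation."""
    return [p for p in payloads if not any(w in p for w in WHITELIST)]


def generate_signature(payloads, min_len=MIN_SIG_LEN):
    """Fold the LCS across all suspicious payloads of one cluster.

    Honeycomb compares each new connection against earlier ones to the same
    port; folding a whole batch is a simplification (and greedy: an LCS tie
    chosen early can lose a longer candidate later).  Returns None if the
    common part is too short to be a usable signature.
    """
    if len(payloads) < 2:
        return None
    sig = payloads[0]
    for p in payloads[1:]:
        sig = longest_common_substring(sig, p)
        if len(sig) < min_len:
            return None
    # A signature that would also match whitelisted traffic is useless.
    if any(sig in w for w in WHITELIST):
        return None
    return sig


class SignatureSet:
    """Bounded set ordered by urgency: rising hit counts first, then volume."""

    def __init__(self, capacity=MAX_ACTIVE):
        self.capacity = capacity
        self.hits = {}          # signature -> {epoch: hits}

    def observe(self, sig, epoch, n=1):
        self.hits.setdefault(sig, {})
        self.hits[sig][epoch] = self.hits[sig].get(epoch, 0) + n

    def urgency(self, sig, epoch):
        """Simplified trend: delta against the previous epoch, then current volume."""
        cur = self.hits[sig].get(epoch, 0)
        prev = self.hits[sig].get(epoch - 1, 0)
        return (cur - prev, cur)

    def active(self, epoch):
        """Signatures that would be pushed to the NIDS/NIPS for this epoch."""
        ranked = sorted(self.hits, key=lambda s: self.urgency(s, epoch), reverse=True)
        return ranked[:self.capacity]


def run_pipeline():
    suspicious = filter_whitelisted(CAPTURED)
    sig = generate_signature(suspicious)

    # Constructed hit counts from the NIDS side over two epochs: an old, fading
    # worm with high volume, a steady scanner, and the newly generated signature.
    sigs = SignatureSet()
    for s, e, n in [(b"OLD-WORM-SIGNATURE", 1, 50), (b"OLD-WORM-SIGNATURE", 2, 20),
                    (b"STEADY-SCANNER-SIG", 1, 5), (b"STEADY-SCANNER-SIG", 2, 5),
                    (sig, 1, 3), (sig, 2, 10)]:
        sigs.observe(s, e, n)
    return {"suspicious": len(suspicious), "signature": sig, "active": sigs.active(2)}


if __name__ == "__main__":
    print(run_pipeline())
```

The point of the ranking is the one the abstract makes: the old worm still has the most hits in epoch 2, but its count is falling, so with a bound of two it is evicted in favour of the new, rising signature and the steady one. The fold over the whole batch also shows why a raw LCS needs a whitelist and a minimum length: the first two captures alone would have yielded a longer signature that includes the trailing bytes they happen to share.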
BibTeX:
@techreport{,
author = {Georgios Portokalidis and Herbert Bos},
title = {SweetBait: Zero-Hour Worm Detection and
Containment Using Honeypots},
year = {2005},
month = {May},
institution = {Vrije Universiteit, Amsterdam, The Netherlands},
number = {IR-CS-015},
note = {Internet: \url{http://www.cs.vu.nl/%7Eherbertb/papers/sweetbait-ir-cs-015.pdf}},
}