The Nepenthes Platform: An Efficient Approach to Collect Malware

At the RAID'06 conference, taking place in Hamburg from September 20 to 22, we published a paper on nepenthes. It describes nepenthes in detail and gives an overview of preliminary results. I had previously published excerpts from the paper here on this blog, but now the final paper is also available.

Abstract:
Up to now, there is little empirically backed quantitative and qualitative knowledge about self-replicating malware publicly available. This hampers research in these topics because many counter-strategies against malware, e.g., network- and host-based intrusion detection systems, need hard empirical data to take full effect.
We present the nepenthes platform, a framework for large-scale collection of information on self-replicating malware in the wild. The basic principle of nepenthes is to emulate only the vulnerable parts of a service. This leads to an efficient and effective solution that offers many advantages compared to other honeypot-based solutions. Furthermore, nepenthes offers a flexible deployment solution, leading to even better scalability. Using the nepenthes platform we and several other organizations were able to greatly broaden the empirical basis of data available about self-replicating malware and provide thousands of samples of previously unknown malware to vendors of host-based IDS/anti-virus systems. This greatly improves the detection rate of this kind of threat.
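To make the "emulate only the vulnerable parts of a service" principle concrete, here is a small added illustration (not nepenthes code, and not tied to any real service or vulnerability): a made-up command-line protocol in which only one command path is modelled with care, the one a hypothetical exploit would have to go through, while every other command gets a cheap generic refusal. Payload bytes that would have overflowed the real service are recorded and hashed, never executed; the banner, command name and 64-byte limit are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

BANNER = b"220 demo-ftpd ready\r\n"  # constructed banner for a made-up service
BUFFER_LIMIT = 64  # hypothetical: the emulated USER handler copies into 64 bytes


@dataclass
class Capture:
    """One collected sample: where it hit, what it hashed to, how big it was."""
    module: str
    sha256: str
    size: int
    payload: bytes = field(repr=False)


@dataclass
class Emulator:
    """Answers a session line by line; only the vulnerable command is modelled."""
    captures: list = field(default_factory=list)

    def handle(self, line: bytes) -> bytes:
        verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
        if verb.upper() == b"USER":
            if len(arg) > BUFFER_LIMIT:
                # The real service would overflow here; we only record the bytes.
                self.captures.append(Capture(
                    module="user-overflow",
                    sha256=hashlib.sha256(arg).hexdigest(),
                    size=len(arg),
                    payload=arg,
                ))
                return b""  # mimic a crashed or hung service: no further reply
            return b"331 Password required\r\n"
        if verb.upper() == b"QUIT":
            return b"221 Bye\r\n"
        # Everything else is not emulated: a generic refusal keeps the illusion cheap.
        return b"502 Command not implemented\r\n"


def run_session(lines):
    """Replay a captured session; returns the replies and any collected samples."""
    emu = Emulator()
    replies = [BANNER] + [emu.handle(line) for line in lines]
    return replies, emu.captures


if __name__ == "__main__":
    # Constructed sessions: a benign login and an overlong USER argument.
    print(run_session([b"USER anonymous\r\n", b"QUIT\r\n"]))
    print(run_session([b"USER " + b"A" * 200 + b"\r\n"])[1])
```

The same shape scales to many modules: each one knows only the trigger condition of the path it emulates and hands the collected bytes to a common sample store, which is what keeps the per-service cost low.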

@InProceedings{Baecher:2006:NPA,
author = {Paul Baecher and Markus Koetter and Thorsten Holz
and Maximillian Dornseif and Felix Freiling},
title = {{The Nepenthes Platform: An Efficient Approach to
Collect Malware}},
booktitle = {9th International Symposium On Recent Advances
In Intrusion Detection, RAID06, Hamburg, Germany,
September 20-22, 2006, Proceedings},
year = {2006},
series = {Lecture Notes in Computer Science 4219},
publisher = {Springer},
}
