SweetBait: Zero-hour worm detection and containment using low- and high-interaction honeypots

Computer Networks

Volumn 51, Issue 5, 2007, Pages 1256-1274

  Portokalidis, Georgios ^a   Bos, Herbert ^a  

^a VU UNIVERSITY AMSTERDAM   (Netherlands)

Author keywords

Emulators; Honeypots; Intrusion detection prevention; Security

Indexed keywords

COMPUTER VIRUSES; COMPUTER WORMS; ELECTRONIC DOCUMENT IDENTIFICATION SYSTEMS; INTERNET; SECURITY SYSTEMS; TELECOMMUNICATION TRAFFIC;

EMULATORS; FALSE IDENTIFICATION RATES; HONEYPOTS; INTRUSION DETECTION/PREVENTION;

COMPUTER NETWORKS;

EID: 33846251940     PISSN: 13891286     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.comnet.2006.09.005     Document Type: Article

References (53)

1. S. Staniford, V. Paxson, N. Weaver, How to own the internet in your spare time, in: Proc. of the 11th USENIX Security Symposium, 2002.
2. Staniford S., Moore D., Paxson V., and Weaver N. The top speed of flash worms. Proc. of the 2004 ACM Workshop on Rapid malcode (WORM'04) (2004), ACM Press, New York 33-42
3. Cisco, Cisco secure intrusion detection system, version 2.2.0, User guide (netranger), 2003.
4. N. Provos, A virtual honeypot framework, CITI, Technical Report 03-1, 2003.
5. M. Costa, J. Crowcroft, M. Castro, A. Rowstron, Can we contain internet worms? in: Third Workshop on Hot Topics in Networks (HOTNETS-III), San Diego, CA, November 2004.
6. D. Dagon, X. Qin, G. Gu, W. Lee, J. Grizzard, J. Levin, H. Owen, HoneyStat: Local worm detection using honeypots, in: Proc. of RAID2004, Sophia Antipolis, France, September 2004.
7. Kreibich C., and Crowcroft J. Honeycomb - creating intrusion detection signatures using honeypots. ACM SIGCOMM Computer Communication Review 34 1 (2004) 51-56
8. M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, P. Barham, Vigilante: End-to-end containment of internet worms, in: SOSP'05, Brighton, UK, October 2005.
9. H. Bos, K. Huang, Towards software-based signature detection for intrusion prevention on the network card, in: Proc. of Eighth International Symposium on Recent Advances in Intrusion Detection (RAID2005), Seattle, WA, September 2005 [Online] .
10. J. Newsome, D. Song, Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software, in: Proc. of the 12th Annual Network and Distributed System Security Symposium (NDSS), 2005.
11. Levine J., Grizzard J., and Owen H. Using honeynets to protect large enterprise networks. IEEE Security and Privacy 2 6 (2004) 73-75 November/December
12. Jiang X., and Xu D. Collapsar: A vm-based architecture for network attack detention center. USENIX Security Symposium (2004), USENIX 15-28
13. N. Provos, A virtual honeypot framework, in: 13th USENIX Security Symposium, San Diego, CA, August 2004.
14. N. Vanderavero, X. Brouckaert, O. Bonaventure, B.L. Charlier, The honeytank: a scalable approach to collect malicious Internet traffic, in: Proc. of IISW04, December 2004.
15. M. Dornseif, T. Holz, C. Klein, Nosebreak - attacking honeynets, in: Proc. of the 5th Annual IEEE Information Assurance Workshop, 2004 [Online] .
16. O. Arkin, F. Yarochkin, Xprobe v2.0: A "fuzzy" approach to remote active operating systems fingerprinting, August 2002 .
17. F. Yarochkin, Remote OS Detection via TCP/IP Stack Fingerprinting, October 1998 .
18. G. Portokalidis, A. Slowinska, H. Bos, Argos: an emulator for fingerprinting zero-day attacks, in: Proc. ACM SIGOPS EUROSYS'2006, Leuven, Belgium, April 2006.
19. F. Bellard, Qemu, a fast and portable dynamic translator, in: USENIX 2005 Annual Technical Conference, FREENIX Track, Anaheim, CA, April 2005, pp. 41-46.
20. M. Roesch, Snort lightweight intrusion detection for networks, in: Proc. of USENIX LISA '99: 13th Systems Administration Conference, 1999.
21. W. de Bruijn, A. Slowinska, K. van Reeuwijk, T. Hruby, L. Xu, H. Bos, Safecard: a gigabit IPS on the network card, in: Proc. of 9th International Symposium on Recent Advances in Intrusion Detection (RAID'06), Hamburg, Germany, September 2006.
22. A.V. Aho, M.J. Corasick, Efficient string matching: An aid to bibliographic search, in: G. Manacher (Ed.), Communications of the ACM, vol. 18, June 1975.
23. M. Dacier, F. Pouget, H. Debar, Honeypots: Practical means to validate malicious fault assumptions, in: 10th IEEE Pacific Rim International Symposium on Dependable Computing (PRDC 2004), Papeete, Tahiti, March 2004.
24. Symantec, "CodeRedII," August 2001 http://www.symantec.com/avcenter/venc/data/codered.ii.html.
25. D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver, Inside the slammer worm, IEEE Security & Privacy, July/August 2003.
26. Symantec, "w32.blaster.worm', August 2003 .
27. CERT, CERT Advisory CA-2001-26 Nimda Worm, September 2001 .
28. SecuriTeam, Veritas backup exec agent browser registration request exploit, January 2005 .
29. K-Otik, Microsoft wins remote code execution exploit, December 2004 .
30. Symantec, January 2004, W32.mydoom.a@mm, .
31. Symantec, w32.sasser.worm, 2004 .
32. M. Ligh, Attack signatures and internet traffic analysis, 2004 .
33. M. Project, Metasploit Framework, .
34. S.E. Smaha, Haystack: An intrusion detection system, in: IEEE Fourth Aerospace Computer Security Applications Conference, Orlando, FL, USA, December 1988.
35. L. Oudot, Fighting internet worms with honeypots, October 2003 .
36. T. Liston, Welcome to my tarpit: the tactical and strategic use of LaBrea, 2001 .
37. S.S. Service, A Walk Through "Sombria": a network surveillance system, July 2003 .
38. H.-A. Kim, B. Karp, Autograph: toward automated, distributed worm signature detection, in: Proc. of the 13th USENIX Security Symposium, San Diego, CA, August 2004.
39. N. Joukov, T. cker Chiueh, Internet worms as internet-wide threat, Experimental Computer Systems Lab, Technical Report TR-143, September 2003.
40. C.C. Zou, L. Gao, W. Gong, D. Townsley, Monitoring and early warning for internet worms, in: Proc. of the 10th ACM Conference on Computer and Communication Security, 2003, pp. 190-199.
41. S. Singh, C. Estan, G. Varghese, S. Savage, The EarlyBird system for real-time detection of unknown worms, in: Operating System Design and Implementation (OSDI), San Francisco, CA, December 2004.
42. C. Clark, W. Lee, D. Schimmel, D. Contis, M. Koné, A. Thomas, A hardware platform for network intrusion detection and prevention, in: Third Workshop on Network Processors and Applications, Madrid, Spain, February 2004.
43. H. Bos, W. de Bruijn, M. Cristea, T. Nguyen, G. Portokalidis, FFPF: fairly fast packet filters, in: Proc. of OSDI'04, San Francisco, CA, December 2004.
44. N. Weaver, S. Staniford, V. Paxson, Very fast containment of scanning worms, in: 13th USENIX Security Symposium, San Diego, August 2004, pp. 29-44.
45. K.G. Anagnostakis, M.B. Greenwald, S. Ioannidis, A.D. Keromytis, D. Li, A cooperative immunization system for an untrusting Internet, in: Proc. of the 11th IEEE International Conference on Networking (ICON), September/October 2003.
46. S. Sidiroglou, A.D. Keromytis, A network worm vaccine architecture, in: 12th International Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises, June 2003.
47. T. Toth, C. Kruegel, Connection-history based anomaly detection, in: Proc. of the IEEE Workshop on Information Assurance and Security, West Point, NY, June 2002 [Online]. .
48. K. Wang, S.J. Stolfo, Anomalous payload-based network intrusion detection, in: Proc. of RAID2004, Sophia Antipolis, France, September 2004.
49. C. Kruegel, G. Vigna, Anomaly detection of web-based attacks, in: Proc. of ACM CCS, Washington, DC, October 2003, pp. 251-261.
50. S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, J. Rowe, S. Staniford, R. Yip, D. Zerkle, The design of GrIDS: A graph-based intrusion detection system, UC Davis, Technical Report, CSE-99-2, January 1999.
51. J.E. Just, J.C. Reynolds, L.A. Clough, M. Danforth, K.N. Levitt, R. Maglich, J. Rowe, Learning unknown attacks - a start, in: RAID, 2002, pp. 158-176.
52. Paxson V. Bro: A system for detecting network intruders in real-time. ComputerNetworks 31 23-24 (1999) 2435-2463
53. J.R. Crandall, F.T. Chong, Minos: Control data attack prevention orthogonal to memory model, in: Proc. of the 37th annual International Symposium on Microarchitecture, 2004, pp. 221-232.