The HoneyTank: A scalable approach to collect malicious internet traffic

International Journal of Critical Infrastructures

Volumn 4, Issue 1-2, 2008, Pages 185-205

  Vanderavero, Nicolas ^a   Brouckaert, Xavier ^a   Bonaventure, Olivier ^a   Le Charlier, Baudouin ^a  

^a UNIVERSITÉ CATHOLIQUE DE LOUVAIN   (Belgium)

Author keywords

Honeypots; Intrusion detection systems; Worms

Indexed keywords

COMPUTATIONAL METHODS; COMPUTER WORMS; INTERNET PROTOCOLS; INTRUSION DETECTION;

INTRUSION DETECTION SYSTEMS; STATELESS EMULATION;

TELECOMMUNICATION TRAFFIC;

EID: 37848999037     PISSN: 14753219     EISSN: None     Source Type: Journal    
DOI: 10.1504/IJCIS.2008.016100     Document Type: Article

References (43)

1. Berk, V., Bakos, G. and Morris, R. (2003) 'Designing a framework for active worm detection on global networks', Proceedings of the First IEEE International Workshop on Information Assurance (IWIA'03), IEEE Computer Society, Fraunhofer-IGD, Darmstadt, Germany, March 24th, p. 13.
2. Cisco (1999) NetFlow Services and Applications, White Paper, Available from http://www.cisco.com/warp/public/732/netflow.
3. Datier, M., Pouget, F. and Debar, H. (2004a) 'Honeypots: practical means to validate malicious fault assumptions', Proceedings of the 10th IEEE Pacific Rim International Symposium on Dependable Computing (PRDC'04), IEEE Computer Society, March 3-5 Tahiti, French Polynesia, pp.383-388.
4. Dacier, M., Pouget, F. and Debar, H. (2004b) 'Attack processes found on the internet', NATO Symposium IST-041/RSY-013, Toulouse, April, http://www.eurecom.fr/people/dacier.fr.htm.
5. Fielding, R., Irvine, U.C., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P. and Berners-Lee, T. (1982) RFC 2616: Hypertext Transfer Protocol - HTTP/1.1, http://www.ietf.org/rfc/rfc2616.txt, August.
6. Freier, A., Karlton, P. and Kocher, P. (1996) TheSSL Protocol- Version 3.0, Internet Draft, Draft-Freier-ssl-Version3-02.txt, Work in Progress, November.
7. Gauthier, E. (2004) 'Life on a university network: an architecture for automatically detecting, isolating and cleaning infected hosts', NANOG30, http://www.nanog.org/mtg-0402/gauthier.html, February.
8. Habra, N., Le Charlier, B., Mounji, A. and Mathieu, I. (1992) 'ASAX: software architecture and rule-based language for Universal audit trail analysis', Proceedings of the third European Symposium on Research in Security (ESORICS'92), Lecture Notes in Computer Science, Springer-Verlag, November, Toulouse, pp.435-450.
9. Huston, G. (2004) BGP Table Report, http://bgp.potaroo.net.
10. IPMON (2004) Packet Trace Analysis, http://ipmon.sprint.com/ packstat/packetoverview.php.
11. Jacobson, V., Braden, R. and Borman, D. (1992) 'TCP extensions for high performance', Request for Comments 1323, Internet Engineering Task Force, May.
12. Kienzle, D.M. and Elder, M.C. (2003) 'Recent worms: a survey and trends', Proceedings of the 2003 ACM Workshop on Rapid Malcode, Washington DC, USA, Vol. 40, pp. 1-10.
13. Kohler, E., Morris, R., Chen, B., Jannotti, J. and Kaashoek, F. (2000) 'The click modular router', ACM Transactions on Computer Systems,Vol. 18, No. 3, August, pp.263-297.
14. Kreibich, C. and Crowcroft, J. (2003) 'Honeycomb - creating intrusion detection signatures using honeypots', 2nd Workshop on Hot Topics in Networks (HotNets-II), November 20-21, Cambridge, MA USA, pp.51-56.
15. Moore, D. (CAIDA) (2002) Network Telescopes: Observing Small Or Distant Security Events, http://www.caida.org/outreach/presentations/2002/ usenix_sec/, August.
16. Moore, D., Voelker, G.M. and Savage, S. (2001) 'Inferring internet denial-of-service activity', Proceedings of the 2001 USENIX Security Symposium, Washington DC, pp.9-22.
17. Mounji, A. (1997) Languages and Tools for Rule-based Distributed Intrusion Detection, PhD Thesis, Institute of Computer Science, September, University of Namur, Belgium.
18. Mounji, A., Le Charlier, B., Habra, N. and Zampuniéris, D. (1995) 'Distributed audit trail analysis', Proceedings of the Internet Society Symposium on Network and Distributed System Security (ISOC95), IEEE, February, San Diego, California, pp.102-112.
19. Perkins, C. (2002) RFC 3344: IP Mobility Support for IPv4, http://www.ietf.org/rfc/rfc3344.txt, August.
20. Postel, J. (1981) 'Transmission control protocol', Request for Comments 793, Internet Engineering Task Force, September.
21. Postel, J. (1982) 'Simple mail transfer protocol', Request for Comments 821, Internet Engineering Task Force, August.
22. Provos, N. (2004) 'A virtual honeypot framework', 13th USENIX Security Symposium, San Diego, CA, August, http://www.citi.umich.edu/u/provos/ honeyd/.
23. Srinivasan, R. (1995a) 'RPC: remote procedure call protocol specification version 2', Request for Comments 1831, Internet Engineering Task Force, August.
24. Srinivasan, R. (1995b) 'Binding protocols for ONC RPC version 2', Request for Comments 1833, Internet Engineering Task Force, August.
25. The Honeynet Project (2002) Know Your Enemy: Revealing the Security Tools, Tactics and Motives of the Blackhat Community, http://www.honeynet. org/.
26. The Team Cymru (2004) The Team Cymru Darbtet Project, June, http://www.cymru.com/Darknet/index.html.
27. Vanderavero, N. and Le Charlier, B. (2006) 'Towards a more stateful and accurate HoneyTank', Proceedings of the 5th Conference on Security and Network Architectures (SAR 2006), June, Seignosse, France, pp. 13-27.
28. Weaver, N., Paxson, V., Staniford, S. and Cunningham, R. (2003) 'A taxonomy of computer worms', Proceedings of the 2003 ACM Workshop on Rapid Malcode, Washington DC, USA, Vol. 40, pp.11-18.
29. Yegneswaran, V., Barford, P. and Ullrich, J. (2003) 'Internet intrusions: global characteristics and prevalence', Proceedings of the 2003 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems, San Diego, California, ACM Press, pp.138-147.
30. Yegneswaran, V., Barford, P. and Plonka, D. (2004) 'On the design and use of internet sinks for network abuse monitoring', RAID 2004 Symposium, Sophia Antipolis, France, September.
31. Ylonen, T. and Lonvick, C. (2006) The Secure Shell (SSH) Transport Layer Protocol, RFC 4253, January.
32. APWG, Anti Phishing Working Group, http://www.antiphishing.org/.
33. Bleeding Snort Ruleset, http://www.bleedingsnort.com.
34. CERT, CERT Advisory CA-2001-19 'Code Red' Worm Exploiting Buffer Overflow in IIS Indexing Service DLL, http://www.cert.org/advisories/CA- 2001-19.html.
35. CERT, CERT Advisory CA-2001-26Nimda Worm, http://www.cert.org/ advisories/ca-2001-26.html.
36. CERT, Code Red II: Another Worm Exploiting Buffer Overflow in IIS Indexing Service DLLAdvisory CA-2001-26 Nimda Worm, http://www.cert.org/ incident_notes/in-2001-09.html.
37. DShield-team, Distributed Intrusion Detection System, http://www.dshield.org/.
38. Fyodor, Remote OS Detection via TCP/IP Stack Fingerprinting, http://www.insecure.org/nmap/osdetect/.
39. Tcpdump-team, TCPdump, http://www.tcpdump.org/.
40. www.secdev.org/projects/scapy/.
41. www.snort.org/.
42. www.splintered.net/sw/flow-tools/docs/fiow-dscan.html.
43. www.packetfactory.net/libnet/.