With new worms appearing at a fast pace of late, conventional classification and defense techniques are not adequate to cover the wide spectrum of recent worm attacks such as Stuxnet (2010), Morto (June 2011), and Duqu (October 2011). Honeypots have been found to be effective against zero-day threats, and the recent trend in defending against worms leverages honeypots alone, or honeypots combined with either signature-based or anomaly-based detection. Although such honeypot-based techniques are effective, they become resource intensive when multiple honeypot sensors are used. Moreover, these techniques suffer from one or more of the following limitations: high false positives, high false negatives, and reduced sensitivity and specificity. In this paper we present a classification of worms that is more exhaustive than earlier classifications. It covers recent worm attacks and gives a better and quicker understanding of recent worm behavior, aiding the design of accurate defense mechanisms. Further, a novel hybrid scheme is proposed that integrates anomaly-based and signature-based detection with honeypots. At the first level we use signature-based detection for known worm attacks, which lets the system operate in real time. Any deviation from normal behavior is detected by the anomaly detector at the second level. The last level consists of honeypots, which help in detecting zero-day attacks. We leverage the advantages of a honeyfarm by deploying the honeypots and both detectors in a resource-efficient manner. A controller redirects traffic to the respective honeypots; to protect the controller itself, the controller role is rotated among the honeypots periodically. We validate the proposed scheme by deploying a realistic setup in a local environment, using Metasploit to generate attack traffic.
Compared against various existing honeypot-based defense mechanisms, the proposed scheme shows an increase of 32.78% in detection rate and a reduction of 33.3% in false alarm rate. Our model combines the detection schemes (signature-based and anomaly-based) with a containment scheme, taking the advantages of both and hence providing an effective defense against Internet worms.
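The three-level flow the abstract describes (signature match first, anomaly check second, redirection to a honeypot third, with the controller role rotating among the honeypots) can be sketched as a small pipeline. The following is an added illustration written for this page, not the paper's implementation: the `Flow` record, the signature byte patterns, the fan-out baseline used as the anomaly model, the honeypot names and the rule that rotates the controller after a fixed number of redirects (standing in for the paper's periodic rotation) are all assumptions made here, and every input is constructed.

```python
"""Added illustration of a signature -> anomaly -> honeyfarm pipeline.
Example code for this page, not the paper's implementation; all signatures,
baseline numbers, flows and honeypot names below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes


# Level 1: known-worm signatures (hypothetical byte patterns, not real worm bytes).
SIGNATURES = {
    "WORM-A": b"\x90\x90JUMP-A",
    "WORM-B": b"GET /cgi-bin/worm-b",
}


def signature_match(flow):
    """Return the signature name if the payload contains a known pattern, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in flow.payload:
            return name
    return None


class AnomalyDetector:
    """Level 2: flag a source whose fan-out (distinct host:port targets in the
    observed window) exceeds mean + k * stddev learned from normal windows."""

    def __init__(self, k=3.0):
        self.k = k
        self.threshold = float("inf")

    def train(self, normal_fanouts):
        self.threshold = mean(normal_fanouts) + self.k * pstdev(normal_fanouts)

    def is_anomalous(self, fanout):
        return fanout > self.threshold


class HoneyfarmController:
    """Level 3: choose a honeypot for redirected traffic. One honeypot acts as
    controller and receives no redirected traffic while in that role; the role
    rotates after every `rotate_every` redirects (assumption: a counter stands
    in for the timer the paper's periodic rotation would use)."""

    def __init__(self, honeypots, rotate_every=3):
        self.honeypots = list(honeypots)
        self.rotate_every = rotate_every
        self.controller_idx = 0
        self.redirects = 0

    @property
    def controller(self):
        return self.honeypots[self.controller_idx]

    def redirect(self, flow):
        sensors = [h for i, h in enumerate(self.honeypots) if i != self.controller_idx]
        target = sensors[self.redirects % len(sensors)]
        self.redirects += 1
        if self.redirects % self.rotate_every == 0:
            self.controller_idx = (self.controller_idx + 1) % len(self.honeypots)
        return target


def classify(flows, detector, controller):
    """Run each flow through the three levels; return (flow, verdict, detail) tuples."""
    fanout = defaultdict(set)
    for f in flows:
        fanout[f.src].add((f.dst, f.dport))
    results = []
    for f in flows:
        sig = signature_match(f)
        if sig is not None:
            results.append((f, "signature", sig))                  # known worm, handled in real time
        elif detector.is_anomalous(len(fanout[f.src])):
            results.append((f, "honeypot", controller.redirect(f)))  # unknown but deviant: divert
        else:
            results.append((f, "benign", None))
    return results


def run_demo():
    """Constructed traffic: one signed worm hit, one 6-host scanner, one normal client."""
    detector = AnomalyDetector(k=3.0)
    detector.train([2, 3, 2, 4, 3, 2, 3, 2])   # constructed baseline; threshold is about 4.7
    controller = HoneyfarmController(["hp-1", "hp-2", "hp-3"], rotate_every=3)
    flows = [Flow("10.0.0.5", "10.0.0.20", 445, b"\x00\x00\x90\x90JUMP-A\x00")]
    flows += [Flow("10.0.0.7", f"10.0.0.{h}", 445, b"\x00probe") for h in range(40, 46)]
    flows.append(Flow("10.0.0.9", "10.0.0.30", 80, b"GET / HTTP/1.1\r\n"))
    return classify(flows, detector, controller), controller


if __name__ == "__main__":
    for flow, verdict, detail in run_demo()[0]:
        print(f"{flow.src:>9} -> {flow.dst}:{flow.dport}  {verdict:<9} {detail or ''}")
```

Running the demo yields one signature hit, six scanner flows diverted across the two non-controller honeypots, and one benign flow; after six redirects the controller role has moved twice, so no single honeypot stays exposed as controller. The fan-out model is deliberately simple; in practice the baseline would be learned per time window, and the redirect would be an actual network action rather than a returned name.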