Flow-based Worm Detection using Correlated Honeypot Logs

Authors

  • Falko Dressler
  • Wolfgang Jaegers
  • Reinhard German
Abstract

Attack detection in high-speed networks is a hot research topic. While the performance of packet-oriented signature-based approaches is questionable, flow-based anomaly detection shows high false positive rates. We tried to combine both techniques. In this paper, we study the applicability of flow-based attack detection. We installed a lab environment consisting of a monitoring infrastructure and a well-controlled honeypot. Using correlated honeypot logs and flow signatures, we created a first set of attack patterns. The evaluation of the approach was done within our university network. On the positive side, we were able to prove the successful detection of worm attacks. Problems can occur if incomplete monitoring data is used.
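The following is an added example, not code from the paper, of the correlation step the abstract describes: an attack logged by the honeypot is matched to the flow record the attacker sent to the honeypot, that flow becomes a signature, and the signature is then searched for in the rest of the network's flow export, with a fan-out threshold so that one exploit against one host is not reported as a worm. The flow record format, the honeypot log format, the honeypot address `HONEYPOT_IP` and all records are constructed assumptions. The last two calls illustrate the abstract's caveat about incomplete monitoring data: with packet-sampled flows the exact signature no longer matches, and a port-only fallback has to lean on the fan-out alone.

```python
"""Flow-based worm detection using honeypot-correlated flow signatures.

Added example, not code from the paper. It assumes NetFlow-style unidirectional
records ("src dst proto dport packets bytes") from the network monitor and a
honeypot log of "timestamp src proto dport event". All sample data below is
constructed; the honeypot address HONEYPOT_IP is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass

HONEYPOT_IP = "10.0.0.200"  # assumed address of the lab honeypot

# Constructed flow export: src dst proto dport packets bytes
FLOW_RECORDS = """\
192.168.1.7 10.0.0.200 tcp 445 12 1580
192.168.1.7 10.0.0.12  tcp 445 12 1590
192.168.1.7 10.0.0.13  tcp 445 12 1585
192.168.1.7 10.0.0.14  tcp 445 12 1580
192.168.1.7 10.0.0.15  tcp 445 12 1583
192.168.1.9 10.0.0.31  tcp 80  40 22000
192.168.1.9 10.0.0.32  tcp 445 12 1580
10.0.0.5    10.0.0.200 tcp 22  3  200
"""

# Constructed honeypot log: timestamp src proto dport event...
HONEYPOT_LOG = """\
2006-03-01T10:00:01 192.168.1.7 tcp 445 exploit payload delivered to SMB emulation
2006-03-01T10:00:09 10.0.0.5 tcp 22 login failed for user root
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    packets: int
    bytes: int


def parse_flows(text):
    """Parse whitespace-separated flow records into Flow objects."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, dport, pkts, byts = line.split()
        flows.append(Flow(src, dst, proto, int(dport), int(pkts), int(byts)))
    return flows


def parse_honeypot_log(text):
    """Return the set of (src, proto, dport) for which the honeypot logged an
    exploit; failed logins and plain probes are not turned into signatures."""
    hits = set()
    for line in text.strip().splitlines():
        _ts, src, proto, dport, event = line.split(maxsplit=4)
        if event.startswith("exploit"):
            hits.add((src, proto, int(dport)))
    return hits


def flow_signature(flow):
    """Flow-level fingerprint: protocol, destination port, packet count and the
    byte count in 64-byte bins, so small payload variations still match."""
    return (flow.proto, flow.dport, flow.packets, flow.bytes // 64)


def derive_signatures(flows, honeypot_hits):
    """Correlate: the flow an attacker sent to the honeypot during a logged
    exploit becomes the signature used to find the same attack elsewhere."""
    return {flow_signature(f) for f in flows
            if f.dst == HONEYPOT_IP and (f.src, f.proto, f.dport) in honeypot_hits}


def detect_infected(flows, signatures, min_fanout=3, sampled=False):
    """Return {src: [dst, ...]} for sources whose flows match a signature towards
    at least min_fanout distinct hosts (a worm spreads, a single exploit does not).
    With sampled flow data the packet and byte counts are unreliable, so the
    match falls back to protocol and port only and relies more on the fan-out."""
    key = (lambda sig: sig[:2]) if sampled else (lambda sig: sig)
    wanted = {key(sig) for sig in signatures}
    fanout = defaultdict(set)
    for f in flows:
        if key(flow_signature(f)) in wanted:
            fanout[f.src].add(f.dst)
    return {src: sorted(dsts) for src, dsts in fanout.items() if len(dsts) >= min_fanout}


def sample_flows(flows, rate):
    """Model a 1-in-rate packet-sampling exporter: counts shrink, short flows vanish."""
    return [Flow(f.src, f.dst, f.proto, f.dport, f.packets // rate, f.bytes // rate)
            for f in flows if f.packets // rate > 0]


if __name__ == "__main__":
    flows = parse_flows(FLOW_RECORDS)
    sigs = derive_signatures(flows, parse_honeypot_log(HONEYPOT_LOG))
    print("signatures:", sigs)
    print("full data:", detect_infected(flows, sigs))
    print("sampled, exact match:", detect_infected(sample_flows(flows, 4), sigs))
    print("sampled, port-only match:", detect_infected(sample_flows(flows, 4), sigs, sampled=True))
```

On the constructed data the only signature is the SMB flow 192.168.1.7 sent to the honeypot; the same fingerprint appears towards four more internal hosts, so 192.168.1.7 is reported, while 192.168.1.9 (one matching flow) and 10.0.0.5 (a failed SSH login, never an exploit) are not. After 1-in-4 packet sampling the packet and byte counts no longer match the signature and the exact match returns nothing; the port-only fallback still finds the spreading host but would equally flag any host with wide fan-out on that port, which is the false-positive cost of incomplete data.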


Related works

Boundary Detection and Containment of Local Worm Infections

We propose a system for detecting scanning-worm infected machines in a local network. Infected machines are detected after a few unsuccessful connection attempts, and in cooperation with the border router, their traffic is redirected to a honeypot for worm identification and capture. We discuss the architecture of the system and present a sample implementation based on a Linux router. We discuss...

HoneyAnalyzer – Analysis and Extraction of Intrusion Detection Patterns & Signatures Using Honeypot

A honeypot is a security resource which is intended to be attacked and compromised in order to gain more information about the attacker and his attack techniques. A honeypot can also indicate how to perform forensics. The information gathered by watching a honeypot being probed is invaluable. It gives information about attacks and attack patterns. Currently, the creation of intrusion detection si...

Securing WMN Using Hybrid Honeypot System

Wireless Mesh Network (WMN) has been a field of active research in recent years. Much research has focused on routing mechanisms, but very little effort has been made towards attack detection or intrusion detection. In this paper, we propose an attack detection approach for wireless mesh networks using the honeypot technique. A honeypot is a security resource whose value lies in being probe...

Securing WMN Using Honeypot Technique

WMN has been a field of active research in recent years. Much research has focused on routing mechanisms, but very little effort has been made towards attack detection or intrusion detection. In this paper, we propose an attack detection approach for wireless mesh networks using the honeypot technique. A honeypot is a security resource whose value lies in being probed, attacked or compromis...

Is Host-Based Anomaly Detection + Temporal Correlation = Worm Causality?

Epidemic-spreading attacks (e.g., worm and botnet propagation) have a natural notion of attack causality: a single network flow causes a victim host to get infected and subsequently spread the attack. This paper is motivated by a simple question regarding the diagnosis of such attacks: is it possible to establish attack causality through network-level monitoring, without relying on signatures...


Publication date: 2006