Tartarus: A honeypot based malware tracking and mitigation framework

On a daily basis many of the hosts connected to the Internet experience continuous probing and attack from malicious entities. Detection and defence from these malicious entities has primarily been the concern of Intrusion Detection Systems, Intrusion Prevention Systems and Anti-Virus software. These systems rely heavily on known signatures to detect nefarious traffic. Due to the reliance on known malicious signatures, these systems have been at a serious disadvantage when it comes to detecting new, never before seen malware. This paper will introduce Tartarus which is a malware tracking and mitigation framework that makes use of honeypot technology in order to detect malicious traffic. Tartarus implements a dynamic quarantine technique to mitigate the spread of self propagating malware on a production network. In order to better understand the spread and impact of internet worms Tartarus is used to construct a detailed demographic of potentially malicious hosts on the internet. This host demographic is in turn used as a blacklist for firewall rule creation. The sources of malicious traffic is then illustrated through the use of a geolocation based visualisation.