Sciweavers

RAID
2004
Springer

HoneyStat: Local Worm Detection Using Honeypots

14 years 5 months ago
HoneyStat: Local Worm Detection Using Honeypots
Worm detection systems have traditionally used global strategies and focused on scan rates. The noise associated with this approach requires statistical techniques and large data sets (e.g., ¢¤£¦¥ monitored machines) to avoid false positives. Worm detection techniques for smaller local networks have not been fully explored. We consider how local networks can provide early detection and compliment global monitoring strategies. We describe HoneyStat, which uses modified honeypots to generate a highly accurate alert stream with low false positive rates. Unlike traditional honeypots, HoneyStat nodes are minimal, script-driven and cover a large IP space. The HoneyStat nodes generate three classes of alerts: memory alerts (based on buffer overflow detection and process management), disk write alerts (such as writes to registry keys and critical files) and network alerts. Data collection is automated, and once an alert is issued, a time segment of previous traffic to the node is anal...
David Dagon, Xinzhou Qin, Guofei Gu, Wenke Lee, Ju
Added 02 Jul 2010
Updated 02 Jul 2010
Type Conference
Year 2004
Where RAID
Authors David Dagon, Xinzhou Qin, Guofei Gu, Wenke Lee, Julian B. Grizzard, John G. Levine, Henry L. Owen
Comments (0)