
The HoneyTank: a scalable approach to collect malicious Internet traffic

A slight departure from the usual worm-centric papers in favor of one that focuses on anomaly and intrusion detection technology, which is readily applied to worm detection.

During the last few years, the amount of malicious traffic on the Internet has increased due to the spreading of worms, various port scanning activities, intrusion attempts or spammers. Collecting and analyzing this malicious traffic is an important issue. It can teach us what the latest trends in computer misuse are, it can help us discover new kinds of attacks, or it can be used to automatically generate signatures for network-based intrusion detection systems. In this paper, we propose an efficient method for collecting large amounts of malicious traffic running over TCP. The key advantage of our method is that it does not need to maintain any state to emulate TCP services running on a large number of emulated end-systems. We implemented a prototype on the ASAX IDS and provide in this paper several examples of the malicious activities which were collected on a campus network attached to the Internet. We explain how we implemented various protocols in a stateless way and we discuss limitations of our approach. We also discuss how our method can be improved to make an accurate but still stateless emulation of stateful protocols.

Source: The HoneyTank: a scalable approach to collect malicious Internet traffic, Nicolas Vanderavero, Xavier Brouckaert, Olivier Bonaventure, and Baudouin Le Charlier. This paper appeared at IISW04 in December, 2004.

Looking over this paper shows that they have extended the normal IDS techniques to be far more flexible, and apparently met with some success. In doing so, one can detect novel worm outbreaks if the services that are abused are sufficiently well instrumented and analyzed. It does, however, provide a means to measure Internet "waste" traffic and to quantify worm outbreaks.
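To make the stateless idea from the abstract concrete, here is an added illustration (my own code, not the authors' ASAX implementation): every reply is computed from the inbound segment alone, with the initial sequence number derived from a keyed hash of the 4-tuple so it can be recomputed later, and the emulated SMTP/HTTP responders are assumed stand-ins for whatever services a real deployment would emulate.

```python
import hashlib
import hmac

# Constructed secret for deriving a deterministic initial sequence number from
# the connection 4-tuple (an assumption of this example, not the paper's method).
SECRET = b"constructed-demo-key"

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Assumed stateless services: port -> function(request bytes) -> reply bytes.
# Each responder answers from the request alone, keeping no session state.
SERVICES = {
    25: lambda req: b"250 OK\r\n" if req.upper().startswith(b"HELO") else b"220 mail ready\r\n",
    80: lambda req: b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n",
}


def initial_seq(src, sport, dst, dport):
    """ISN derived from the 4-tuple, so it can be recomputed without a table."""
    msg = f"{src}:{sport}->{dst}:{dport}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def stateless_reply(seg):
    """Build the reply to one inbound segment using only that segment.

    seg: dict with src, sport, dst, dport, flags, seq, ack, payload.
    Returns None when no reply is warranted, else a dict of reply fields.
    """
    flags, payload = seg["flags"], seg["payload"]
    if flags & RST:
        return None
    base = {"src": seg["dst"], "sport": seg["dport"], "dst": seg["src"], "dport": seg["sport"]}
    if flags & SYN and not flags & ACK:
        # Handshake: ack the SYN and pick an ISN the peer will echo back (ISN+1).
        isn = initial_seq(seg["src"], seg["sport"], seg["dst"], seg["dport"])
        return {**base, "flags": SYN | ACK, "seq": isn,
                "ack": (seg["seq"] + 1) & 0xFFFFFFFF, "payload": b""}
    if flags & FIN:
        # Close: the peer's ack field tells us our next sequence number.
        return {**base, "flags": FIN | ACK, "seq": seg["ack"],
                "ack": (seg["seq"] + len(payload) + 1) & 0xFFFFFFFF, "payload": b""}
    service = SERVICES.get(seg["dport"])
    if not payload or service is None:
        return None  # bare ACK (e.g. third handshake packet) or unemulated port
    return {**base, "flags": PSH | ACK, "seq": seg["ack"],
            "ack": (seg["seq"] + len(payload)) & 0xFFFFFFFF, "payload": service(payload)}
```

Because nothing is stored per connection, the same function serves any number of emulated end-systems, which is the scalability property the paper is after; the price is that multi-step protocol behaviour has to be inferred from each request on its own.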

January 24, 2005 in sasser
