How to Hook Worms (IEEE Spectrum)
IBM researchers have an article in a recent issue of IEEE's magazine Spectrum. Their article covers "Billy Goat", their honeypot system used to detect worms. The system is less revolutionary than they seem to present it as at times, unless I'm missing something entirely. The descriptions I've seen so far don't make it any more impressive than a commercial tool like WormScout or a free tool like Honeyd. I welcome the opportunity for a demo if one arises. (This holds true for any worm detection tools I post about on wormblog: I post what I can, especially with tools that I have some familiarity with, but I don't get access to commercial tools frequently.)

"At IBM Zurich Research Laboratory, we're working on a remedy for worms that differs from other approaches in targeting worms specifically rather than trying to prevent all breaches of computer security. Our system, called Billy Goat, does just one thing but does it extremely accurately."

Source: How to Hook Worms, by James Riordan, Andreas Wespi & Diego Zamboni.

"Protection of a computer system begins with good locks, in the form of hardware and software barriers. But just as homeowners often keep watchdogs to sniff out a burglar even after he has gotten past a locked door, so do many of today's systems monitor suspicious activities that take place inside a computer."
More technical information can be found in this research report from the IBM website. They describe the architecture, some of the detection algorithms, and the SQL methods (which are interesting) they use to perform data analysis.
"This paper describes some of the lessons, insights and constructions stemming from the creation, deployment, and operation of the Billy Goat worm detection system. The most important feature of Billy Goat is its reliability in terms of accuracy, resilience and rapidity in detection and identification of worms without false positives. It is widely deployed throughout IBM and several other corporate networks. We discuss the features and requirements of worm detection systems in general, and how they are addressed by Billy Goat. We also describe some experiences and findings from our deployments of the system."

Source: Lessons Learned from Billy Goat, an Accurate Worm-Detection System, by James Riordan, Diego Zamboni, Yann Duponchel, publication number RZ3609, published in 2005.
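To make the honeypot principle behind a system like Billy Goat concrete, here is an added example (my own illustration, not code from IBM or the paper) of the core idea described above: a detector answers for address space nobody legitimately uses, so a host that repeatedly connects there is probing blindly, which is how a scanning worm behaves and how the false-positive rate can be kept low. The decoy range, the log format and the log lines are all constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: address ranges that are unused on the LAN and that the
# honeypot answers for. No legitimate service lives here, so any host
# that repeatedly connects to them is probing blindly.
DECOY_NETS = [ip_network("10.99.0.0/16")]

# Constructed sample log, one connection per line: "time src dst dport".
SAMPLE_LOG = """\
12:00:01 192.168.1.5 10.0.0.5 80
12:00:02 192.168.1.20 10.99.3.1 445
12:00:02 192.168.1.20 10.99.3.2 445
12:00:03 192.168.1.5 10.99.1.1 22
12:00:03 192.168.1.20 10.99.7.9 445
12:00:04 192.168.1.20 10.99.8.4 139
12:00:05 192.168.1.7 10.0.0.5 80
"""

def is_decoy(addr: str) -> bool:
    """True if addr lies in one of the unused ranges the honeypot owns."""
    return any(ip_address(addr) in net for net in DECOY_NETS)

def parse_line(line: str) -> tuple[str, str, int]:
    """Return (src, dst, dport) from one constructed log line."""
    _time, src, dst, dport = line.split()
    return src, dst, int(dport)

def flag_scanners(log_text: str, min_decoys: int = 3) -> dict:
    """Flag sources that touched >= min_decoys distinct decoy addresses.
    One stray connection (typo, stale config) is ignored; a worm sweeping
    address space hits many decoys in seconds. Returns {src: {...}}."""
    targets = defaultdict(set)
    ports = defaultdict(set)
    for line in log_text.splitlines():
        src, dst, dport = parse_line(line)
        if is_decoy(dst):
            targets[src].add(dst)
            ports[src].add(dport)
    return {
        src: {"decoy_targets": len(t), "ports": sorted(ports[src])}
        for src, t in targets.items()
        if len(t) >= min_decoys
    }

if __name__ == "__main__":
    for src, info in flag_scanners(SAMPLE_LOG).items():
        print(f"{src}: {info['decoy_targets']} decoy hosts, ports {info['ports']}")
```

With the sample log, only 192.168.1.20 is flagged (four decoy hosts on ports 139 and 445); the single stray hit from 192.168.1.5 stays below the threshold.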
Finally, the research team is described in this article, More on the team, by Michael Waidner. IBM has a sizable research staff, and this is only one of their projects.
June 17, 2005 in detection, honeypots, tools | Permalink
Comments
I recently came across your blog and have been reading along. I thought I would leave my first comment. I don't know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.
Sarah
http://www.craigslistposter.info
Posted by: Sarah | Apr 7, 2009 6:45:45 AM