A Hybrid Honeypot Architecture for Scalable Network Monitoring
One of those classics. Recall that Bailey, Cooke and Watson are behind the IMS (Internet Motion Sensor) project, and Provos is the main author of Honeyd. From the abstract:

To provide scalable, early warning and analysis of new Internet threats like worms or automated attacks, we propose a globally distributed, hybrid monitoring architecture that can capture and analyze new vulnerabilities and exploits as they occur. To achieve this, our architecture increases the exposure of high-interaction honeypots to these threats by employing low-interaction honeypots as frontend content filters. Host-based techniques capture relevant details such as packet payload of attacks while network monitoring provides wide coverage for quick detection and assessment. To reduce the load of the backends, we filter prevalent content at the network frontends and use a novel handoff mechanism to enable interactions between network and host components. We use measurements from live networks over five months to demonstrate the effectiveness of content prevalence as a filtering mechanism. Combining these observations with laboratory measurements, we demonstrate that our hybrid architecture is effective in preserving the detail of a specific threat while still achieving performance and scalability. We illustrate the benefits of this framework by showing how it enables earlier, higher-confidence detection, more detailed forensics, and robust signatures for mitigation of threats.

Source: A Hybrid Honeypot Architecture for Scalable Network Monitoring, Michael Bailey, Evan Cooke, David Watson, Farnam Jahanian, and Niels Provos.
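The core idea in the abstract is that a low-interaction frontend only needs to answer enough of a connection to see the attacker's first payload, decide whether that payload is already prevalent, and hand off only the novel ones to a scarce high-interaction backend. To make that concrete, here is a small simulation written for this page; it is not code from the paper, from Honeyd or from IMS. The sliding window, the prevalence threshold, the SHA-256 digest as the content key, the in-memory "backend" and the sample traffic are all assumptions made for illustration.

```python
"""Constructed demonstration of content-prevalence filtering with handoff,
in the spirit of the hybrid honeypot architecture described above.
Example code written for this page, not the paper's own implementation.
Threshold, window size, digest choice and sample traffic are assumptions."""

import hashlib
from collections import Counter, deque


class PrevalenceFilter:
    """Frontend (low-interaction) side.

    Keeps a sliding window of the last `window` payload digests and a count
    per digest.  A payload whose digest has already been seen `threshold`
    or more times inside the window is treated as prevalent and answered
    locally; anything rarer is handed off to the backend.
    """

    def __init__(self, threshold=3, window=1000):
        self.threshold = threshold
        self.window = window
        self.counts = Counter()   # digest -> occurrences inside the window
        self.recent = deque()     # digests in arrival order, for eviction

    @staticmethod
    def digest(payload: bytes) -> str:
        # Content key: exact-match on the payload bytes (assumption).
        return hashlib.sha256(payload).hexdigest()

    def observe(self, payload: bytes) -> bool:
        """Record one payload; return True if it should be handed off."""
        h = self.digest(payload)
        prevalent = self.counts[h] >= self.threshold
        self.counts[h] += 1
        self.recent.append(h)
        # Evict the oldest observation once the window is full, so a payload
        # that stops appearing eventually becomes "novel" again.
        if len(self.recent) > self.window:
            old = self.recent.popleft()
            self.counts[old] -= 1
            if self.counts[old] == 0:
                del self.counts[old]
        return not prevalent


class Backend:
    """Stand-in for a high-interaction honeypot: keeps the full payload of
    every handed-off connection so it is available for later forensics."""

    def __init__(self):
        self.captured = []

    def accept(self, src: str, payload: bytes) -> None:
        self.captured.append((src, payload))


def run(connections, threshold=3, window=1000):
    """Drive a stream of (source, payload) pairs through frontend + backend.

    Returns (captured, dropped): what reached the backend and how many
    connections the frontend absorbed as already-prevalent content."""
    frontend = PrevalenceFilter(threshold, window)
    backend = Backend()
    dropped = 0
    for src, payload in connections:
        if frontend.observe(payload):
            backend.accept(src, payload)
        else:
            dropped += 1
    return backend.captured, dropped


# Constructed sample traffic: six copies of one probe (a worm-like repeat)
# followed by a single never-seen payload.  Addresses are documentation
# ranges, payloads are placeholders.
SAMPLE = [(f"10.0.0.{i}", b"PROBE-A: repeated scanner payload") for i in range(1, 7)]
SAMPLE.append(("192.0.2.7", b"\x00\x01 novel payload, never seen before"))


if __name__ == "__main__":
    captured, dropped = run(SAMPLE)
    print(f"handed off: {len(captured)}, absorbed at frontend: {dropped}")
    for src, payload in captured:
        print(f"  {src}: {payload!r}")
```

With the default threshold of 3, the first three copies of the repeated probe reach the backend (the frontend cannot yet know they are prevalent), the remaining three are absorbed, and the novel payload is handed off. The window eviction matters in practice: without it, a payload that was prevalent once would be filtered forever, and a later variant differing only after the first packet would still be judged on the same key, which is why the paper's frontends only decide on the initial content and leave the rest of the session to the backend.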
July 14, 2005 in detection, honeypots, papers
Comments
I have at least two viruses on my laptop. One is indicated by a beetle type bug on the monitor with legs that move, as if it is crawling. The other is indicated by an orange flower on a stem that opens and closes. Do you know which viruses these represent? So far, I've been unable to remove them with Symantec, Ad Aware, or Spybot.
Posted by: Dick Rodvold | Jul 14, 2005 11:55:55 AM
I totally agree with what you're saying. I wish more people felt this way and took the time to express themselves. Keep up the great work.
Tom Goodman
http://www.networkmonitoringdirection.com
Posted by: Tom Goodman | Jan 14, 2006 11:44:04 PM
I hope everyone has enjoyed the blog as much as I have enjoyed writing it.
George Hamlet
http://www.networkmonitoringdirection.com
Posted by: George Hamlet | May 5, 2006 8:15:58 AM
Thank you for sharing a pdf about scalable network monitoring. It's rather old but still useful.
Posted by: Artem | Jun 23, 2009 5:43:30 AM