DOI: 10.1145/2381716.2381867
research-article

Defending against internet worms using honeyfarm

Published: 03 September 2012

ABSTRACT

With new worms appearing at a fast pace of late, conventional classification and defense techniques are not adequate to cover the wide spectrum of recent worm attacks such as Stuxnet (2010), Morto (June 2011) and Duqu (October 2011). Honeypots have been found to be effective against zero-day threats, and the recent trend in defending against worms leverages the advantages of honeypots alone, or of honeypots combined with either signature-based or anomaly-based detection. Although such honeypot-based techniques are effective, they become resource-intensive when multiple honeypot sensors are used. Moreover, the techniques suffer from one or more of the following limitations: high false positives, false negatives, and reduced sensitivity and specificity.

In this paper we discuss a classification of worms that is more exhaustive than earlier classifications. It includes recent worm attacks and gives a better and quicker understanding of recent worm behavior, aiding the design of accurate defense mechanisms. Further, a novel hybrid scheme is proposed that integrates anomaly and signature detection with honeypots. At the first level we use signature-based detection for known worm attacks, which lets the system operate in real time. Any deviation from normal behavior is detected by the anomaly detector at the second level. The last level is the honeypots, which help in detecting zero-day attacks. We leverage the advantage of a honeyfarm by deploying the honeypots and both detectors in a resource-efficient manner. A controller redirects traffic to the respective honeypots. To ensure the security of the controller, the controller role is alternated among the honeypots periodically. We validate the proposed scheme by deploying a realistic setup in a local environment. Metasploit has been used to generate attack traffic. We compare our proposed scheme against various existing honeypot-based defense mechanisms and observe an increase of 32.78% in the detection rate as well as a reduction of 33.3% in the false alarm rate.

Our proposed model combines detection schemes (signature-based and anomaly-based) with a containment scheme, taking the advantages of both and hence developing an effective defense against Internet worms.
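The three-tier pipeline the abstract describes, as an added sketch in Python (not the authors' implementation, which this page does not show): known-worm signatures are checked first, a scanning fan-out anomaly detector second, and traffic to unused addresses is handed last by a controller, whose role rotates among the honeypots, to one of the other honeypots. The signatures, addresses, honeypot names, thresholds and traffic are constructed for the example; `score` computes the detection rate and false alarm rate on that traffic, and the numbers it produces have no relation to the 32.78% and 33.3% reported in the paper.

```python
"""Hybrid worm defense sketch: signatures, then anomaly detection, then a honeyfarm."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes
    truth: str  # ground truth used only for scoring: "benign", "known" or "zeroday"

# Tier 1: signature detection for known worms (constructed byte patterns, not real signatures).
SIGNATURES = {"nop-sled-probe": b"\x90\x90\x90\x90\xcc", "smb-pipe-probe": b"\\PIPE\\browser"}

def signature_match(flow):
    """Name of the first known-worm signature found in the payload, else None."""
    return next((name for name, pat in SIGNATURES.items() if pat in flow.payload), None)

class FanOutDetector:
    """Tier 2: flag a source once it has touched more than `threshold` distinct (dst, port)
    pairs, the scanning fan-out that separates a propagating worm from a normal client."""
    def __init__(self, threshold=2):
        self.threshold = threshold
        self.targets = defaultdict(set)

    def observe(self, flow):
        self.targets[flow.src].add((flow.dst, flow.dport))
        return len(self.targets[flow.src]) > self.threshold

class Honeyfarm:
    """Tier 3: traffic to unused ("dark") addresses is handed by a controller to a honeypot; the
    controller role rotates every `rotate_every` redirections and never absorbs attack traffic."""
    def __init__(self, honeypots, dark_space, rotate_every=2):
        self.honeypots = list(honeypots)
        self.dark_space = set(dark_space)
        self.rotate_every = rotate_every
        self.handled = 0
        self.controller_idx = 0

    @property
    def controller(self):
        return self.honeypots[self.controller_idx]

    def redirect(self, flow):
        """Honeypot that absorbs `flow`, or None when the destination is a live host."""
        if flow.dst not in self.dark_space:
            return None
        workers = [h for h in self.honeypots if h != self.controller]
        target = workers[flow.dport % len(workers)]
        self.handled += 1
        if self.handled % self.rotate_every == 0:  # periodic hand-over of the controller role
            self.controller_idx = (self.controller_idx + 1) % len(self.honeypots)
        return target

def classify(flows, use_signature=True, use_anomaly=True):
    """Run each flow through the enabled tiers in order; returns a (verdict, detail) per flow."""
    anomaly = FanOutDetector(threshold=2)
    farm = Honeyfarm(["hp-a", "hp-b", "hp-c"], {"10.0.0.200", "10.0.0.201", "10.0.0.202"})
    verdicts = []
    for f in flows:
        sig = signature_match(f) if use_signature else None
        if sig:
            verdicts.append(("signature", sig))
        elif use_anomaly and anomaly.observe(f):
            verdicts.append(("anomaly", "fan-out>%d" % anomaly.threshold))
        else:
            hp = farm.redirect(f)
            # A payload delivered to a honeypot is an alert even with no signature for it;
            # a bare connection attempt into dark space (e.g. a misconfigured client) is not.
            verdicts.append(("honeypot", hp) if hp is not None and f.payload else ("clean", None))
    return verdicts

def score(flows, verdicts):
    """Detection rate = flagged malicious / all malicious; false alarm rate = flagged benign / all benign."""
    flagged = [v != "clean" for v, _ in verdicts]
    benign = [f.truth == "benign" for f in flows]
    fp = sum(fl for fl, b in zip(flagged, benign) if b)
    tp = sum(fl for fl, b in zip(flagged, benign) if not b)
    return {"detection_rate": tp / (len(benign) - sum(benign)), "false_alarm_rate": fp / sum(benign)}

SMB_PROBE = b"\x00\x00\x00\x2f\xffSMB\x72\x00"  # constructed zero-day probe: no signature exists for it
SAMPLE_FLOWS = [  # constructed traffic, not a capture
    Flow("10.0.0.5", "10.0.0.10", 80, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n", "benign"),
    Flow("10.0.0.5", "10.0.0.10", 443, b"\x16\x03\x01\x00\xa5\x01", "benign"),
    Flow("10.0.0.9", "10.0.0.201", 80, b"", "benign"),  # stray SYN into dark space, no payload
    Flow("10.0.0.66", "10.0.0.11", 445, b"\x00\x00\x00\x5c\xffSMB\\PIPE\\browser\x00", "known"),
    Flow("10.0.0.77", "10.0.0.200", 445, SMB_PROBE, "zeroday"),  # first hop lands in dark space
    Flow("10.0.0.77", "10.0.0.12", 445, SMB_PROBE, "zeroday"),
    Flow("10.0.0.77", "10.0.0.13", 445, SMB_PROBE, "zeroday"),
]

def run_demo(flows=SAMPLE_FLOWS):
    """Score the full hybrid against a honeypot-only deployment of the same farm."""
    return {"hybrid": score(flows, classify(flows)),
            "honeypot_only": score(flows, classify(flows, use_signature=False, use_anomaly=False))}
```

Calling `run_demo()` on the constructed flows scores the hybrid against a honeypot-only deployment of the same farm: the hybrid catches the known worm by signature and the scanner's later hops by fan-out, while the honeypot alone sees only the hop that happened to land in dark space. The empty-payload connection into dark space is deliberately left unflagged; treating every stray SYN as an attack is one way a honeypot-only scheme inflates its false alarm rate.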


Published in

CUBE '12: Proceedings of the CUBE International Information Technology Conference
September 2012
879 pages
ISBN: 9781450311854
DOI: 10.1145/2381716

Copyright © 2012 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States
