HoneyStat: Local Worm Detection Using Honeypots

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNCS,volume 3224)

Abstract

Worm detection systems have traditionally used global strategies and focused on scan rates. The noise associated with this approach requires statistical techniques and large data sets (e.g., 2^20 monitored machines) to yield timely alerts and avoid false positives. Worm detection techniques for smaller local networks have not been fully explored.

We consider how local networks can provide early detection and complement global monitoring strategies. We describe HoneyStat, which uses modified honeypots to generate a highly accurate alert stream with low false positive rates. Unlike traditional high-interaction honeypots, HoneyStat nodes are script-driven, automated, and cover a large IP space.

The HoneyStat nodes generate three classes of alerts: memory alerts (based on buffer overflow detection and process management), disk write alerts (such as writes to registry keys and critical files) and network alerts. Data collection is automated, and once an alert is issued, a time segment of previous traffic to the node is analyzed. A logit analysis determines what previous network activity explains the current honeypot alert. The result can indicate whether an automated or worm attack is present.
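The following Python script is an added illustration of the alert-explanation step described above; it is not code from the paper or its authors. It constructs synthetic training rows (per-port connection counts seen in the traffic window preceding a node event, plus whether a memory alert fired), fits a logit model by plain gradient descent, and ranks ports by how strongly their preceding traffic predicts the alert. The port list, the attacked port (445), the window contents and all counts are assumptions made for the example, not values taken from the paper.

```python
import math
import random

# Assumed, illustrative set of ports a HoneyStat-style node would see probed;
# the paper fixes no port list, this is for the example only.
PORTS = [80, 135, 445, 1434]
WORM_PORT = 445            # constructed: the port our synthetic worm exploits


def make_windows(n=300, seed=7):
    """Construct synthetic training rows (not real trace data).

    Each row is (x, y): x = per-port connection-attempt counts seen in the
    traffic window before a node event, y = 1 if a memory alert (e.g. a
    buffer-overflow trap) fired at the end of that window.
    """
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        counts = {p: rng.randint(0, 3) for p in PORTS}   # background scan noise
        attacked = rng.random() < 0.3
        if attacked:
            counts[WORM_PORT] += rng.randint(2, 8)        # worm probes precede the exploit
        # Sensor behaviour: the alert fires almost always when attacked,
        # and occasionally on its own (false positive at the node).
        if attacked:
            alert = 1 if rng.random() < 0.95 else 0
        else:
            alert = 1 if rng.random() < 0.02 else 0
        rows.append(([counts[p] for p in PORTS], alert))
    return rows


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def fit_logit(rows, epochs=600, lr=0.05, l2=0.01):
    """Logistic regression by batch gradient descent (no numpy needed).

    Models P(alert | counts) = sigmoid(b + w . x) with a small L2 penalty
    so that ports unrelated to the alert stream settle near zero weight.
    Returns (w, b).
    """
    k = len(rows[0][0])
    w = [0.0] * k
    b = 0.0
    n = len(rows)
    for _ in range(epochs):
        gw = [0.0] * k
        gb = 0.0
        for x, y in rows:
            err = sigmoid(b + sum(wi * xi for wi, xi in zip(w, x))) - y
            gb += err
            for i in range(k):
                gw[i] += err * x[i]
        b -= lr * gb / n
        for i in range(k):
            w[i] -= lr * (gw[i] / n + l2 * w[i])
    return w, b


def rank_explanations(w):
    """Ports ordered by how strongly their preceding traffic predicts an alert;
    the top entry is the candidate attack vector."""
    return sorted(zip(PORTS, w), key=lambda t: t[1], reverse=True)


def alert_probability(w, b, counts):
    """Score a fresh window (dict port -> count) with the fitted model."""
    x = [counts.get(p, 0) for p in PORTS]
    return sigmoid(b + sum(wi * xi for wi, xi in zip(w, x)))


if __name__ == "__main__":
    w, b = fit_logit(make_windows())
    for port, coef in rank_explanations(w):
        print(f"port {port:>5}: coefficient {coef:+.3f}")
    print("P(alert | heavy 445 traffic) =",
          round(alert_probability(w, b, {WORM_PORT: 10}), 3))
```

Running it ranks port 445 first with a clearly positive coefficient while the unrelated ports sit near zero, which is the kind of per-vector attribution the abstract says a HoneyStat alert carries beyond a plain IDS signature match. A production system would feed real per-node traffic windows rather than constructed rows, and would need many more windows than alerts, since alerts are the rare class.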

We demonstrate HoneyStat’s improvements over previous worm detection techniques. First, using trace files from worm attacks on small networks, we demonstrate how it detects zero-day worms. Second, we show how it detects multi-vector worms that use combinations of ports to attack. Third, the alerts from HoneyStat provide more information than traditional IDS alerts, such as binary signatures, attack vectors, and attack rates. We also use extensive (year-long) trace files to show how the logit analysis produces very low false positive rates.

Keywords

  • Honeypots
  • Intrusion Detection
  • Alert Correlation
  • Worm Detection



Copyright information

© 2004 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Dagon, D. et al. (2004). HoneyStat: Local Worm Detection Using Honeypots. In: Jonsson, E., Valdes, A., Almgren, M. (eds) Recent Advances in Intrusion Detection. RAID 2004. Lecture Notes in Computer Science, vol 3224. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30143-1_3

  • DOI: https://doi.org/10.1007/978-3-540-30143-1_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-23123-3

  • Online ISBN: 978-3-540-30143-1
