SweetBait: Zero-hour worm detection and containment using low- and high-interaction honeypots

Georgios Portokalidis, Herbert Bos

Research output: Contribution to journalArticlepeer-review

43 Scopus citations

Abstract

As next-generation computer worms may spread within minutes to millions of hosts, protection via human intervention is no longer an option. We discuss the implementation of SweetBait, an automated protection system that employs low- and high-interaction honeypots to recognise and capture suspicious traffic. After discarding whitelisted patterns, it automatically generates worm signatures. To provide a low response time, the signatures may be immediately distributed to network intrusion detection and prevention systems. At the same time the signatures are continuously refined for increased accuracy and lower false identification rates. By monitoring signature activity and predicting ascending or descending trends in worm virulence, we are able to sort signatures in order of urgency. As a result, the set of signatures to be monitored or filtered is managed in such a way that new and very active worms are always included in the set, while the size of the set is bounded. SweetBait is deployed on medium sized academic networks across the world and is able to react to zero-day worms within minutes. Furthermore, we demonstrate how globally sharing signatures can help immunise parts of the Internet.

Original languageEnglish
Pages (from-to)1256-1274
Number of pages19
JournalComputer Networks
Volume51
Issue number5
DOIs
StatePublished - 11 Apr 2007

Keywords

  • Emulators
  • Honeypots
  • Intrusion detection/prevention
  • Security

Fingerprint

Dive into the research topics of 'SweetBait: Zero-hour worm detection and containment using low- and high-interaction honeypots'. Together they form a unique fingerprint.

Cite this