• DocumentCode
    1641762
  • Title
    Experiences with the NoAH Honeynet Testbed to Detect new Internet Worms
  • Author
    Kohlrausch, Jan
  • Author_Institution
    DFN-CERT Services GmbH, Hamburg, Germany
  • fYear
    2009
  • Firstpage
    13
  • Lastpage
    26
  • Abstract
    Recently, major advances have been made in the area of honeypot technologies. These include the development of very accurate and reliable detection methods for unknown attacks targeting memory corruption vulnerabilities and the design of efficient network architectures. These architectures make it possible to monitor a large network of IP addresses while applying advanced detection methods for zero-day exploits and new Internet worms. Such an advanced architecture and detection method was developed by the NoAH research project, funded by the Sixth EU Framework Programme for Research and Technological Development. A pilot testbed was set up to demonstrate its effectiveness in detecting well-known as well as new attacks on the Internet. While the technical components are well understood, the interpretation and analysis of the resulting information is, to the best of our knowledge, still not fully explored by research projects. For the NoAH pilot testbed, a critical test of its effectiveness arose with the appearance of the W32.Conficker worm in November 2008. In this paper we present the experimental results of this testbed, focusing on the detection and analysis of the W32.Conficker worm, which is still widely spread and an ongoing threat to the Internet. In detail, we describe the detection process, starting with the first suspicion of a new Internet worm and proceeding to its analysis and the capture of the malware.
  • Keywords
    IP networks; Internet; invasive software; IP addresses; Internet worms detection; NoAH honeynet testbed; Sixth EU Framework Programme; W32.Conficker; advanced detection methods; malware; network architectures; Automata; Computer worms; Conference management; Emulation; Forensics; Monitoring; Security; Technology management; Testing; Web and internet services; Monitoring and Early Warning; Techniques; Tools in Procedures IT Forensics;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    IT Security Incident Management and IT Forensics, 2009. IMF '09. Fifth International Conference on
  • Conference_Location
    Stuttgart
  • Print_ISBN
    978-0-7695-3807-5
  • Type
    conf
  • DOI
    10.1109/IMF.2009.9
  • Filename
    5277839