DocumentCode
1979276
Title
Research on Cooperative Anti-Worm System Model Based on Distributed Honeypots
Author
Zhang Ran ; Yao Weili ; Jia Zhongtian
Author_Institution
Sch. of Software Eng., Beijing Univ. of Technol., Beijing, China
fYear
2010
fDate
20-22 Aug. 2010
Firstpage
1
Lastpage
5
Abstract
This paper presents a cooperative anti-worm system model based on distributed honeypots for a local area network (LAN). The model deploys honeypot systems in the DMZ, behind the firewall, and in the internal subnets. Through the monitoring center, the honeypot systems cooperate with the intrusion detection system (IDS) and the firewall to prevent worm attacks originating from outside or inside the LAN. The honeypots are able not only to lure a variety of network worms and collect new worm data, but also to take measures to prevent worms from spreading further. The monitoring center is mainly responsible for further analyzing the suspicious data sent back by each honeypot system, extracting new types of worm attack patterns, and sending them to the firewall and ID agents. The firewall and ID agents accept the feedback from the monitoring center to update their own rules, so they are able to respond to new types of worms. Through collaboration between honeypots and other security systems, the system is able to respond quickly to a variety of worm attacks from outside or inside the LAN and provide a lot of evidence for administrators.
Keywords
invasive software; local area networks; software agents; ID agent; cooperative antiworm system; distributed honeypots; firewall; intrusion detection system; local area network; monitoring center; worm attack; Fires; Grippers; Internet; Intrusion detection; Local area networks; Monitoring;
fLanguage
English
Publisher
ieee
Conference_Titel
Internet Technology and Applications, 2010 International Conference on
Conference_Location
Wuhan
Print_ISBN
978-1-4244-5142-5
Electronic_ISBN
978-1-4244-5143-2
Type
conf
DOI
10.1109/ITAPP.2010.5566370
Filename
5566370