Flow-based Worm Detection using Correlated Honeypot Logs
Conference: KiVS 2007 - Kommunikation in Verteilten Systemen - 15. ITG/GI-Fachtagung
26 February 2007 to 2 March 2007 in Bern, Switzerland
Proceedings: KiVS 2007
Pages: 6
Language: English
Type: PDF
Dressler, Falko; Jaegers, Wolfgang; German, Reinhard (Computer Networks and Communication Systems, University of Erlangen, Martensstr. 3, 91058 Erlangen, Germany)
Attack detection in high-speed networks is a hot research topic. While the performance of packet-oriented signature-based approaches is questionable, flow-based anomaly detection shows high false positive rates. We tried to combine both techniques. In this paper, we study the applicability of flow-based attack detection. We installed a lab environment consisting of a monitoring infrastructure and a well-controlled honeypot. Using correlated honeypot logs and flow signatures, we created a first set of attack patterns. The evaluation of the approach was done within our university network. On the positive side, we were able to prove the successful detection of worm attacks. Problems can occur if incomplete monitoring data is used.