Flow-based Worm Detection using Correlated Honeypot Logs

Konferenz: KiVS 2007 - Kommunikation in Verteilten Systemen - 15. ITG/GI-Fachtagung
26.02.2007 - 02.03.2007 in Bern, Schweiz

Tagungsband: KiVS 2007

Seiten: 6Sprache: EnglischTyp: PDF

Persönliche VDE-Mitglieder erhalten auf diesen Artikel 10% Rabatt

Dressler, Falko; Jaegers, Wolfgang; German, Reinhard (Computer Networks and Communication Systems, University of Erlangen, Martensstr. 3, 91058 Erlangen, Germany)

Attack detection in high-speed networks is a hot research topic. While the performance of packet oriented signature-based approaches is questionable, flow-based anomaly detection shows high false positive rates. We tried to combine both techniques. In this paper, we study the applicability of flow-based attack detection. We installed a lab environment consisting of a monitoring infrastructure and a well-controlled honeypot. Using correlated honeypot logs and flow signatures, we created a first set of attack pattern. The evaluation of the approach was done within our university network. On the positive side, we were able to prove the successful detection of worm attacks. Problems can occur if incomplete monitoring data is used.