Flow-based Worm Detection using Correlated Honeypot Logs

Conference: KiVS 2007 - Kommunikation in Verteilten Systemen - 15. ITG/GI-Fachtagung
02/26/2007 - 03/02/2007 at Bern, Schweiz

Proceedings: KiVS 2007

Pages: 6Language: englishTyp: PDF

Personal VDE Members are entitled to a 10% discount on this title

Dressler, Falko; Jaegers, Wolfgang; German, Reinhard (Computer Networks and Communication Systems, University of Erlangen, Martensstr. 3, 91058 Erlangen, Germany)

Attack detection in high-speed networks is a hot research topic. While the performance of packet oriented signature-based approaches is questionable, flow-based anomaly detection shows high false positive rates. We tried to combine both techniques. In this paper, we study the applicability of flow-based attack detection. We installed a lab environment consisting of a monitoring infrastructure and a well-controlled honeypot. Using correlated honeypot logs and flow signatures, we created a first set of attack pattern. The evaluation of the approach was done within our university network. On the positive side, we were able to prove the successful detection of worm attacks. Problems can occur if incomplete monitoring data is used.