A HYBRID HONEYFARM BASED DEFENSE AGAINST WORM ATTACKS

Abstract

With new worms appearing at fast pace off late, conventional classification and defense techniques are not adequate to cover wide spectrum of recent worm attacks like stuxnet (2010), morto (June 2011), and Duqu (Oct 2011). Honeypots have been found to be effective for zero day threats, and recent trend for defending against worms leverages the advantages of honeypot alone, or honeypots combined with either signature or anomaly based detection. Although such honeypot based techniques are effective, they become resource intensive when multiple honeypot sensors are used. Moreover, the techniques suffer from one or more limitations of high false positives, false negatives, reduced sensitivity and specificity. In this work, a novel hybrid scheme is proposed that integrates anomaly and signature detection with honeypots. At first level we used Signature based detection, for known worm attacks, that makes the system operate in real time. Any deviation from the normal behavior can be easily detected by anomaly detector in second level. Last level is honeypots which, helps in detecting zero day attacks. We leverage the advantage of honeyfarm by deploying honeypots and both the detectors in a single location. Controller redirects the traffic to the respective honeypots. To ensure the security of controller, the role of controller is alternated among the honeypots periodically. Our proposed model combines detection scheme (i.e. signature based and anomaly based) with containment scheme develops an effective defense against Internet worms by taking the advantages of both and minimizing disadvantages of each.