Worm Detection Using Honeypots

Abstract

This thesis describes a project that utilizes honeypots to detect worms. A detailed description of existing worm detection techniques using honeypots is given, as well as a study of existing worm propagation models. Simulations using some of these worm propagation models are also conducted. Although the results of the simulations coincide with the collected data from the actual outbreak of a network worm, they also conclude that it is difficult to produce realistic results prior to a worm outbreak. A worm detection mechanism called HoneyComb is incorporated in the honeypot setup installed at NTNU, and experiments are conducted to evaluate its effectiveness and reliability. The mechanism generated a large amount of false positives in these experiments, possibly due to an error discovered in the implementation of the detection algorithm. An architecture using honeypots for detection of unknown worms is proposed. This architecture is based on a combination of two recently published systems with the extension referred to as a Known-Attack (KA) filter. By using this filter, it is believed that the amount of traffic needed to be processed by the honeypot sensors will be considerably reduced.