
[Repost] Zero-Hour Worm Detection and Containment Using Honeypots


Source: http://www.cs.vu.nl/~herbertb/

As next-generation computer worms may spread within minutes to millions of hosts, protection via human intervention is no longer an option. We discuss the implementation of SweetBait, an automated protection system that employs low-interaction honeypots to capture suspicious traffic. After discarding whitelisted patterns, it automatically generates worm signatures. To provide a low response time, the signatures may be immediately distributed to network intrusion detection and prevention systems. At the same time the signatures are continuously refined for increased accuracy and lower false identification rates. By monitoring signature activity and predicting ascending or descending trends in worm virulence, we are able to sort signatures in order of urgency. As a result, the set of signatures to be monitored or filtered is managed in such a way that new and very active worms are always included in the set, while the size of the set is bounded. SweetBait is deployed on medium-sized academic networks across the world and is able to react to zero-day worms within minutes. Furthermore, we demonstrate how globally sharing signatures can help immunise parts of the Internet.

Attachment

sweetbait-ir-cs-015.rar (142 KB)

2005-10-16 18:19, downloads: 41
