A proactive approach to intrusion detection and malware collection

Chia Mei Chen, Sheng Tzong Cheng, Ruei Yu Zeng

Research output: Contribution to journal › Article

7 Citations (Scopus)

Abstract

Networks continue to be under various attacks every day. One common attack is to use password guessing to intrude into a machine and then to inject malware or botnet code for future control. To develop countermeasures, the honeypot technique, which simulates a real system, is often used for capturing attack patterns, malware or botnets, and malware download sites. However, neither low-interaction nor medium-interaction honeypots can simulate the behaviors of a true system well, because of the inherent restrictions of the technology, so the honeypot might be discovered by an attacker or by malware. This study proposes a new honeypot system, Jingu, which is constructed from a true environment plus a protection mechanism against being circumvented. The proposed high-interaction honeypot system, Jingu, can achieve the following goals: (1) not be perceived by attackers; (2) protect itself against being attacked; (3) record and learn attack behaviors; (4) capture malware; and (5) collect valuable information for detection purposes. Jingu has been deployed on a real network for 2 years. Compared with the low-interaction honeypot honeyd, Jingu can successfully catch attack behaviors as well as capture malware. The results show that the proposed system is able to block real attacks and to collect valuable information for future detection and malware analysis.

Original language: English
Pages (from-to): 844-853
Number of pages: 10
Journal: Security and Communication Networks
Volume: 6
Issue number: 7
DOI: 10.1002/sec.619
Publication status: Published - 2013 Jul

Fingerprint

Intrusion detection
Malware

All Science Journal Classification (ASJC) codes

  • Information Systems
  • Computer Networks and Communications

Cite this

@article{44b04872fd2c47f39995315819047310,
title = "A proactive approach to intrusion detection and malware collection",
abstract = "Networks continue to be under various attacks every day. One common attack is to use password guessing to intrude into a machine and then to inject malware or botnet code for future control. To develop countermeasures, the honeypot technique, which simulates a real system, is often used for capturing attack patterns, malware or botnets, and malware download sites. However, neither low-interaction nor medium-interaction honeypots can simulate the behaviors of a true system well, because of the inherent restrictions of the technology, so the honeypot might be discovered by an attacker or by malware. This study proposes a new honeypot system, Jingu, which is constructed from a true environment plus a protection mechanism against being circumvented. The proposed high-interaction honeypot system, Jingu, can achieve the following goals: (1) not be perceived by attackers; (2) protect itself against being attacked; (3) record and learn attack behaviors; (4) capture malware; and (5) collect valuable information for detection purposes. Jingu has been deployed on a real network for 2 years. Compared with the low-interaction honeypot honeyd, Jingu can successfully catch attack behaviors as well as capture malware. The results show that the proposed system is able to block real attacks and to collect valuable information for future detection and malware analysis.",
author = "Chen, {Chia Mei} and Cheng, {Sheng Tzong} and Zeng, {Ruei Yu}",
year = "2013",
month = "7",
doi = "10.1002/sec.619",
language = "English",
volume = "6",
pages = "844--853",
journal = "Security and Communication Networks",
issn = "1939-0114",
publisher = "John Wiley and Sons Inc.",
number = "7",
}

A proactive approach to intrusion detection and malware collection. / Chen, Chia Mei; Cheng, Sheng Tzong; Zeng, Ruei Yu.

In: Security and Communication Networks, Vol. 6, No. 7, 07.2013, p. 844-853.

Research output: Contribution to journal › Article

TY  - JOUR
T1  - A proactive approach to intrusion detection and malware collection
AU  - Chen, Chia Mei
AU  - Cheng, Sheng Tzong
AU  - Zeng, Ruei Yu
PY  - 2013/7
Y1  - 2013/7
N2  - Networks continue to be under various attacks every day. One common attack is to use password guessing to intrude into a machine and then to inject malware or botnet code for future control. To develop countermeasures, the honeypot technique, which simulates a real system, is often used for capturing attack patterns, malware or botnets, and malware download sites. However, neither low-interaction nor medium-interaction honeypots can simulate the behaviors of a true system well, because of the inherent restrictions of the technology, so the honeypot might be discovered by an attacker or by malware. This study proposes a new honeypot system, Jingu, which is constructed from a true environment plus a protection mechanism against being circumvented. The proposed high-interaction honeypot system, Jingu, can achieve the following goals: (1) not be perceived by attackers; (2) protect itself against being attacked; (3) record and learn attack behaviors; (4) capture malware; and (5) collect valuable information for detection purposes. Jingu has been deployed on a real network for 2 years. Compared with the low-interaction honeypot honeyd, Jingu can successfully catch attack behaviors as well as capture malware. The results show that the proposed system is able to block real attacks and to collect valuable information for future detection and malware analysis.
AB  - Networks continue to be under various attacks every day. One common attack is to use password guessing to intrude into a machine and then to inject malware or botnet code for future control. To develop countermeasures, the honeypot technique, which simulates a real system, is often used for capturing attack patterns, malware or botnets, and malware download sites. However, neither low-interaction nor medium-interaction honeypots can simulate the behaviors of a true system well, because of the inherent restrictions of the technology, so the honeypot might be discovered by an attacker or by malware. This study proposes a new honeypot system, Jingu, which is constructed from a true environment plus a protection mechanism against being circumvented. The proposed high-interaction honeypot system, Jingu, can achieve the following goals: (1) not be perceived by attackers; (2) protect itself against being attacked; (3) record and learn attack behaviors; (4) capture malware; and (5) collect valuable information for detection purposes. Jingu has been deployed on a real network for 2 years. Compared with the low-interaction honeypot honeyd, Jingu can successfully catch attack behaviors as well as capture malware. The results show that the proposed system is able to block real attacks and to collect valuable information for future detection and malware analysis.
UR  - http://www.scopus.com/inward/record.url?scp=84879522513&partnerID=8YFLogxK
UR  - http://www.scopus.com/inward/citedby.url?scp=84879522513&partnerID=8YFLogxK
U2  - 10.1002/sec.619
DO  - 10.1002/sec.619
M3  - Article
AN  - SCOPUS:84879522513
VL  - 6
SP  - 844
EP  - 853
JO  - Security and Communication Networks
JF  - Security and Communication Networks
SN  - 1939-0114
IS  - 7
ER  -