Alqubati, M., Mahdy, Y., Ibrahim, H. (2010). WORM DETECTION USING HONEYPOTS FOR WINDOWS ENVIRONMENT. JES. Journal of Engineering Sciences, 38(No 4), 1013-1025. doi: 10.21608/jesaun.2010.125560
WORM DETECTION USING HONEYPOTS FOR WINDOWS ENVIRONMENT
Recent cybersecurity incidents suggest that Internet worms can spread so fast that a timely human-mediated reaction is not possible; the initial response to such attacks therefore has to be automated. In this paper we present a system for detecting known and unknown worms using honeypots. The system detects worms by monitoring connection activity and watching for traffic patterns that express essential characteristics of worm behaviour. Detection proceeds in two tiers: signature-based detection first, anomaly-based detection second. The system runs at the network gateway, a vantage point from which all traffic into and out of the network is visible. It employs a honeypot to capture traffic after whitelisted patterns have been discarded, automatically generates worm signatures from the captured traffic, and matches them against the signatures of known worms stored in the signature database. When a signature matches, the system issues an alert that also includes the IP addresses involved in the transaction. Otherwise, it monitors changes in CPU and RAM usage and changes to files on the gateway, which are treated as indicators of the presence of a worm. The system was evaluated on a dataset collected from the Internet over several days and showed promising results for detecting, and collecting information about, worms on the local network; its detection performance was up to 23% higher than that of other honeypot-based systems.
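The two-tier pipeline the abstract describes (whitelist discard, automatic signature generation from honeypot captures, matching against a known-worm database, then CPU/RAM/file-change indicators for whatever did not match) is illustrated below in an added example. This is not the authors' implementation, nor their dataset; the hosts, payloads, the single known-worm signature, the whitelist and the anomaly thresholds are all constructed, and "longest byte string common to every captured payload on a port" is one simple signature-generation rule chosen here for illustration, not necessarily the paper's.

```python
"""Added illustration of a two-tier worm detector: honeypot captures are stripped
of whitelisted traffic, a signature is generated per destination port as the longest
byte string common to every payload and matched against known-worm signatures; only
unmatched traffic reaches an anomaly tier that checks gateway CPU / RAM / file-change
deltas. Every IP, payload, signature and threshold below is constructed for the demo."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class GatewayMetrics:
    cpu_percent: float
    ram_percent: float
    files_changed: int


# Constructed whitelist (port -> benign payload prefixes) the honeypot discards.
WHITELIST_PREFIXES: Dict[int, Tuple[bytes, ...]] = {80: (b"GET /health ",)}
# Constructed known-worm signature database (name -> byte pattern).
KNOWN_SIGNATURES: Dict[str, bytes] = {"demo-worm-A": b"\x90\x90\x90\x90WORM_A_PAYLOAD"}
# Constructed anomaly limits: how far each gateway metric may rise above its baseline.
LIMITS = {"cpu_percent": 30.0, "ram_percent": 20.0, "files_changed": 10}
MIN_SIGNATURE_LEN = 8  # shorter common strings are too likely to be coincidental
MIN_SAMPLES = 2        # one connection is not a pattern; no signature is derived from it


def is_whitelisted(conn: Connection) -> bool:
    """Discard traffic matching a known-benign (port, payload-prefix) pattern."""
    return any(conn.payload.startswith(p) for p in WHITELIST_PREFIXES.get(conn.dst_port, ()))


def generate_signature(payloads: List[bytes]) -> Optional[bytes]:
    """Longest byte string present in every payload, or None if none is long enough.
    Brute force over substrings of the shortest payload, longest first: fine for a
    handful of honeypot captures, not for high-volume traffic."""
    if len(payloads) < MIN_SAMPLES:
        return None
    shortest = min(payloads, key=len)
    for length in range(len(shortest), MIN_SIGNATURE_LEN - 1, -1):
        for start in range(len(shortest) - length + 1):
            candidate = shortest[start:start + length]
            if all(candidate in p for p in payloads):
                return candidate
    return None


def match_known(signature: bytes) -> Optional[str]:
    """Tier 1: name of the known worm whose pattern overlaps the generated signature."""
    for name, known in KNOWN_SIGNATURES.items():
        if known in signature or signature in known:
            return name
    return None


def anomaly_indicators(baseline: GatewayMetrics, current: GatewayMetrics) -> List[str]:
    """Tier 2: gateway metrics that rose past their limit since the baseline sample."""
    return [name for name, limit in LIMITS.items()
            if getattr(current, name) - getattr(baseline, name) > limit]


def detect(captured: List[Connection], baseline: GatewayMetrics,
           current: GatewayMetrics) -> List[dict]:
    """Run both tiers over one capture window; every alert names the IP pairs involved."""
    by_port: Dict[int, List[Connection]] = {}
    for c in captured:
        if not is_whitelisted(c):
            by_port.setdefault(c.dst_port, []).append(c)
    alerts, unmatched = [], []
    for port, conns in sorted(by_port.items()):
        sig = generate_signature([c.payload for c in conns])
        if sig is None:
            continue
        pairs = sorted({(c.src_ip, c.dst_ip) for c in conns})
        known = match_known(sig)
        if known is not None:
            alerts.append({"tier": "signature", "worm": known, "port": port, "ips": pairs})
        else:
            unmatched.append({"port": port, "ips": pairs, "new_signature": sig})
    # Only traffic the signature tier could not explain reaches the anomaly tier.
    indicators = anomaly_indicators(baseline, current) if unmatched else []
    if indicators:
        alerts.append({"tier": "anomaly", "indicators": indicators, "candidates": unmatched})
    return alerts


# Constructed capture window: two hosts hit the honeypot on 445 with the same
# shellcode-like payload, a benign health check arrives on 80, and two hosts send
# a novel repeated probe to 8080.
SAMPLE_CAPTURE = [
    Connection("10.0.0.5", "10.0.0.200", 445, b"SMB\x00\x90\x90\x90\x90WORM_A_PAYLOAD\x01\x02"),
    Connection("10.0.0.7", "10.0.0.200", 445, b"SMB\x00\x90\x90\x90\x90WORM_A_PAYLOADxyz"),
    Connection("10.0.0.9", "10.0.0.200", 80, b"GET /health HTTP/1.1\r\n"),
    Connection("10.0.0.11", "10.0.0.200", 8080, b"POST /cgi/x NEW_UNKNOWN_PROBE_1234 q"),
    Connection("10.0.0.12", "10.0.0.200", 8080, b"PUT /cgi/y NEW_UNKNOWN_PROBE_1234 zz"),
]
BASELINE = GatewayMetrics(cpu_percent=12.0, ram_percent=40.0, files_changed=0)
DURING = GatewayMetrics(cpu_percent=55.0, ram_percent=48.0, files_changed=14)

if __name__ == "__main__":
    for alert in detect(SAMPLE_CAPTURE, BASELINE, DURING):
        print(alert)
```

On the sample window the 445 traffic yields a signature containing the known pattern and produces a signature-tier alert naming both source hosts; the 8080 probe matches nothing, so its auto-generated signature is reported through the anomaly tier only because CPU and file-change deltas on the gateway exceeded their limits. With an unchanged gateway the same unmatched probe produces no alert, which is the trade-off of making the anomaly tier conditional on host indicators: a worm that is quiet on the gateway itself is missed by tier 2.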