DeWorm


Important information:

  • DeWorm was sponsored by the Dutch (NWO/STW/EZ) Sentinels project.
  • DeWorm collaborates closely with the EU FP6 NoAH project.
  • Within these projects, the Vrije Universiteit Amsterdam developed the Argos honeypot system.
  • DeWorm has a user committee consisting of: SURFnet, GOVCERT, Univ. of Twente, NBV, and TNO.

    DeWorm: detecting and fingerprinting attacks

    DeWorm is aimed at developing an automated response system that is capable of (1) detecting zero-day worms on the Internet, (2) generating signatures for the attacks, and (3) using these signatures to block malicious traffic. Originally, the project targeted solely the detection of fast-spreading worms, but two phenomena motivated us to widen the scope: (1) methods similar to the two-tier approach proposed by DeWorm are already employed by other projects, and (2) fast-spreading attacks are no longer common. As a result, the project refocused and now also targets attacks that spread slowly but stealthily. The project has delivered advanced intrusion detection technology in the past few years and will continue to do so in the remainder of the project.

    In the second year, we implemented and tested an architecture known as Argos that can automatically detect attacks, as well as generate basic signatures for the attack. We have worked towards making the system (a) stable, so that it can be used by the members of the user committee and others, (b) accurate (few false positives and negatives), and (c) rich in information, so that as much information about the attack as possible can be obtained from the system. The code is available from the Argos website.

    In 2007 we worked on more reliable signature generation and on client-side protection. Specifically, we aimed at generating signatures that yield few, if any, false positives. One approach, which we dubbed Prospector, was carried out by the Vrije Universiteit in the context of the European NoAH project (in close collaboration with the DeWorm project). Another approach, built on accurate data-flow analysis, is now under development in the context of DeWorm. We have further focused on some of the groundwork for implementing techniques to bring Argos-like honeypot technology to the desktop of normal users, in other words: client-side protection. This is a major challenge, as the emulator that implements all the required instrumentation to detect attacks incurs a slowdown of a factor 15-20. As a result, constantly running a desktop PC in instrumented mode is probably not acceptable. Instead, the idea is to take over running processes and force them to continue running in honeypot mode when needed or when possible. For instance, in the former case we may run a browser in honeypot mode when we click on a URL in an email message for the first time; the browser is then protected against browser attacks by malicious server content. In the latter case, we may switch all of the user's networking applications to honeypot mode when the machine is idle, for instance by switching to honeypot mode as a screensaver.
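    The three project goals above (detect the attack, derive a signature from it, block traffic that matches) and the data-flow analysis mentioned in this section can be illustrated with a small worked example. The following Python program is an added illustration written for this page; it is not DeWorm, Argos or Prospector code. It assumes that the instrumentation takes the form of taint tracking, that is, every byte received from the network is labelled with its offset in the request, labels follow the data through loads and arithmetic, and an alert is raised when a labelled value is about to be used as a control-flow target. The page itself only calls this "data-flow analysis", so that assumption, the toy instruction set, the vulnerable program and the two payloads are all constructed here.

```python
# Added illustration (not DeWorm/Argos code): a toy emulator whose memory bytes
# and registers carry taint labels, so network input can be followed until it
# reaches a control-flow transfer. The instruction set, the vulnerable program
# and the payloads are constructed for this example.
from dataclasses import dataclass

# A taint label is the set of payload offsets that influenced a value;
# an empty set means the value never depended on network input.
Taint = frozenset


@dataclass(frozen=True)
class Cell:
    val: int                  # one byte (memory) or a 16-bit word (register)
    taint: Taint = frozenset()


class ControlFlowHijack(Exception):
    """Raised when a tainted value is about to become the instruction pointer."""
    def __init__(self, target, taint):
        super().__init__(f"tainted return target {target:#06x} built from offsets {sorted(taint)}")
        self.target = target
        self.taint = taint


class TaintVM:
    """Minimal register machine with byte-granular taint on memory and registers."""

    def __init__(self, payload: bytes):
        self.payload = payload
        self.regs = {r: Cell(0) for r in "ab"}
        self.mem = {}
        self.pc = 0

    def run(self, program):
        while self.pc < len(program):
            op, *args = program[self.pc]
            self.pc += 1
            getattr(self, "op_" + op)(*args)

    def op_store16(self, addr, word):
        # Untainted initialisation, e.g. the legitimate saved return address.
        self.mem[addr] = Cell(word & 0xFF)
        self.mem[addr + 1] = Cell(word >> 8)

    def op_recv(self, addr):
        # Copies the whole request with no length check; each written byte is
        # tainted with its own offset. The missing bound is the modelled bug.
        for off, b in enumerate(self.payload):
            self.mem[addr + off] = Cell(b, frozenset({off}))

    def op_load16(self, reg, addr):
        lo = self.mem.get(addr, Cell(0))
        hi = self.mem.get(addr + 1, Cell(0))
        # Data-flow propagation: the word depends on both source bytes.
        self.regs[reg] = Cell(lo.val | (hi.val << 8), lo.taint | hi.taint)

    def op_add(self, dst, src):
        a, b = self.regs[dst], self.regs[src]
        self.regs[dst] = Cell((a.val + b.val) & 0xFFFF, a.taint | b.taint)

    def op_ret(self, reg):
        # Detection point: control is about to transfer to a value that was
        # (partly) computed from network data.
        target = self.regs[reg]
        if target.taint:
            raise ControlFlowHijack(target.val, target.taint)
        self.pc = 1 << 30  # untainted return: halt the toy program


BUF, SAVED_RET = 0x100, 0x108   # 8-byte input buffer, followed by the saved return address

# Constructed vulnerable "service": set the saved return address, read the
# request into the buffer without a bound, then return through that address.
VULN_SERVICE = [
    ("store16", SAVED_RET, 0x4000),
    ("recv", BUF),
    ("load16", "a", SAVED_RET),
    ("add", "a", "b"),            # arithmetic on the value keeps its taint
    ("ret", "a"),
]

BENIGN = b"GET /ok\n"                 # 8 bytes: fits the buffer (constructed)
EXPLOIT = b"A" * 8 + b"\x10\x20"      # 10 bytes: overwrites the saved return address (constructed)


def detect(program, payload):
    """Run payload through the instrumented program; return the hijack event or None."""
    try:
        TaintVM(payload).run(program)
    except ControlFlowHijack as hit:
        return hit
    return None


def make_signature(payload, taint):
    """Basic signature: the (offset, byte) pairs whose data flow reached the control transfer."""
    return tuple(sorted((off, payload[off]) for off in taint))


def matches(signature, payload):
    """Blocking filter: a request matches if every signature byte is present at its offset."""
    return all(off < len(payload) and payload[off] == b for off, b in signature)


if __name__ == "__main__":
    assert detect(VULN_SERVICE, BENIGN) is None
    hit = detect(VULN_SERVICE, EXPLOIT)
    sig = make_signature(EXPLOIT, hit.taint)
    print(hit)
    print("signature:", sig, "blocks exploit:", matches(sig, EXPLOIT))
```

    The benign request never taints the saved return address, so the program completes silently; the oversized request does, and the alert carries exactly the input offsets that reached the control transfer. Because the signature is built from those offsets rather than from the whole request, it still blocks a variant that changes the filler bytes, while a request that differs in the bytes that actually caused the hijack is not matched. Real instrumented emulators work at the level of machine instructions and physical memory, and the slowdown of a factor 15-20 mentioned above comes from carrying such labels on every memory access.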

    Publications


    Papers about the Argos system have appeared in various publications:

      • (ACM SIGOPS EuroSys 2008) Eudaemon: Involuntary and On-Demand Emulation Against Zero-Day Exploits
      • (ACM SIGOPS EuroSys 2006) Argos: an Emulator for Fingerprinting Zero-Day Attacks
      • (Elsevier Computer Networks, Special Issue on Security through Self-Protecting and Self-Healing Systems) SweetBait: Zero-Hour Worm Detection and Containment Using Low- and High-Interaction Honeypots

    Contact details


    For more information about the DeWorm project, contact Herbert Bos.

    Acknowledgments

    DeWorm is sponsored by the NWO/STW/EZ research program Sentinels.