SweetBait: Zero-Hour Worm Detection and Containment Using Honeypots
As next-generation computer worms may spread within minutes to millions of hosts, protection via human intervention is no longer an option. The authors discuss the implementation of SweetBait, an automated protection system that employs low-interaction honeypots to capture suspicious traffic. After discarding whitelisted patterns, it automatically generates worm signatures. To provide a low response time, the signatures may be immediately distributed to network intrusion detection and prevention systems. At the same time, the signatures are continuously refined for increased accuracy and lower false identification rates. By monitoring signature activity and predicting ascending or descending trends in worm virulence, they are able to sort signatures in order of urgency.
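As an added illustration (not code from the SweetBait paper), the trend-based urgency ranking described above modelled in Python: each signature carries its hit count per monitoring window, a least-squares slope over those counts predicts whether virulence is ascending or descending, and signatures are sorted by predicted next-window activity. The scoring rule (last count plus slope) and the sample hit counts are assumptions constructed for the example, not the paper's method or data.

```python
from dataclasses import dataclass, field


@dataclass
class SignatureActivity:
    """Hit counts for one worm signature, one entry per monitoring window, oldest first."""
    name: str
    hits: list = field(default_factory=list)


def trend(hits):
    """Least-squares slope of hit counts against window index.

    Positive means the worm is gaining ground (ascending), negative means it is
    fading (descending); fewer than two windows gives no trend.
    """
    n = len(hits)
    if n < 2:
        return 0.0
    mean_x = (n - 1) / 2
    mean_y = sum(hits) / n
    num = sum((i - mean_x) * (y - mean_y) for i, y in enumerate(hits))
    den = sum((i - mean_x) ** 2 for i in range(n))
    return num / den


def urgency(sig):
    """Urgency score = predicted hits in the next window (assumption: last count + slope).

    Clamped at zero so a collapsing outbreak cannot sort below an idle signature.
    """
    if not sig.hits:
        return 0.0
    return max(sig.hits[-1] + trend(sig.hits), 0.0)


def rank_signatures(sigs):
    """Most urgent first: a rising worm outranks a larger but declining one."""
    return sorted(sigs, key=urgency, reverse=True)


# Constructed sample activity: "fading" has the most total hits but is in decline,
# while "rising" is small but accelerating, so "rising" should top the list.
SAMPLE = [
    SignatureActivity("fading", [50, 30, 15, 5]),
    SignatureActivity("steady", [10, 10, 10, 10]),
    SignatureActivity("rising", [1, 4, 9, 20]),
]

if __name__ == "__main__":
    for sig in rank_signatures(SAMPLE):
        print(f"{sig.name:8s} trend={trend(sig.hits):+.2f} urgency={urgency(sig):.2f}")
```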