Title: The HoneyTank: a scalable approach to collect malicious internet traffic

Authors: Nicolas Vanderavero, Xavier Brouckaert, Olivier Bonaventure, Baudouin Le Charlier

Addresses: Department of Computing Science and Engineering, Université catholique de Louvain (UCL), Belgium (all four authors)

Abstract: In this paper, we propose an efficient method for collecting large amounts of malicious internet traffic. The key advantage of our method is that it does not need to maintain any state to emulate TCP services running on a large number of emulated end-systems. We implemented a prototype on the ASAX intrusion detection system and we provide several examples of the malicious activities that were collected on a campus network attached to the internet. We explain how we implemented various protocols in a stateless way. We also discuss how our method can be improved to make an accurate but still stateless emulation of stateful protocols.
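To make the "stateless emulation of TCP services" concrete, here is a minimal stateless TCP responder written as an added example for this page; it is not the HoneyTank or ASAX code, and the paper's exact sequence-number derivation and service emulation are not reproduced. The assumption it makes is the SYN-cookie idea: the honeypot's initial sequence number (ISN) is a keyed hash of the 4-tuple, so any later segment lets the responder recompute what it "must" have sent earlier without a connection table. `SECRET`, `BANNERS` and the sample segments are constructed for the example.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Assumption for this example: a fixed secret keys the ISN hash. A real deployment
# would generate it at start-up; the paper's own derivation is not shown here.
SECRET = b"honeytank-demo-secret"

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Canned replies for the emulated services, keyed by destination port (constructed).
BANNERS = {
    80: b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n",
    25: b"220 mail.example ESMTP\r\n",
}


def isn_for(remote_ip: str, local_ip: str, rport: int, lport: int) -> int:
    """ISN as a keyed hash of the 4-tuple (SYN-cookie style). Nothing is stored:
    any later segment of the flow lets us recompute the same number."""
    msg = f"{remote_ip}|{local_ip}|{rport}|{lport}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def parse_tcp(seg: bytes) -> dict:
    """Parse the fixed part of a TCP header; options are skipped via the data offset."""
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", seg[:16])
    doff = (off_flags >> 12) * 4
    return dict(sport=sport, dport=dport, seq=seq, ack=ack,
                flags=off_flags & 0x1FF, win=win, data=seg[doff:])


def build_tcp(sport: int, dport: int, seq: int, ack: int, flags: int, data: bytes = b"") -> bytes:
    """Build a segment with a 20-byte header. Checksum is left 0 for brevity;
    a real responder (or the NIC, with offload) would fill it in."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq & 0xFFFFFFFF, ack & 0xFFFFFFFF,
                      (5 << 12) | flags, 65535, 0, 0)
    return hdr + data


def stateless_reply(src_ip: str, dst_ip: str, seg: bytes) -> Optional[bytes]:
    """Compute the reply to one incoming segment using only that segment and the key.
    Returns None when no reply is warranted (RST, pure ACK, or an ACK number that
    does not fit anything this responder could ever have sent)."""
    t = parse_tcp(seg)
    f = t["flags"]
    isn = isn_for(src_ip, dst_ip, t["sport"], t["dport"])

    if f & RST:
        return None
    if f & SYN and not f & ACK:
        # Handshake: SYN-ACK whose sequence number is the recomputable ISN.
        return build_tcp(t["dport"], t["sport"], isn, t["seq"] + 1, SYN | ACK)
    if not f & ACK:
        return None

    # Anything we may have sent lies in [isn+1, isn+1+len(banner)]. If the peer's
    # ACK falls outside that window the segment is unsolicited (e.g. backscatter
    # from a spoofed-source attack), and we drop it without needing any state.
    banner = BANNERS.get(t["dport"], b"")
    delta = (t["ack"] - (isn + 1)) & 0xFFFFFFFF
    if delta > len(banner):
        return None
    if not t["data"] and not f & FIN:
        return None  # pure ACK (end of handshake or a window update): nothing to answer

    # The peer's ACK tells us our next sequence number; any un-acked banner bytes are
    # (re)sent, which also covers retransmission without remembering what went out.
    payload = banner[delta:] if t["data"] else b""
    ack_no = t["seq"] + len(t["data"]) + (1 if f & FIN else 0)
    flags = ACK | (FIN if f & FIN else 0) | (PSH if payload else 0)
    return build_tcp(t["dport"], t["sport"], t["ack"], ack_no, flags, payload)


if __name__ == "__main__":
    # Constructed exchange: SYN, then an HTTP request, from 10.0.0.5:40000 to 192.0.2.10:80.
    syn = build_tcp(40000, 80, 1000, 0, SYN)
    synack = parse_tcp(stateless_reply("10.0.0.5", "192.0.2.10", syn))
    req = build_tcp(40000, 80, 1001, synack["seq"] + 1, ACK | PSH, b"GET / HTTP/1.0\r\n\r\n")
    print(parse_tcp(stateless_reply("10.0.0.5", "192.0.2.10", req))["data"])
```

The point of keying the ISN is twofold: the responder never allocates per-connection memory, so a SYN flood costs it nothing beyond hashing, and a segment whose acknowledgement number cannot be matched to the recomputed ISN is rejected, which stops the honeypot from answering backscatter and polluting the collected traffic. Banner-driven services such as the ones above are easy to emulate this way; protocols whose reply depends on earlier exchanges need more care, which is the stateful-protocol question the abstract raises.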

Keywords: honeypots; intrusion detection systems; worms; malicious internet traffic; internet attacks; critical infrastructures.

DOI: 10.1504/IJCIS.2008.016100

International Journal of Critical Infrastructures, 2008 Vol.4 No.1/2, pp.185 - 205

Published online: 05 Dec 2007
