Agent-based honeynet framework for protecting servers in campus networks

Abstract

Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) that use signatures cannot protect servers from new types of internet worms. Therefore it is important to collect information about new attacks because the detection rules employed by IDSs and IPSs are formulated using this information. Honeypots are valuable security resources that act as baits for attackers. They can monitor intrusions by being probed, attacked or compromised and can detect zero-day attacks and provide researchers intending to improve security with information about the attacks. However, it is almost impossible to immediately generate detection rules from the information collected by honeypots. This study presents an agent-based honeynet framework for protecting servers in a campus network. In this framework, agents remove malicious processes and executable files on servers infected by zero-day attacks as soon as the honeynet detects them. The proposed framework provides a novel defense mechanism that protects servers from new types of internet worms effectively, without the use of signatures.