Advanced Honeypot-based Intrusion Detection

Jan Göbel, Jens Hektor, Thorsten Holz

USE­NIX ;login:, Vo­lu­me 31, Issue 6, Pages 18-23, De­cem­ber 2006


At RWTH Aachen University, with about 40,000 computer-using people to support, we have built a system to detect infected machines based on honeypots. One important building block of Blast-oMat is Nepenthes, which we use both to detect malware-infected systems and to collect malware. Nepenthes is a low-interaction honeypot that appears as vulnerable software but instead decodes attack code and downloads malware.We have been successful at uncovering and quarantining infected systems with sensors listening at 0.1% of our address space. Investigation of collected malware has led to discovery of many infected systems and even a huge cache of stolen identity information.

[Link] [pdf]

Tags: honeypots, IDS