Building and deploying Billy Goat, a Worm-Detection System

Billy Goat is a worm detection system widely deployed throughout IBM and several other corporate networks. We describe the tools and constructions that we have used in the implementation and deployments of the system, and discuss contributions which could be useful in the implementation of other similar systems. We also discuss the features and requirements of worm detection systems in general, and how they are addressed by Billy Goat, allowing it to perform reliably in terms of scalability, accuracy, resilience and rapidity in detection and identification of worms without false positives.
