Results 1 - 4 of 4
Camouflaging Honeynets
- In Proceedings of IEEE Global Internet Symposium, 2007
Cited by 3 (2 self)
Abstract—Over the past several years, honeynets have proven invaluable for understanding the characteristics of unwanted Internet traffic from misconfigurations and malicious attacks. In this paper, we address the problem of defending honeynets against systematic mapping by malicious parties, so we can ensure that honeynets remain viable in the long term. Our approach is based on two ideas: (i) counting the number of probes received in the honeynet, and (ii) shuffling the location of live systems with those that comprise the honeynet in a larger address space after the probe count has exceeded a threshold. We describe four different strategies for randomizing the location of the honeynet. Each strategy is defined in terms of the degree of defense that it provides and its associated computational and state requirements. We implement a prototype middlebox that we call Kaleidoscope to gain practical insight on the feasibility of these strategies. Through a series of tests we show that the system is capable of effectively defending honeynets in large networks with limited impact on normal traffic, and that it continues to respond well in the face of large resource attacks.
Protecting against Hitlist Worms using Transparent Address Obfuscation
- In Proceedings of CMS, 2006
Cited by 1 (0 self)
Abstract. Sophisticated worms that use precomputed hitlists of vulnerable targets are especially hard to contain, since they are harder to detect, and spread at rates where even automated defenses may not be able to react in a timely fashion. Recent work has examined a proactive defense mechanism called Network Address Space Randomization (NASR) whose objective is to harden networks specifically against hitlist worms. The idea behind NASR is that hitlist information could be rendered stale if nodes are forced to frequently change their IP addresses. However, the originally proposed DHCP-based implementation may induce passive failures on hosts that change their addresses when connections are still in progress. The risk of such collateral damage also makes it harder to perform address changes at the timescales necessary for containing fast hitlist generators. In this paper we examine an alternative approach to NASR that allows both more aggressive address changes and also eliminates the problem of connection failures, at the expense of increased implementation and deployment cost. Rather than controlling address changes through a DHCP server, we explore the design and performance of transparent address obfuscation (TAO). In TAO, network elements transparently change the external address of internal hosts, while ensuring that existing connections on previously used addresses are preserved without any adverse consequences. In this paper we present the TAO approach in more detail and examine its performance.
Hitlist Worm Detection using Source IP Address History
Cited by 1 (0 self)
Abstract — Internet worms are a growing menace due to their increasing sophistication and speed of propagation. Although there have been many different detection schemes proposed, none of them can detect hitlist worms, which only scan active addresses, in linear time. Hence, we present a new worm detection scheme, History-based IP Worm Detection, that can detect these hitlist worms. It uses the difference in the distribution of source addresses between regular users and scanning hosts to distinguish between worm probes and normal accesses. This property is used to implement a weighted source address counting scheme, and a change point detection technique is used to detect surges in the rate of source addresses seen.
Soft Computing Techniques in Cyber Defense
Artificial intelligence is a technology to make the machines human compatible. Various techniques like heuristic search (Generate and test, Hill climbing, BFS, DFS, Problem reduction, constraint satisfaction, means-ends analysis etc.),

