{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,28]],"date-time":"2025-12-28T20:31:36Z","timestamp":1766953896720},"publisher-location":"Berlin, Heidelberg","reference-count":49,"publisher":"Springer Berlin Heidelberg","isbn-type":[{"type":"print","value":"9783540231233"},{"type":"electronic","value":"9783540301431"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2004]]},"DOI":"10.1007\/978-3-540-30143-1_3","type":"book-chapter","created":{"date-parts":[[2010,9,18]],"date-time":"2010-09-18T23:59:24Z","timestamp":1284854364000},"page":"39-58","source":"Crossref","is-referenced-by-count":88,"title":["HoneyStat: Local Worm Detection Using Honeypots"],"prefix":"10.1007","author":[{"given":"David","family":"Dagon","sequence":"first","affiliation":[]},{"given":"Xinzhou","family":"Qin","sequence":"additional","affiliation":[]},{"given":"Guofei","family":"Gu","sequence":"additional","affiliation":[]},{"given":"Wenke","family":"Lee","sequence":"additional","affiliation":[]},{"given":"Julian","family":"Grizzard","sequence":"additional","affiliation":[]},{"given":"John","family":"Levine","sequence":"additional","affiliation":[]},{"given":"Henry","family":"Owen","sequence":"additional","affiliation":[]}],"member":"297","reference":[{"key":"3_CR1","unstructured":"Anderson, D., Frivold, T., Valdes, A.: Next-generation intrusion detection expert system (NIDES): A summary. Technical Report SRI-CSL-95-07, Computer Science Laboratory, SRI International, Menlo Park, California (May 1995)"},{"key":"3_CR2","doi-asserted-by":"crossref","unstructured":"Berk, V.H., Gray, R.S., Bakos, G.: Using sensor networks and data fusion for early detection of active worms. 
In: Proceedings of the SPIE AeroSense (2003)","DOI":"10.1117\/12.500849"},{"key":"3_CR3","doi-asserted-by":"crossref","unstructured":"Chen, Z., Gao, L., Kwiat, K.: Modeling the spread of active worms. In: Proceedings of the IEEE INFOCOM 2003 (March 2003)","DOI":"10.1109\/INFCOM.2003.1209211"},{"key":"3_CR4","doi-asserted-by":"crossref","unstructured":"Cheung, S., Lindqvist, U., Fong, M.W.: Modeling multistep cyber attacks for scenario recognition. In: Proceedings of the Third DARPA Information Survivability Conference and Exposition (DISCEX III), Washington, D.C. (April 2003)","DOI":"10.1109\/DISCEX.2003.1194892"},{"key":"3_CR5","doi-asserted-by":"crossref","unstructured":"Cuppens, F., Mi\u00e8ge, A.: Alert correlation in a cooperative intrusion detection framework. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy, Oakland, CA, May 2002, pp. 202\u2013215 (2002)","DOI":"10.1109\/SECPRI.2002.1004372"},{"key":"3_CR6","unstructured":"Corey, J.: Advanced honey pot identification and exploitation. (fake) Phrack, No. 63 (2004)"},{"key":"3_CR7","doi-asserted-by":"crossref","unstructured":"Debar, H., Wespi, A.: The intrusion-detection console correlation mechanism. In: 4th International Symposium on Recent Advances in Intrusion Detection (RAID) (October 2001)","DOI":"10.1007\/3-540-45474-8_6"},{"key":"3_CR8","unstructured":"Goldman, R.P., Heimerdinger, W., Harp, S.A.: Information modeling for intrusion report aggregation. In: DARPA Information Survivability Conference and Exposition (DISCEX II) (June 2001)"},{"key":"3_CR9","unstructured":"Gu, G., Sharif, M., Qin, X., Dagon, D., Lee, W., Riley, G.: Worm detection, early warning and response based on local victim information. Submitted for review (2004)"},{"key":"3_CR10","doi-asserted-by":"publisher","DOI":"10.1002\/0471722146","volume-title":"Applied Logistic Regression","author":"D.W. Hosmer","year":"2000","unstructured":"Hosmer, D.W., Lemeshow, S.: Applied Logistic Regression. 
Wiley-Interscience, Hoboken (2000)"},{"key":"3_CR11","unstructured":"Immunix Inc. Stackguard, http:\/\/www.immunix.org\/stackguard.html (2003)"},{"key":"3_CR12","unstructured":"SANS Institute, http:\/\/www.sans.org"},{"key":"3_CR13","doi-asserted-by":"crossref","unstructured":"Jung, J., Paxson, V., Berger, A.W., Balakrishnan, H.: Fast portscan detection using sequential hypothesis testing. In: 2004 IEEE Symposium on Security and Privacy (2004)","DOI":"10.1109\/SECPRI.2004.1301325"},{"key":"3_CR14","unstructured":"Jiang, X., Xu, D.: Collapsar: A vm-based architecture for network attack detention center, http:\/\/www.cs.purdue.edu\/homes\/jiangx\/collapsar\/ (2004)"},{"key":"3_CR15","doi-asserted-by":"crossref","unstructured":"Kalman, R.E.: A new approach to linear filtering and prediction problems. Transaction of the ASME\u2013Journal of Basic Engineering (March 1960)","DOI":"10.1115\/1.3662552"},{"key":"3_CR16","doi-asserted-by":"crossref","unstructured":"Kephart, J.O., Chess, D.M., White, S.R.: Computers and epidemiology (1993)","DOI":"10.1109\/6.275061"},{"key":"3_CR17","unstructured":"Kortchinsky, K.: Vmware fingerprinting counter measures. The French Honeynet Project (2004)"},{"key":"3_CR18","unstructured":"Kreibich, C.: Honeycomb automated ids signature creation using honeypots, http:\/\/www.cl.cam.ac.uk\/cpk25\/honeycomb\/ (2003)"},{"key":"3_CR19","doi-asserted-by":"crossref","unstructured":"Kephart, J.O., White, S.R.: Measuring and modeling computer virus prevalence. In: Proceedings of IEEE Symposium on Security and Privacy (1993)","DOI":"10.1109\/RISP.1993.287647"},{"key":"3_CR20","unstructured":"Lemon, J.: Kqueue: A generic and scalable event notification facility, pp. 141\u2013154 (2001)"},{"key":"3_CR21","doi-asserted-by":"crossref","unstructured":"Levine, J., LaBella, R., Owen, H., Contis, D., Culver, B.: The use of honeynets to detect exploited systems across large enterprise networks. 
In: Proceedings of the 2003 IEEE Workshop on Information Assurance (2003)","DOI":"10.1109\/SMCSIA.2003.1232406"},{"key":"3_CR22","unstructured":"LURHQ. Msblast case study, http:\/\/www.lurhq.com\/blaster.html (2003)"},{"key":"3_CR23","unstructured":"LURHQ. Witty worm analysis, http:\/\/www.lurhq.com\/witty.html (2004)"},{"key":"3_CR24","doi-asserted-by":"crossref","unstructured":"Mukherjee, B., Heberlein, L.T., Levitt, K.N.: Network intrusion detection. IEEE Network (May\/June 1994)","DOI":"10.1109\/65.283931"},{"key":"3_CR25","doi-asserted-by":"crossref","unstructured":"Morin, B., M\u00e9, L., Debar, H., Ducass\u00e9, M.: M2d2: A formal data model for ids alert correlation. In: Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID) (October 2002)","DOI":"10.1007\/3-540-36084-0_7"},{"key":"3_CR26","doi-asserted-by":"crossref","unstructured":"Moore, D.: Code-red: A case study on the spread and victims of an internet worm, http:\/\/www.icir.org\/vern\/imw-2002\/imw2002-papers\/209.ps.gz (2002)","DOI":"10.1145\/637201.637244"},{"key":"3_CR27","unstructured":"Moore, D.: Network telescopes: Observing small or distant security events, http:\/\/www.caida.org\/outreach\/presentations\/2002\/usenix_sec\/ (2002)"},{"key":"3_CR28","doi-asserted-by":"crossref","unstructured":"Moore, D., Shannon, C., Voelker, G.M., Savage, S.: Internet quarantine: Requirements for containing self-propagating code. In: Proceedings of the IEEE INFOCOM (March 2003)","DOI":"10.1109\/INFCOM.2003.1209212"},{"key":"3_CR29","doi-asserted-by":"crossref","unstructured":"Ning, P., Cui, Y., Reeves, D.S.: Constructing attack scenarios through correlation of intrusion alerts. 
In: 9th ACM Conference on Computer and Communications Security (November 2002)","DOI":"10.1145\/586110.586144"},{"key":"3_CR30","unstructured":"Parekh, J.J.: Columbia ids worminator project, http:\/\/worminator.cs.columbia.edu\/ (2004)"},{"key":"3_CR31","unstructured":"Porras, P.A., Neumann, P.G.: EMERALD: Event monitoring enabling responses to anomalous live disturbances. In: National Information Systems Security Conference, Baltimore MD (October 1997)"},{"key":"3_CR32","unstructured":"Provos, N.: A virtual honeypot framework, http:\/\/www.citi.umich.edu\/techreports\/reports\/citi-tr-03-1.pdf (2003)"},{"key":"3_CR33","unstructured":"Qin, X., Dagon, D., Gu, G., Lee, W., Warfield, M., Allor, P.: Technical report"},{"key":"3_CR34","doi-asserted-by":"crossref","unstructured":"Qin, X., Lee, W.: Statistical causality analysis of infosec alert data. In: Proceedings of the 6th International Symposium on Recent Advances in Intrusion Detection (RAID 2003), Pittsburgh, PA (September 2003)","DOI":"10.1007\/978-3-540-45248-5_5"},{"key":"3_CR35","unstructured":"Qu, D., Vetter, B., Wang, F., Wu, S.F.: Statistical-based intrusion detection for OSPF routing protocol. In: Proceedings of the 6th IEEE International Conference on Network Protocols, Austin, TX (October 1998)"},{"key":"3_CR36","unstructured":"Seifried, K.: Honeypotting with vmware - basics (2002)"},{"key":"3_CR37","volume-title":"Counter Hack","author":"E. Skoudis","year":"2002","unstructured":"Skoudis, E.: Counter Hack. Prentice Hall PTR, Upper Saddle River, NJ (2002)"},{"key":"3_CR38","volume-title":"Honeypots: Tracking Hackers","author":"L. Spitzner","year":"2003","unstructured":"Spitzner, L.: Honeypots: Tracking Hackers. Addison-Wesley, Reading (2003)"},{"key":"3_CR39","unstructured":"Staniford, S., Paxson, V., Weaver, N.: How to Own the Internet in Your Spare Time. 
In: Proceedings of 2002 Usenix Security Symposium (2002)"},{"key":"3_CR40","unstructured":"Staniford, S.: Code red analysis pages: July infestation analysis, http:\/\/www.silicondefense.com\/cr\/july.html (2001)"},{"key":"3_CR41","unstructured":"Inc. VMWare. Gsx server 3, http:\/\/www.vmware.com\/products\/server (2004)"},{"key":"3_CR42","doi-asserted-by":"crossref","unstructured":"Valdes, A., Skinner, K.: Probabilistic alert correlation. In: Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID) (October 2001)","DOI":"10.1007\/3-540-45474-8_4"},{"key":"3_CR43","unstructured":"Williamson, M.M.: Throttling viruses: Restricting propagation to defeat malicious mobile code. Technical report (2002), HPL-2002-172"},{"key":"3_CR44","unstructured":"Williamson, M.M., L\u00e9veill\u00e9, J.: An epidemiological model of virus spread and cleanup. Technical report (2003), HPL-2003-30"},{"key":"3_CR45","doi-asserted-by":"crossref","unstructured":"Weaver, N., Paxson, V., Staniford, S., Cunningham, R.: A taxonomy of computer worms. In: 2003 ACM Workshop on Rapid Malcode (WORM 2003), ACM SIGSAC (October 2003)","DOI":"10.1145\/948187.948190"},{"key":"3_CR46","unstructured":"Wu, J., Vangala, S., Gao, L., Kwiat, K.: An efficient architecture and algorithm for detecting worms with various scan techniques. In: Proceedings of the 11th Annual Network and Distributed System Security Symposium (NDSS 2004) (February 2004) (to appear)"},{"key":"3_CR47","unstructured":"Yegneswaran, V., Barford, P., Jha, S.: Global intrusion detection in the domino overlay system. In: Proceedings of NDSS (2004)"},{"key":"3_CR48","doi-asserted-by":"crossref","unstructured":"Zou, C.C., Gao, L., Gong, W., Towsley, D.: Monitoring and early warning for internet worms. 
In: Proceedings of 10th ACM Conference on Computer and Communications Security (CCS 2003) (October 2003)","DOI":"10.1145\/948109.948136"},{"key":"3_CR49","doi-asserted-by":"crossref","unstructured":"Zou, C.C., Gong, W., Towsley, D.: Code red worm propagation modeling and analysis. In: Proceedings of 9th ACM Conference on Computer and Communications Security (CCS 2002) (October 2002)","DOI":"10.1145\/586110.586130"}],"container-title":["Lecture Notes in Computer Science","Recent Advances in Intrusion Detection"],"original-title":[],"link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-540-30143-1_3.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2020,11,19]],"date-time":"2020-11-19T04:44:52Z","timestamp":1605761092000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-540-30143-1_3"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2004]]},"ISBN":["9783540231233","9783540301431"],"references-count":49,"URL":"https:\/\/doi.org\/10.1007\/978-3-540-30143-1_3","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2004]]}}}