By Topic

HoneyIM: Fast Detection and Suppression of Instant Messaging Malware in Enterprise-Like Networks

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$31 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

3 Author(s)
Mengjun Xie ; Coll. of William & Mary, Williamsburg ; Zhenyu Wu ; Haining Wang

Instant messaging (IM) has been one of most frequently used malware attack vectors due to its popularity. Distinct from other malware, it is straightforward for IM malware to find and hit the next victim by exploiting the current victim's contact list and playing social engineering tricks. Thus, the spread of IM malware is much harder to detect and suppress through conventional approaches. The previous solutions are ineffective to defend against IM malware in an enterprise-like network environment, mainly because of high false positive rate and the requirement of the IM server being inside the protected network. In this paper, we propose a novel IM malware detection and suppression mechanism, HoneyIM, which guarantees almost zero false positive on detecting and blocking IM malware in an enterprise-like network. The detection of HoneyIM is based on the concept of honeypot. HoneyIM uses decoy accounts to trap IM malware by leveraging malware spreading characteristics. Fed with accurate detection results, the suppression of HoneyIM can conduct a network-wide blocking. In addition, HoneyIM delivers attack information to network administrators in real-time so that system quarantine and recovery can be quickly performed. The core design of HoneyIM is generic, and can be applied to the scenarios that either enterprise IM services or public IM services are used in the protected network. Based on open-source IM client Pidgin and client honeypot Capture, we build a prototype of HoneyIM and validate its efficacy through both simulations and real experiments. Our results show that HoneyIM provides effective protection against IM malware in enterprise-like networks.

Published in:

Computer Security Applications Conference, 2007. ACSAC 2007. Twenty-Third Annual

Date of Conference:

10-14 Dec. 2007