[1] K. G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, and A. D. Keromytis. Detecting targeted attacks using shadow honeypots. In Proceedings of 14th USENIX Security Symposium, pp. 129–144, 2005.
[2] Michael Bailey, Evan Cooke, Farnam Jahanian, Jose Nazario, and David Watson. The Internet motion sensor: A distributed blackhole monitoring system. In NDSS '05: Proceedings of the 12th Annual Network and Distributed System Security Symposium, 2005.
[3] Edward Balas and Camilo Viecco. Towards a third generation data capture architecture for honeynets. In Proceeedings of the 6th IEEE Information Assurance Workshop, West Point, 2005. IEEE.
[4] David M. Beazley. Python Essential Reference. New Riders, 2nd edition, 2001.
[5] Rainer Böhme and Thorsten Holz. The effect of stock spam on financial markets. In Proceedings of 5th Workshop on the Economics of Information Security (WEIS 2006), June 2006.
[6] Caida, the cooperative association for Internet data analysis. http://www.caida.org/.
[7] Carl-Mitchell Smoot and John S. Quarterman. Using ARP to implement transparent subnet gateways. RFC 1027, October 1987.
[8] Douglas E. Comer. Internetworking with TCP/IP: Principles, Protocols, and Architecture. Prentice Hall, 4th edition, 2000.
[9] Computer Emergency Response Team. CERT advisory CA-1996-21 TCP SYN flooding attacks. http://www.cert.org/advisories/CA-1996-21.html, 1996.
[10] Evan Cooke, Michael Bailey, Z. Morley Mao, David Watson, Farnam Jahanian, and Danny McPherson. Toward understanding distributed blackhole placement. In WORM '04: Proceedings of the 2004 ACM Workshop on Rapid Malcode, pp. 54–64, New York, 2004. ACM Press.
[11] Evan Cooke, Farnam Jahanian, and Danny McPherson. The zombie roundup: Understanding, detecting, and disrupting botnets. In Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI), pp. 39–44, June 2005.
[12] Joseph Corey. Local honeypot identification, September 2003. http://www.ouah.org/p62-0x07.txt.
[13] Joseph Corey. Advanced honeypot identification, January 2004. http://www.ouah.org/p63-0x09.txt.
[14] M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-end containment of Internet worms. In Proceedings of the 20th ACM Symposium on Operating System Principles (SOSP), October 2005.
[15] Weidong Cui, Vern Paxson, Nicholas Weaver, and Randy H. Katz. Protocol-independent adaptive replay of application dialog. In Proceedings of the 2006 Network and Distributed System Security Symposium, February 2006.
[16] Team Cymru. The darknet project. http://www.cymru.com/Darknet/, 2004.
[17] David Dagon, Cliff Zou, and Wenke Lee. Modeling botnet propagation using time zones. In NDSS, 2006.
[18] Robert Danford. Second generation honeyclients. https://handlers.dshield.org/rdanford/pub/Honeyclients_Danford_SANSfire%06.pdf.
[19] Symantec decoy server. http://www.symantec.com.
[20] G. Delalleau. Mesure locale des temps d'execution: application au controle d'integrite et au fingerprinting. In SSTIC 2004, 2004. http://actes.sstic.org/SSTIC04/Fingerprinting_integrite_par_timing/.
[21] Dave Dittrich. Distributed denial of service (DDoS) attacks/tools resource page. http://staff.washington.edu/dittrich/misc/ddos/.
[22] F-Secure. F-Secure virus descriptions: Santy. http://www.f-secure.com/vdescs/santy_a.shtml, December 2004.
[23] Kevin Fall. Network emulation in the VINT/NS simulator. In Proceedings of the Fourth IEEE Symposium on Computers and Communications, July 1999.
[24] Holy Father. Hooking Windows API — technics of hooking API functions on Windows. Code Breakers Journal, 1(2), 2004.
[25] FBI. Report on Operation Cyberslam. http://www.reverse.net/operationcyberslam.pdf, February 2004. http://www.securityfocus.com/news/9411http://www.fbi.gov/mostwant/fugitive/jan2005/janechouafni.htm.
[26] Peter Ferrie. Attacks on virtual machine emulators. In Proceedings of the 9th Annual AVAR International Conference, December 2006.
[27] Tom Fischer. Botnetze. In Proceedings of 12th DFN-CERT Workshop, March 2005.
[28] Felix Freiling, Thorsten Holz, and Georg Wicherski. Botnet tracking: Exploring a root-cause methodology to prevent distributed denial-of-service attacks. In 10th European Symposium on Research in Computer Security, ESORICS'05, Lecture Notes in Computer Science. Springer, 2005.
[29] Lee Garber. Denial-of-service attacks rip the Internet. Computer, 33(4):12–17, April 2000.
[30] LURHQ Threat Intelligence Group. Sinit p2p trojan analysis. http://www.lurhq.com/sinit.html, 2003.
[31] LURHQ Threat Intelligence Group. Bobbax worm analysis. http://www.lurhq.com/bobax.html, 2004.
[32] LURHQ Threat Intelligence Group. Phatbot trojan analysis. http://www.lurhq.com/phatbot.html, 2004.
[33] grugq. Fist! fist! fist! its all in the wrist: Remote exec. http://www.phrack.org/archives/62/p62-0x08_Remote_Exec.txt.
[34] S. Hanks, T. Li, D. Farinacci, and P. Traina. Generic routing encapsulation (GRE). RFC 1701, October 1994.
[35] S. Hanks, T. Li, D. Farinacci, and P. Traina. Generic routing encapsulation over IPv4 networks. RFC 1702, October 1994.
[36] Thorsten Holz and Laurent Oudot. Defeating honeypots: Network issues. http://www.securityfocus.com/infocus/1803 and http://www.security-focus.com/infocus/1805.
[37] Honeypot procfs. http://user-mode-linux.sourceforge.net/hppfs.html.
[38] Galen C. Hunt and Doug Brubacker. Detours: Binary interception of Win32 functions. In Proceedings of the 3rd USENIX Windows NT Symposium, pp. 135–143. Advanced Computing Systems Association, 1999.
[39] IEEE. IEEE standards. http://standards.ieee.org/regauth/oui/oui.txt.
[40] The SANS Institute. Distributed intrusion detection system. http://dshield.org/.
[41] The SANS Institute. Internet storm center. http://isc.sans.org/.
[42] Ivo Ivanov. API Hooking Revealed. The Code Project, 2002.
[43] X. Jiang and D. Xu. Collapsar: A VM-based architecture for network attack detention center. In Proceedings of the USENIX Security Symposium, August 2004. http://citeseer.ist.psu.edu/jiang04collapsar.html.
[44] M. St. Johns. Identification protocol, February 1993. Request for Comments: RFC 1413.
[45] Andrew Kalafut, Abhinav Acharya, and Minaxi Gupta. A study of malware in peer-to-peer networks. In Internet Measurement Conference, pp. 327–332, 2006.
[46] Ken Kato. VMware backdoor I/O port. http://chitchat.at.infoseek.co.jp/vmware/backdoor.html.
[47] Tan Chew Keong. Kproccheck, Win2k kernel hidden process/module checker. http://www.security.org.sg/code/kproccheck.html.
[48] Tobias Klein. Scoopy doo: VMware fingerprint suite. http://www.trapkit.de/research/vmm/scoopydoo/, July 2003.
[49] Tadayoshi Kohno, Andre Broido, and K. C. Claffy. Remote physical device fingerprinting. In Proceedings of the 2005 IEEE Symposium on Security and Privacy, pp. 211–225, Washington, DC, USA, 2005. IEEE Computer Society.
[50] Kostya Kortchinsky. Patch for VMware, 2004. http://honeynet.rstack.org/tools/vmpatch.c.
[51] C. Kreibich and J. Crowcroft. Honeycomb — creating intrusion detection signatures using honeypots. In Proceedings of the 2nd Workshop on Hot Topic in Networks (HotNets-II), Boston, MA, 2003.
[52] Tom Liston and Ed Skoudis. On the cutting edge: Thwarting virtual machine detection. http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf.
[53] Madsys. Finding hidden kernel modules (the extreme way). http://www.phrack.org/archives/61/p61-0x03_Linenoise.txt.
[54] TIME magazine. The invasion of the Chinese cyberspies (and the man who tried to stop them). http://www.time.com/time/magazine/article/0,9171,1098961-1,00.html, August 2005.
[55] Bred McDanel. TCP timestamping and remotely gathering uptime information, March 2001.
[56] David Moore, Geoffrey M. Voelkeroffrey, and Stefan Savage. Inferring Internet denial-of-service activity. In Proceedings of the 10th USENIX Security Symposium, August 2001.
[57] Alex Moshchuk, Tanya Bragin, Steven D. Gribble, and Henry M. Levy. A crawler-based study of spyware on the web. In NDSS, 2006.
[58] Daniel Myers and Adam Bazinet. Intercepting arbitrary functions on Windows, Unix, and Macintosh OS X platforms. Technical Report CS-TR-4585, University of Maryland, 2004.
[59] Jose Nazario. Nugache: TCP port 8 bot. http://asert.arbor-networks.com/2006/05/nugache-tcp-port-8-bot/, 2006.
[60] S. B. Needleman and C. D. Wunsch. A general method applicable to the search for similarities in the amino acid sequences of two proteins. Journal of Molecular Biology, 48:443–453, 1970.
[61] BBC News. Hacker threats to bookies probed. http://news.bbc.co.uk/1/hi/technology/3513849.stm, February 2004.
[62] James Newsome, Brad Karp, and Dawn Song. Polygraph: Automatically generating signatures for polymorphic worms. In Proceedings of the 2005 IEEE Symposium on Security and Privacy, pp. 226–241, Washington, DC, 2005. IEEE Computer Society.
[63] Norman SandBox, whitepaper, 2003. http://sandbox.norman.no/pdf/03_sandbox%20whitepaper.pdf.
[64] Vern Paxson. Bro: A system for detecting network intruders in real-time. In Proceedings of the 7th USENIX Security Symposium, January 1998.
[65] Gerald J. Popek and Robert P. Goldberg. Formal requirements for virtualizable third generation architectures. Commun. ACM, 17(7):412–421, 1974.
[66] Jonathan B. Postel. Simple Mail Transfer Protocol. RFC 821, August 1982.
[67] Niels Provos. A virtual honeypot framework. In Proceedings of 13th USENIX Security Symposium, pp. 1–14. USENIX, 2004.
[68] Niels Provos, Joe McClain, and Ke Wang. Search worms. In WORM '06: Proceedings of the 4th ACM Workshop on Recurring Malcode, pp. 1–8, New York, 2006. ACM Press.
[69] Niels Provos, Joe McClain, and Ke Wang. Search worms. In WORM '06: Proceedings of the 4th ACM workshop on Recurring malcode, pp. 1–8, New York, 2006. ACM Press.
[70] Thomas Ptacek and Timothy Newsham. Insertion, evasion, and denial of service: Eluding network intrusion detection. Secure Networks Whitepaper, August 1998.
[71] Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis. A multifaceted approach to understanding the botnet phenomenon. In IMC '06: Proceedings of the 6th ACM SIGCOMM on Internet Measurement, pp. 41–52. ACM Press, 2006.
[72] Marcus Ranum. Bait and switch with Honeyd. http://infosecuritymag.techtarget.com/2003/feb/baitswitch.shtml, February 2003.
[73] J. Robin and C. Irvine. Analysis of the Intel Pentium's ability to support a secure virtual machine monitor. In Proceedings of the 9th USENIX Security Symposium, August 2000.
[74] Joanna Rutkowska. Red Pill . . . or how to detect VMM using (almost) one CPU instruction. http://invisiblethings.org/papers/redpill.html, November 2004.
[75] Jan K. Rutkowski. Execution path analysis: Finding kernel-based rootkits. http://www.phrack.org/archives/59/p59-0x13.
[76] SANS. Top-20 Internet security attack targets. http://www.sans.org/top20/, 2006.
[77] Christoph L. Schuba, Ivan V. Krsul, Markus G. Kuhn, Eugene H. Spafford, Aurobindo Sundaram, and Diego Zamboni. Analysis of a denial of service attack on TCP. In Proceedings of the 1997 IEEE Symposium on Security and Privacy, pp. 208–223. IEEE Computer Society, IEEE Computer Society Press, May 1997.
[78] sd and devik. Linux on-the-fly kernel patching without lkm. http://phrack.org/archives/58/p58-0x07.
[79] Seungwon Shin, Jaeyeon Jung, and Hari Balakrishnan. Malware prevalence in the kazaa file-sharing network. In Internet Measurement Conference, pp. 333–338, 2006.
[80] Yoichi Shinoda, Ko Ikai, and Motomu Itoh. Vulnerabilities of passive Internet threat monitors. In Proceedings of 14th USENIX Security Symposium, pp. 209–224, 2005.
[81] John F. Shoch and Jon A. Hupp. The "worm" programs, early experience with a distributed computation. Commun. ACM, 25(3):172–180, 1982.
[82] Separate kernel address space & uml. http://user-mode-linux.source-forge.net/skas.html.
[83] Snort — the de facto standard for intrusion detection/prevention. http://www.snort.org/.
[84] snort-inline. http://snort-inline.sourceforge.net/.
[85] Doug Song, Rob Malan, and Robert Stone. A global snapshot of Internet worm activity, 2001. http://research.arbor.net/downloads/snapshot_worm_activity.pdf.
[86] Doug Song, Robert Malan, and Robert Stone. A snapshot of global worm activity. Technical report, Arbor Networks, November 2001.
[87] Specter intrusion detection system. http://www.specter.com.
[88] Lance Spitzner. Honeypots: Tracking Hackers. Addison-Wesley, 2002.
[89] Sankalp Singh, Srikanth Kandula, and Dheeraj Sanghi. Argus — a distributed network intrusion detection system. In Proceedings of USENIX SANE 2002, 2002.
[90] Stuart Staniford, David Moore, Vern Paxson, and Nicholas Weaver. The top speed of flash worms. In Proceedings of ACM CCS WORM, 2004.
[91] Stuart Staniford, Vern Paxson, and Nicholas Weaver. How to own the Internet in your spare time. In Proceedings of the 11th USENIX Secuirty Symposium, August 2002.
[92] W. R. Stevens. TCP/IP Illustrated, Volume 1. Addison-Wesley, 1994.
[93] Joe Stewart. Storm worm DDoS attack. http://www.secureworks.com/research/threats/storm-worm, 2007.
[94] Jeremy Sugerman, Ganesh Venkitachalam, and Beng-Hong Lim. Virtualizing I/O devices on VMware workstation's hosted virtual machine monitor. In Proceedings of the Annual USENIX Technical Conference, pp. 25–30, June 2001.
[95] Symantec. Security Response Center. http://securityresponse.symantec.com/.
[96] Greg Taleck. SYNSCAN: Towards complete TCP/IP fingerprinting. http://synscan.sourceforge.net/, Mar 2004.
[97] Andrew S. Tanenbaum. Computer Networks. Prentice Hall, 4th edition, 2002.
[98] The Honeynet Project. Know your enemy: Learning with user-mode Linux, December 2002. http://www.honeynet.org/papers/uml/.
[99] The Honeynet Project. Know your enemy: Sebek, November 2003. http://www.honeynet.org/papers/sebek.pdf.
[100] The Honeynet Project. Know your enemy: Phishing, May 2005. http://www.honeynet.org/papers/phishing/.
[101] J. Twycross and M. M. Williamson. Implementing and testing a virus throttle. In Proceedings of the 12th USENIX Security Symposium, August 2003.
[102] The User-Mode Linux kernel home page. http://user-mode-linux.sourceforge.net/.
[103] VMware. Virtual infrastructure software. http://www.vmware.com/.
[104] Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker, and Stefan Savage. Scalability, fidelity, and containment in the Potemkin virtual honeyfarm. In SOSP '05: Proceedings of the Twentieth ACM Symposium on Operating Systems Principles, pp. 148–162, New York, 2005. ACM Press.
[105] David Wagner and Paolo Soto. Mimicry attacks on host-based intrusion detection systems. In Proceedings of the 9th ACM Conference on Computer and Communications Security, November 2002.
[106] Kathy Wang. Honeyclient development project. http://honeyclient.org.
[107] Yi-Min Wang, Doug Beck, Xuxian Jiang, Roussi Roussev, Chad Verbowski, Shuo Chen, and Samuel T. King. Automated web patrol with strider honeymonkeys: Finding web sites that exploit browser vulnerabilities. In NDSS, 2006.
[108] Yi-Min Wang, Doug Beck, Jeffrey Wang, Chad Verbowski, and Brad Daniels. Strider typo-patrol: Discovery and analysis of systematic typo-squatting. In Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI), July 2006.
[109] The xampp security console. http://www.apachefriends.org/en/xamppwindows.html#1221.
[110] Vinod Yegneswaran, Paul Barford, and Somesh Jha. Global intrusion detection in the DOMINO overlay system. In NDSS '04: Proceedings of the 11th Annual Network and Distributed System Security Symposium, 2004.
[111] Vinod Yegneswaran, Paul Barford, and David Plonka. On the design and use of Internet sinks for network abuse monitoring. In RAID, pp. 146–165, 2004.
[112] Diego Zamboni, James Riordan, and Yann Duponchel. Building and deploying billy goat: a worm-detection system. In Proceedings of 18th FIRST Conference, June 2006.