About the efficiency of malware monitoring via server-side honeypots

Abstract

Gathering information on malware activity is based on two sources of information: trap systems (Honeypots) and program agents in the AntiVirus tools. Both of them deliver only fragmentary picture of malware population, visible from trap systems or from users systems on corporate or home networks. Due to this fragmentation, there is no uniform overall picture of malware state, and various sources present different, often quite different approximations thereof, depending on the their ability of gathering samples of various types of threats and operating locally malware. Another question is how complete is this picture and whether the tools used do not lose some important informations. The paper compares current available informations about malware with data gathered by a set of honeypot systems and discusses usability of some types of malware traps at current state of malware expansion.