Future Work, cont.

- Similar analysis for non-port 80 traffic
- Sampled responses
- Only catch new automated exploit tools
- UMD-CERT/CC "Trend Analysis of Exploitations"
- Lightweight host/service emulation via honeyd (http://www.citi.umich.edu/u/provos/honeyd/)
- Differentiate between exploit tools
- Correlate scan sources and targets
- Wide-area stepping-stone detection?