Graduate School and Research Center in Digital Sciences

Honeypot-based forensics

Pouget, Fabien;Dacier, Marc

AusCERT2004, AusCERT Asia Pacific Information technology Security Conference 2004, 23rd - 27th May 2004, Brisbane, Australia

Some attacks on honeypots are very frequent and repetitive. In addition, such repetitive attacks generate a very large amount of data. In this paper, we show that it might be misleading to consider general statistics obtained on these data without carrying out an in-depth analysis of the various processes that have led to their creation. We show that such analysis can be done by means of a simple clustering approach. We present an algorithm to characterize the root causes of these attacks. This algorithm enables us to obtain valuable and non-trivial information to identify the various attacks targeting our environment. We use this algorithm to identify root causes in the data collected from our honeypot environment. We demonstrate that identifying the root causes is a prerequisite for a better understanding of the malicious activity observed by means of honeypot environments. Finally, we hope this work will open new avenues for the ongoing work related to honeynets.


Title: Honeypot-based forensics
Keywords: Log analysis; attack forensics; alert correlation; quantitative risk assessment; honeypots; root cause analysis
Type: Conference
Language: English
City: Brisbane
Country: AUSTRALIA
Date:
Department: Digital Security
Eurecom ref: 1417
Bibtex:
@inproceedings{EURECOM+1417,
  doi = {http://www.isi.qut.edu.au/events/conferences/auscert2004/papers/pouget04honeypot.pdf},
  year = {2004},
  title = {{H}oneypot-based forensics},
  author = {{P}ouget, {F}abien and {D}acier, {M}arc},
  booktitle = {{A}us{CERT}2004, {A}us{CERT} {A}sia {P}acific {I}nformation technology {S}ecurity {C}onference 2004, 23rd - 27th {M}ay 2004, {B}risbane, {A}ustralia},
  address = {{B}risbane, {AUSTRALIA}},
  month = {05},
  url = {http://www.eurecom.fr/publication/1417}
}