Graduate School and Research Center in Digital Sciences

Honeypot traces forensics : the observation view point matters

Pham, Van-Hau;Dacier, Marc

NSS 2009, 3rd International Conference on Network and System Security, October 19-21, 2009, Gold Cost, Australia

Best paper award

In this paper, we propose a method to identify and group together traces left on low interaction honeypots by  machines belonging to the same botnet(s) without having any a priori information at our disposal regarding these botnets. In  other terms, we offer a solution to detect new botnets thanks  to very cheap and easily deployable solutions. The approach is validated thanks to several months of data collected with the  worldwide distributed Leurr´ system. To distinguish the  relevant traces from the other ones, we group them according  to either the platforms, i.e. targets hit or the countries of  origin of the attackers. We show that the choice of one of these two observation viewpoints dramatically influences the  results obtained. Each one reveals unique botnets. We explain why. Last but not least, we show that these botnets remain  active during very long periods of times, up to 700 days, even if the traces they left are only visible from time to time.    

Document Doi Bibtex

Title:Honeypot traces forensics : the observation view point matters
Keywords:honeypot; attack trace analysis; botnet detection
City:Gold Cost
Department:Digital Security
Eurecom ref:2873
Copyright: © 2009 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.
Bibtex: @inproceedings{EURECOM+2873, doi = { }, year = {2009}, title = {{H}oneypot traces forensics : the observation view point matters}, author = {{P}ham, {V}an-{H}au and {D}acier, {M}arc}, booktitle = {{NSS} 2009, 3rd {I}nternational {C}onference on {N}etwork and {S}ystem {S}ecurity, {O}ctober 19-21, 2009, {G}old {C}ost, {A}ustralia}, address = {{G}old {C}ost, {AUSTRALIA}}, month = {10}, url = {} }
See also: