Graduate School and Research Center in Digital Sciences

Honeypot traces forensics by means of attack event identification

Pham, Van Hau


Internet security is a major issue nowadays. Several research initiatives have been carried out to understand the Internet security threats. Recently, a domain has emerged called attack attribution that aims at studying the modus operandi of the attacks and at identifying the characteristics of the groups responsible for the observed attacks. The work presented in this thesis participates to the efforts in this area.We show in this work that, starting from network traces collected over two years on a distributed system of low interaction honeypots, one can extract meaningful and useful knowledge about the attackers. To reach this goal, the thesis makes several important contributions. First of all, we show that attack traces can be automatically grouped into three distinct classes, corresponding to different attack phenomena.We have defined, implemented and validated algorithms to automatically group large amount of traces per category. Secondly, we show that, for two of these classes, so called micro and macro attack events can be identified that span a limited amount of time. These attack events represent a key element to help identifying specific activities that would, otherwise, be lost in the so called attack background radiation noise. Here too, a new framework has been defined, implemented and validated over 2 years of traces. Hundreds of significant attack events have been found in our traces. Last but not least, we showed that, by grouping attack events together, it was possible to highlight the modus operandi of the organizations responsible for the attacks. The experimental validation of our approach led to the identification of dozens of so called zombie armies. Their main characteristics are presented in the thesis and they reveal new insights on the dynamics of the attacks carried out over the Internet.

Document Bibtex

Title:Honeypot traces forensics by means of attack event identification
Department:Digital Security
Eurecom ref:2882
Copyright: © EURECOM. Personal use of this material is permitted. The definitive version of this paper was published in Thesis and is available at :
Bibtex: @phdthesis{EURECOM+2882, year = {2009}, title = {{H}oneypot traces forensics by means of attack event identification}, author = {{P}ham, {V}an {H}au}, school = {{T}hesis}, month = {09}, url = {} }
See also: