Honeypot traces forensics by means of attack event identification

Pham, Van Hau

Internet security is a major issue nowadays. Several research initiatives have been carried out to understand Internet security threats. Recently, a domain called attack attribution has emerged that aims at studying the modus operandi of the attacks and at identifying the characteristics of the groups responsible for the observed attacks. The work presented in this thesis contributes to the efforts in this area. We show in this work that, starting from network traces collected over two years on a distributed system of low-interaction honeypots, one can extract meaningful and useful knowledge about the attackers. To reach this goal, the thesis makes several important contributions. First of all, we show that attack traces can be automatically grouped into three distinct classes, corresponding to different attack phenomena. We have defined, implemented and validated algorithms to automatically group large amounts of traces per category. Secondly, we show that, for two of these classes, so-called micro and macro attack events can be identified that span a limited amount of time. These attack events are a key element in helping to identify specific activities that would otherwise be lost in the so-called attack background radiation noise. Here too, a new framework has been defined, implemented and validated over 2 years of traces. Hundreds of significant attack events have been found in our traces. Last but not least, we show that, by grouping attack events together, it is possible to highlight the modus operandi of the organizations responsible for the attacks. The experimental validation of our approach led to the identification of dozens of so-called zombie armies. Their main characteristics are presented in the thesis and reveal new insights into the dynamics of the attacks carried out over the Internet.



Digital security
Eurecom Ref:
© TELECOM ParisTech. Personal use of this material is permitted. The definitive version of this paper was published in Thesis and is available at:

PERMALINK: https://www.eurecom.fr/publication/2882