Abstract
This paper presents the “Leurré.com” project and its first results in some depth. The project deploys so-called low-interaction honeypot platforms all over the world to collect, in a centralized database, a set of information amenable to the analysis of today's Internet threats. At the time of this writing, around two dozen platforms have been deployed on five continents. The paper offers some insight into the findings that can be derived from such a data set. More importantly, the design and structure of the repository are presented and justified by means of several examples that highlight the simplicity and efficiency of extracting useful information from it. We explain why such a low-cost, widely distributed system represents an important, foundational element toward the building of early warning information systems.
This research is supported by a research contract with France Telecom R&D, Contract Number 46127561
© 2005 Springer
Pouget, F., Dacier, M., Pham, V., Debar, H. (2005). Honeynets: Foundations for the Development of Early Warning Information Systems. In: Kowalik, J.S., Gorski, J., Sachenko, A. (eds) Cyberspace Security and Defense: Research Issues. NATO Science Series II: Mathematics, Physics and Chemistry, vol 196. Springer, Dordrecht. https://doi.org/10.1007/1-4020-3381-8_13
DOI: https://doi.org/10.1007/1-4020-3381-8_13
Publisher Name: Springer, Dordrecht
Print ISBN: 978-1-4020-3379-7
Online ISBN: 978-1-4020-3381-0