Quality of Protection pp 79-91
Collection and analysis of attack data based on honeypots deployed on the Internet
The CADHo project (Collection and Analysis of Data from Honeypots) is an ongoing research action funded by the French ACI “Sécurité & Informatique”. It aims at building an environment to better understand threats on the Internet and at providing models to analyze the observed phenomena. Our approach consists in deploying, and sharing with the scientific community, a distributed platform based on honeypots that gathers data suitable for analyzing the attack processes targeting machines connected to the Internet. This distributed platform, called Leurré.com and administered by Institut Eurecom, offers each partner collaborating in this initiative access to all collected data in order to carry out statistical analyses and modeling activities. So far, about thirty honeypots have been operational for several months in twenty countries across the five continents. This paper presents a brief overview of this distributed platform and examples of results derived from the data. It also outlines the approach investigated to model the observed attack processes and to describe the intruders' behaviors once they manage to gain access to a target machine.