A Honeyfarm Data Control Mechanism and Forensic Study

  • Wei Yin
  • Hongjian Zhou
  • Chunlei Yang
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 237)


Honeyfarm is a model to deploy honeypots for global network attack monitoring, correlation and forensic analysis. Data control is a fundamental problem in the honeyfarm to protect the Internet from being attacked by compromised honeypots in the honeyfarm, while providing a controlled environment for worm behaviour study. However, this problem is not well addressed in a limited number of existing implementations. This paper presents a honeyfarm system and focuses on the design of a data control mechanism based on Intrusion detection and Data redirection (DOID). Comprehensive experiments including attack event tracing, worm behaviour study and forensic analysis display that DOID is a good tool for attack monitoring and forensic analysis.


Honeyfarm Data control Forensic analysis 


  1. 1.
    Jiang, X., Xu, D., Wang, Y.-M.: Collapsar: AVM-based honeyfarm and reverse honeyfarm architecture for network attack capture and detention. J. Parallel Distrib. Comput. 66, 1165–1180 (2006)CrossRefzbMATHGoogle Scholar
  2. 2.
    Vrable, M., Ma, J., Chen, J., Moore, D., Vandekieft, E., Snoeren, A.C., Voelker, G.M., Savage, S.: Scalability, fidelity, and containment in the potemkin virtual honeyfarm. In: Proceedings of the ACM Symposium on Operating Systems Principles. ACM, Brighton, October 2005Google Scholar
  3. 3.
    Spitzner, L.: Honeypots: Tracking Hackers, pp. 1–480. Addison Wesley, Boston (2002)Google Scholar
  4. 4.
    Burkhart, M., Schatzmann, D., Trammell, B., Boschi, E., Plattner, B.: The role of network trace anonymization under attack. SIGCOMM Comput. Commun. Rev. 40(1), 5–11 (2010)CrossRefGoogle Scholar
  5. 5.
    Jain, P., Sardana, A.: Defending against internet worms using honeyfarm. In: Proceedings of the CUBE International Information Technology Conference, CUBE 2012, Pune, India, pp. 795–800. ACM (2012)Google Scholar
  6. 6.
    Krishnan, S., Snow, K.Z., Monrose, F.: Trail of bytes: efficient support for forensic analysis. In: Proceedings of the 17th ACM CCS, Chicago, Illinois, USA, pp. 50–60. ACM (2010)Google Scholar
  7. 7.
  8. 8.
  9. 9.
    Kaur, R., Singh, M.: A survey on zero-day polymorphic worm detection techniques. IEEE Commun. Surv. Tutor. 16(3), 1520–1549 (2014)CrossRefGoogle Scholar
  10. 10.
    Abbasi, F.H., Harris, R.J.: Experiences with a generation III virtual honeynet. In: Proceedings of ATNAC, pp. 1–9 (2009)Google Scholar
  11. 11.
    Kumar, S., Singh, P., Sehgal, R., Bhatia, J.S.: Distributed honeynet system using Gen III virtual honeynet. Int. J. Comput. Theory Eng. 4(4), 537–541 (2012)CrossRefGoogle Scholar
  12. 12.
    Kim, I.S., Kim, M.H.: Agent-based honeynet framework for protecting servers in campus networks. IET Inf. Secur. 6(3), 202–211 (2012)CrossRefGoogle Scholar
  13. 13.
    He, X.-Y., Lam, K.-Y., Chung, S.-L., Chi, C.-H., Sun, J.-G.: Real-time emulation of intrusion victim in honeyfarm. In: Chi, C.-H., Lam, K.-Y. (eds.) AWCC 2004. LNCS, vol. 3309, pp. 143–154. Springer, Heidelberg (2004). Scholar
  14. 14.
    Kreibich, C., Weaver, N., Kanich, C., Cui, W., Paxson, V.: GQ: practical containment for measuring modern malware systems. In: Proceedings of the 2011 ACM SIGCOMM IMC, Toronto, Canada, pp. 397–412. ACM (2011)Google Scholar
  15. 15.
    Al Fahdi, M., Clarke, N.L., Li, F., Furnell, S.M.: A suspect-oriented intelligent and automated computer forensic analysis. Digit. Invest. 18, 65–76 (2016)CrossRefGoogle Scholar
  16. 16.
    da Cruz Nassif, L.F., Huschka, E.R.: Document clustering for forensic analysis: an approach for improving computer inspection. IEEE Trans. Inf. Forensics Secur. 8(1), 46–54 (2013)CrossRefGoogle Scholar
  17. 17.
    Ovens, K.M., Morison, G.: Forensic analysis of Kik messenger on iOS devices. Digit. Invest. 17, 40–52 (2016)CrossRefGoogle Scholar
  18. 18.
    Walnycky, D., Baggili, I., Marrington, A., Moore, J., Breitinger, F.: Network and device forensic analysis of android social-messaging applications. Digit. Invest. 14, 77–84 (2015)CrossRefGoogle Scholar
  19. 19.
    Anglano, C.: Forensic analysis of whatsapp messenger on android smartphones. Digit. Invest. 11, 201–213 (2014)CrossRefGoogle Scholar
  20. 20.
    Vrable, M., Ma, J., Chen, J., Moore, D., Vandekieft, E., Snoeren, A.C., Voelker, G.M., Savage, S.: A forensic analysis of android malware how is malware written and how it could be detected? In: Proceedings of IEEE 38th Annual International Computer, Software and Applications Conference (2014)Google Scholar

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018

Authors and Affiliations

  1. 1.North China Institute of Computing TechnologyBeijingChina

Personalised recommendations