Comparative survey of local honeypot sensors to assist network forensics

P. T. Chen, C. S. Laih, F. Pouget, Marc Dacier

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

11 Citations (Scopus)

Abstract

This paper intends to illustrate the usefulness of deploying multiple simple honeypot sensors in a large variety of locations. Indeed, a permanent identification of anomalies that occur on a single sensor allows pinpointing abnormal local activities. These can be the manifest of misconfiguration issues or highlight attacks particular to some given environments. Both cases are important for administrators in charge of the networks hosting the sensors. We propose in this paper a comparison of simple parameters that reveal to be an easy way to determine these abnormal and particular activities. On the basis of two identical honeypot sensors that we have deployed for more than 6 months in France and in Taiwan, we detail the analysis of some anomalies that have been found against one unique sensor only. This is a preliminary but useful stage for network forensics and we intend in a near future to deploy the method over a large number of sensors. This is an on-going work and we hope that the illustrations we provide all along the paper will be a good incentive for partners to join this open project.

Original language: English
Title of host publication: Proceedings - First International Workshop on Systematic Approaches to Digital Forensic Engineering
Pages: 120-132
Number of pages: 13
Volume: 2005
DOIs: https://doi.org/10.1109/SADFE.2005.6
Publication status: Published - 2005
Externally published: Yes
Event: Proceedings - First International Workshop on Systematic Approaches to Digital Forensic Engineering - Taipei
Duration: 7 Nov 2005 to 9 Nov 2005

Other

Other: Proceedings - First International Workshop on Systematic Approaches to Digital Forensic Engineering
City: Taipei
Period: 7/11/05 to 9/11/05

Fingerprint

Sensors
Digital forensics

ASJC Scopus subject areas

  • Engineering(all)

Cite this

Chen, P. T., Laih, C. S., Pouget, F., & Dacier, M. (2005). Comparative survey of local honeypot sensors to assist network forensics. In Proceedings - First International Workshop on Systematic Approaches to Digital Forensic Engineering (Vol. 2005, pp. 120-132). [1592526] https://doi.org/10.1109/SADFE.2005.6

@inproceedings{bd6f100b2a494d7a8d5ff0d6e1efa95f,
title = "Comparative survey of local honeypot sensors to assist network forensics",
author = "Chen, {P. T.} and Laih, {C. S.} and F. Pouget and Marc Dacier",
year = "2005",
doi = "10.1109/SADFE.2005.6",
language = "English",
isbn = "0769524788",
volume = "2005",
pages = "120--132",
booktitle = "Proceedings - First International Workshop on Systematic Approaches to Digital Forensic Engineering",

}

TY - GEN

T1 - Comparative survey of local honeypot sensors to assist network forensics

AU - Chen, P. T.

AU - Laih, C. S.

AU - Pouget, F.

AU - Dacier, Marc

PY - 2005

Y1 - 2005

UR - http://www.scopus.com/inward/record.url?scp=33847230917&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=33847230917&partnerID=8YFLogxK

U2 - 10.1109/SADFE.2005.6

DO - 10.1109/SADFE.2005.6

M3 - Conference contribution

AN - SCOPUS:33847230917

SN - 0769524788

SN - 9780769524788

VL - 2005

SP - 120

EP - 132

BT - Proceedings - First International Workshop on Systematic Approaches to Digital Forensic Engineering

ER -