Honeypot trace forensics: The observation viewpoint matters

Van Hau Pham, Marc Dacier

Research output: Contribution to journal › Article

21 Citations (Scopus)

Abstract

In this paper, we propose a method to identify and group together traces left on low-interaction honeypots by machines belonging to the same botnet(s) without having any a priori information at our disposal regarding these botnets. In other words, we offer a solution to detect new botnets thanks to very cheap and easily deployable solutions. The approach is validated thanks to several months of data collected with the worldwide distributed Leurré.com system. To distinguish the relevant traces from the other ones, we group them according to either the platforms, i.e. the targets hit, or the countries of origin of the attackers. We show that the choice of one of these two observation viewpoints dramatically influences the results obtained. Each one reveals unique botnets. We explain why. Last but not least, we show that these botnets remain active during very long periods of time, up to 700 days, even if the traces they left are only visible from time to time.
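The abstract's central claim is that grouping the same honeypot traces by target platform or by attacker country surfaces different botnets. The following is an added illustration of that effect, not the authors' code and not the Leurré.com pipeline: it builds a constructed trace set containing two hypothetical botnets (one spread across many countries but focused on a single platform, one confined to a single country but spread over several platforms), aggregates it under each viewpoint, and flags a fingerprint only when enough distinct machines share it on the same day. The burst threshold, the port-sequence fingerprint and all names and addresses are assumptions chosen for the example; the paper's own clustering method is not reproduced here.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Trace(NamedTuple):
    """One low-interaction honeypot trace (constructed sample, not Leurré.com data)."""
    day: int        # day offset from the start of the collection period
    src_ip: str     # attacking machine
    country: str    # country of origin of src_ip
    platform: str   # honeypot platform (the target) that recorded the trace
    ports: str      # port sequence hit, used here as the activity fingerprint


def build_traces() -> List[Trace]:
    """Constructed sample: two hypothetical botnets plus unrelated background noise."""
    traces: List[Trace] = []
    # Botnet A (hypothetical): bots scattered over eight countries, all hitting
    # platform P1 with the same port sequence. Each country contributes one bot,
    # so the activity only stands out when traces are grouped by target platform.
    countries = ["CN", "US", "BR", "RU", "DE", "FR", "IN", "JP"]
    for day in (10, 11, 12, 400, 401, 402):
        for i, cc in enumerate(countries):
            traces.append(Trace(day, f"10.0.0.{i + 1}", cc, "P1", "445|139"))
    # Botnet B (hypothetical): bots all located in one country, spread over four
    # platforms (two bots each), so the activity only stands out when traces are
    # grouped by country of origin. Its two bursts are 700 days apart.
    for day in (50, 51, 749, 750):
        for i in range(8):
            traces.append(Trace(day, f"10.1.0.{i + 1}", "KR", f"P{i % 4 + 1}", "1433"))
    # Background noise: isolated sources that never co-occur with each other.
    for i in range(10):
        traces.append(Trace(i * 70, f"192.0.2.{i + 1}", countries[i % 8], "P1", "22"))
    return traces


def aggregate(traces: List[Trace], viewpoint: str) -> Dict[Tuple[str, str], Dict[int, Set[str]]]:
    """Group traces by (viewpoint key, fingerprint) and collect distinct sources per day.

    viewpoint is "platform" (group by target hit) or "country" (group by origin).
    """
    key_of = {"platform": lambda t: t.platform, "country": lambda t: t.country}[viewpoint]
    per_day: Dict[Tuple[str, str], Dict[int, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for t in traces:
        per_day[(key_of(t), t.ports)][t.day].add(t.src_ip)
    return per_day


def find_botnets(traces: List[Trace], viewpoint: str,
                 min_sources: int = 5) -> Dict[str, Tuple[List[int], int]]:
    """Return {fingerprint: (burst days, active span in days)} for every fingerprint
    that has at least one day on which >= min_sources distinct machines hit the same
    viewpoint key with the same port sequence. This burst criterion is a simplification
    chosen for the illustration, not the clustering used in the paper."""
    bursts: Dict[str, Set[int]] = defaultdict(set)
    for (_key, fp), days in aggregate(traces, viewpoint).items():
        for day, ips in days.items():
            if len(ips) >= min_sources:
                bursts[fp].add(day)
    return {fp: (sorted(d), max(d) - min(d)) for fp, d in bursts.items()}


if __name__ == "__main__":
    sample = build_traces()
    for vp in ("platform", "country"):
        print(f"viewpoint={vp}:")
        for fp, (days, span) in find_botnets(sample, vp).items():
            print(f"  fingerprint {fp!r} bursts on days {days}, active span {span} days")
```

Run as-is, the platform viewpoint reports only the "445|139" fingerprint and the country viewpoint reports only "1433"; neither viewpoint sees both, which is the point of the abstract. The span of the second one comes out at 700 days even though it is visible on only four days, mirroring the long-lived but intermittently visible botnets the authors describe.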

Original language: English
Pages (from-to): 539-546
Number of pages: 8
Journal: Future Generation Computer Systems
Volume: 27
Issue number: 5
DOI: 10.1016/j.future.2010.06.004
Publication status: Published - May 2011
Externally published: Yes

Keywords

  • Attack trace analysis
  • Botnet detection
  • Honeypot

ASJC Scopus subject areas

  • Hardware and Architecture
  • Software
  • Computer Networks and Communications

Cite this

Honeypot trace forensics: The observation viewpoint matters. / Pham, Van Hau; Dacier, Marc.

In: Future Generation Computer Systems, Vol. 27, No. 5, 05.2011, p. 539-546.

Research output: Contribution to journal › Article

@article{4525e5c7d94249a9ad6415bea8a6033f,
title = "Honeypot trace forensics: The observation viewpoint matters",
abstract = "In this paper, we propose a method to identify and group together traces left on low-interaction honeypots by machines belonging to the same botnet(s) without having any a priori information at our disposal regarding these botnets. In other words, we offer a solution to detect new botnets thanks to very cheap and easily deployable solutions. The approach is validated thanks to several months of data collected with the worldwide distributed Leurré.com system. To distinguish the relevant traces from the other ones, we group them according to either the platforms, i.e. the targets hit, or the countries of origin of the attackers. We show that the choice of one of these two observation viewpoints dramatically influences the results obtained. Each one reveals unique botnets. We explain why. Last but not least, we show that these botnets remain active during very long periods of time, up to 700 days, even if the traces they left are only visible from time to time.",
keywords = "Attack trace analysis, Botnet detection, Honeypot",
author = "Pham, {Van Hau} and Marc Dacier",
year = "2011",
month = "5",
doi = "10.1016/j.future.2010.06.004",
language = "English",
volume = "27",
pages = "539--546",
journal = "Future Generation Computer Systems",
issn = "0167-739X",
publisher = "Elsevier",
number = "5",

}

TY - JOUR

T1 - Honeypot trace forensics

T2 - The observation viewpoint matters

AU - Pham, Van Hau

AU - Dacier, Marc

PY - 2011/5

Y1 - 2011/5

AB - In this paper, we propose a method to identify and group together traces left on low-interaction honeypots by machines belonging to the same botnet(s) without having any a priori information at our disposal regarding these botnets. In other words, we offer a solution to detect new botnets thanks to very cheap and easily deployable solutions. The approach is validated thanks to several months of data collected with the worldwide distributed Leurré.com system. To distinguish the relevant traces from the other ones, we group them according to either the platforms, i.e. the targets hit, or the countries of origin of the attackers. We show that the choice of one of these two observation viewpoints dramatically influences the results obtained. Each one reveals unique botnets. We explain why. Last but not least, we show that these botnets remain active during very long periods of time, up to 700 days, even if the traces they left are only visible from time to time.

KW - Attack trace analysis

KW - Botnet detection

KW - Honeypot

UR - http://www.scopus.com/inward/record.url?scp=79951851851&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=79951851851&partnerID=8YFLogxK

U2 - 10.1016/j.future.2010.06.004

DO - 10.1016/j.future.2010.06.004

M3 - Article

AN - SCOPUS:79951851851

VL - 27

SP - 539

EP - 546

JO - Future Generation Computer Systems

JF - Future Generation Computer Systems

SN - 0167-739X

IS - 5

ER -