Honeypot traces forensics

The observation viewpoint matters

Van Hau Pham, Marc Dacier

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

5 Citations (Scopus)

Abstract

In this paper, we propose a method to identify and group together traces left on low-interaction honeypots by machines belonging to the same botnet(s), without having any a priori information at our disposal regarding these botnets. In other words, we offer a solution to detect new botnets thanks to very cheap and easily deployable solutions. The approach is validated thanks to several months of data collected with the worldwide distributed Leurré.com system. To distinguish the relevant traces from the other ones, we group them according to either the platforms, i.e. the targets hit, or the countries of origin of the attackers. We show that the choice of one of these two observation viewpoints dramatically influences the results obtained. Each one reveals unique botnets. We explain why. Last but not least, we show that these botnets remain active during very long periods of time, up to 700 days, even if the traces they leave are only visible from time to time.
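As an added illustration of the abstract's central point (this is not code from the paper and not the Leurré.com toolchain), the Python script below builds constructed honeypot traces and groups them from the two viewpoints. A botnet whose bots sit in many countries but all hit one platform only produces a burst when traces are grouped per platform; a botnet whose bots sit in one country but scan many platforms only bursts when grouped per country. Bursts that share source IPs are then linked, which exposes a botnet that reappears after a long gap. The thresholds MIN_BURST and MIN_IP_OVERLAP, the signature and platform names, and the Jaccard-overlap linking rule are assumptions made for this example, not the paper's parameters or method.

```python
"""Added example, not code from the paper or the Leurre.com project: constructed
traces showing why the per-platform and per-country viewpoints reveal different
botnets, and how linking bursts by shared source IPs exposes long-lived ones.
MIN_BURST, MIN_IP_OVERLAP and the Jaccard linking rule are assumptions."""
from collections import defaultdict
from itertools import combinations

MIN_BURST = 5         # assumed: distinct source IPs per day before a group counts as an attack event
MIN_IP_OVERLAP = 0.5  # assumed: Jaccard overlap of source IPs that ties two events to one botnet


def build_traces():
    """Constructed traces: (day, source_ip, attack_signature, target_platform, source_country)."""
    traces = []
    # Botnet A: 8 bots in 8 different countries all hit platform P1 on days 10-12,
    # then 7 of them come back with the same IPs on days 700-702.
    bots_a = [(f"10.0.{i}.1", c) for i, c in enumerate(["CN", "US", "DE", "BR", "IN", "RU", "KR", "FR"])]
    for day in (10, 11, 12, 700, 701, 702):
        active = bots_a if day < 100 else bots_a[:7]
        traces += [(day, ip, "sigA", "P1", country) for ip, country in active]
    # Botnet B: 8 bots, all in CN, each scanning a different platform P1-P8 on days 40-42.
    for day in (40, 41, 42):
        traces += [(day, f"10.1.{i}.1", "sigB", f"P{i + 1}", "CN") for i in range(8)]
    # Background noise: isolated single hits that must never form an attack event.
    traces += [(day, f"10.9.{day}.1", "sigN", "P3", "US") for day in range(1, 60, 7)]
    return traces


def attack_events(traces, viewpoint):
    """Group traces per (signature, platform) or (signature, country), count distinct
    source IPs per day, and return one event per maximal run of consecutive days at or
    above MIN_BURST: {(signature, group): [(first_day, last_day, frozenset(ips)), ...]}."""
    per_day = defaultdict(lambda: defaultdict(set))
    for day, ip, sig, platform, country in traces:
        group = platform if viewpoint == "platform" else country
        per_day[(sig, group)][day].add(ip)

    def close(run, days):
        return (run[0], run[-1], frozenset().union(*(days[d] for d in run)))

    events = defaultdict(list)
    for key, days in per_day.items():
        run = []
        for day in sorted(days):
            if len(days[day]) < MIN_BURST:
                continue                      # quiet day: does not extend a burst
            if run and day != run[-1] + 1:    # gap in the run: close the previous event
                events[key].append(close(run, days))
                run = []
            run.append(day)
        if run:
            events[key].append(close(run, days))
    return dict(events)


def link_botnets(events):
    """Union-find over all events: two events belong to the same botnet when their
    source-IP sets overlap by Jaccard >= MIN_IP_OVERLAP, whatever their key or date."""
    items = [(key, ev) for key, evs in events.items() for ev in evs]
    parent = list(range(len(items)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(items)), 2):
        a, b = items[i][1][2], items[j][1][2]
        if len(a & b) / len(a | b) >= MIN_IP_OVERLAP:
            parent[find(i)] = find(j)
    groups = defaultdict(list)
    for i, item in enumerate(items):
        groups[find(i)].append(item)
    botnets = [{
        "signatures": sorted({key[0] for key, _ in members}),
        "first_day": min(ev[0] for _, ev in members),
        "last_day": max(ev[1] for _, ev in members),
        "ips": frozenset().union(*(ev[2] for _, ev in members)),
    } for members in groups.values()]
    return sorted(botnets, key=lambda b: b["first_day"])


def compare_viewpoints(traces):
    """Return {viewpoint: [(signature, first_day, last_day, span_days), ...]} for the
    platform and country viewpoints so the two can be contrasted side by side."""
    result = {}
    for viewpoint in ("platform", "country"):
        result[viewpoint] = [(b["signatures"][0], b["first_day"], b["last_day"],
                              b["last_day"] - b["first_day"])
                             for b in link_botnets(attack_events(traces, viewpoint))]
    return result


if __name__ == "__main__":
    for viewpoint, botnets in compare_viewpoints(build_traces()).items():
        print(viewpoint, botnets)
```

Run stand-alone, the platform viewpoint reports only botnet A (first seen day 10, last seen day 702, a span of 692 days from two short bursts), while the country viewpoint reports only botnet B (days 40 to 42). Each botnet is invisible from the other viewpoint because its per-day activity is spread across eight groups and never reaches the burst threshold, which is the dilution effect the abstract attributes to the choice of viewpoint.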

Original language: English
Title of host publication: NSS 2009 - Network and System Security
Pages: 365-372
Number of pages: 8
DOIs: 10.1109/NSS.2009.46
Publication status: Published - 2009
Externally published: Yes
Event: 2009 3rd International Conference on Network and System Security, NSS 2009 - Gold Coast, QLD
Duration: 19 Oct 2009 - 21 Oct 2009

Other

Other: 2009 3rd International Conference on Network and System Security, NSS 2009
City: Gold Coast, QLD
Period: 19/10/09 - 21/10/09

Keywords

  • Attack trace analysis
  • Botnet detection
  • Honeypot

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Software
  • Control and Systems Engineering

Cite this

Pham, V. H., & Dacier, M. (2009). Honeypot traces forensics: The observation viewpoint matters. In NSS 2009 - Network and System Security (pp. 365-372). [5319287] https://doi.org/10.1109/NSS.2009.46

@inproceedings{b10a80e71a4840cfb345901f93c7cdf8,
title = "Honeypot traces forensics: The observation viewpoint matters",
abstract = "In this paper, we propose a method to identify and group together traces left on low-interaction honeypots by machines belonging to the same botnet(s), without having any a priori information at our disposal regarding these botnets. In other words, we offer a solution to detect new botnets thanks to very cheap and easily deployable solutions. The approach is validated thanks to several months of data collected with the worldwide distributed Leurr{\'e}.com system. To distinguish the relevant traces from the other ones, we group them according to either the platforms, i.e. the targets hit, or the countries of origin of the attackers. We show that the choice of one of these two observation viewpoints dramatically influences the results obtained. Each one reveals unique botnets. We explain why. Last but not least, we show that these botnets remain active during very long periods of time, up to 700 days, even if the traces they leave are only visible from time to time.",
keywords = "Attack trace analysis, Botnet detection, Honeypot",
author = "Pham, {Van Hau} and Marc Dacier",
year = "2009",
doi = "10.1109/NSS.2009.46",
language = "English",
isbn = "9780769538389",
pages = "365--372",
booktitle = "NSS 2009 - Network and System Security",
}

TY - GEN

T1 - Honeypot traces forensics

T2 - The observation viewpoint matters

AU - Pham, Van Hau

AU - Dacier, Marc

PY - 2009

Y1 - 2009

AB - In this paper, we propose a method to identify and group together traces left on low-interaction honeypots by machines belonging to the same botnet(s), without having any a priori information at our disposal regarding these botnets. In other words, we offer a solution to detect new botnets thanks to very cheap and easily deployable solutions. The approach is validated thanks to several months of data collected with the worldwide distributed Leurré.com system. To distinguish the relevant traces from the other ones, we group them according to either the platforms, i.e. the targets hit, or the countries of origin of the attackers. We show that the choice of one of these two observation viewpoints dramatically influences the results obtained. Each one reveals unique botnets. We explain why. Last but not least, we show that these botnets remain active during very long periods of time, up to 700 days, even if the traces they leave are only visible from time to time.

KW - Attack trace analysis

KW - Botnet detection

KW - Honeypot

UR - http://www.scopus.com/inward/record.url?scp=72849115931&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=72849115931&partnerID=8YFLogxK

U2 - 10.1109/NSS.2009.46

DO - 10.1109/NSS.2009.46

M3 - Conference contribution

SN - 9780769538389

SP - 365

EP - 372

BT - NSS 2009 - Network and System Security

ER -