Honeypot traces forensics: The observation viewpoint matters

Van Hau Pham, Marc Dacier

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

5 Citations (Scopus)

Abstract

In this paper, we propose a method to identify and group together traces left on low-interaction honeypots by machines belonging to the same botnet(s), without having any a priori information at our disposal regarding these botnets. In other words, we offer a solution to detect new botnets using very cheap and easily deployable sensors. The approach is validated with several months of data collected by the worldwide distributed Leurré.com system. To distinguish the relevant traces from the other ones, we group them according to either the platforms, i.e. the targets hit, or the countries of origin of the attackers. We show that the choice of one of these two observation viewpoints dramatically influences the results obtained. Each one reveals unique botnets. We explain why. Last but not least, we show that these botnets remain active during very long periods of time, up to 700 days, even if the traces they leave are only visible from time to time.
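The abstract's central claim is that grouping the same honeypot traces by target platform or by attacker country surfaces different botnets. The script below is an added illustration of that effect and is not the authors' code: the trace records, the country and platform names, and the clustering rule (two groups belong to one candidate botnet when their sets of active days overlap strongly, measured by Jaccard similarity) are all assumptions made for this example, not the method described in the paper.

```python
"""Grouping honeypot traces by observation viewpoint (added example).

Constructed data and a simple overlap rule stand in for the paper's real
traces and method; the point shown is only that the viewpoint chosen
changes which candidate botnets become visible.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample traces: (day, source_country, target_platform, fingerprint).
# A fingerprint stands for the attack pattern observed in a trace (for example
# a port sequence). Country codes and platform names are made up.
TRACES = [
    # F1: the same two platforms are hit on the same days, but every day the
    # sources come from a different country, so the per-country view is sparse.
    (1, "AR", "P1", "F1"), (1, "AR", "P2", "F1"),
    (2, "BR", "P1", "F1"), (2, "BR", "P2", "F1"),
    (3, "CN", "P1", "F1"), (3, "CN", "P2", "F1"),
    (10, "DE", "P1", "F1"), (10, "DE", "P2", "F1"),
    (11, "ES", "P1", "F1"), (11, "ES", "P2", "F1"),
    # F2: two countries act in lockstep on the same days, but each day they
    # hit a different platform, so the per-platform view is sparse.
    (5, "RU", "P1", "F2"), (5, "UA", "P1", "F2"),
    (6, "RU", "P3", "F2"), (6, "UA", "P3", "F2"),
    (7, "RU", "P4", "F2"), (7, "UA", "P4", "F2"),
    (20, "RU", "P5", "F2"), (20, "UA", "P5", "F2"),
    # F3: background noise with no coordination under either viewpoint.
    (4, "US", "P1", "F3"), (9, "FR", "P2", "F3"),
]

VIEWPOINT_FIELD = {"country": 1, "platform": 2}


def active_days(traces, viewpoint):
    """Map fingerprint -> {viewpoint value -> set of days it was seen on}."""
    idx = VIEWPOINT_FIELD[viewpoint]
    out = defaultdict(lambda: defaultdict(set))
    for rec in traces:
        day, fingerprint = rec[0], rec[3]
        out[fingerprint][rec[idx]].add(day)
    return out


def jaccard(a, b):
    """Overlap of two non-empty day sets, in [0, 1]."""
    return len(a & b) / len(a | b)


def _root(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def find_candidate_botnets(traces, viewpoint, min_overlap=0.6):
    """Return (fingerprint, groups, first_day, last_day) for every cluster of
    at least two viewpoint values whose activity days overlap (assumed rule)."""
    results = []
    for fingerprint, groups in active_days(traces, viewpoint).items():
        parent = {g: g for g in groups}
        for g1, g2 in combinations(groups, 2):
            if jaccard(groups[g1], groups[g2]) >= min_overlap:
                parent[_root(parent, g1)] = _root(parent, g2)
        clusters = defaultdict(set)
        for g in groups:
            clusters[_root(parent, g)].add(g)
        for members in clusters.values():
            if len(members) < 2:
                continue  # a lone group is not evidence of coordination
            days = set().union(*(groups[m] for m in members))
            results.append((fingerprint, frozenset(members), min(days), max(days)))
    return sorted(results, key=lambda r: (r[0], sorted(r[1])))


def compare_viewpoints(traces):
    """Fingerprints each viewpoint reveals as a candidate botnet."""
    return {vp: sorted({r[0] for r in find_candidate_botnets(traces, vp)})
            for vp in VIEWPOINT_FIELD}


if __name__ == "__main__":
    for vp in VIEWPOINT_FIELD:
        print(f"viewpoint={vp}")
        for fp, members, first, last in find_candidate_botnets(TRACES, vp):
            print(f"  {fp}: groups={sorted(members)} active days {first}..{last}")
```

Run as a script, the platform viewpoint reports only F1 (platforms P1 and P2 share their active days) and the country viewpoint reports only F2 (RU and UA share theirs); neither viewpoint sees the other's botnet, and F3 never clusters. The first and last active day of each cluster give the lifespan the abstract refers to, which the overlap rule still measures correctly when the activity is intermittent.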

Original language: English
Title of host publication: NSS 2009 - Network and System Security
Pages: 365-372
Number of pages: 8
DOIs: https://doi.org/10.1109/NSS.2009.46
Publication status: Published - 1 Dec 2009
Event: 2009 3rd International Conference on Network and System Security, NSS 2009 - Gold Coast, QLD, Australia
Duration: 19 Oct 2009 to 21 Oct 2009

Publication series

Name: NSS 2009 - Network and System Security

Conference

Conference: 2009 3rd International Conference on Network and System Security, NSS 2009
Country: Australia
City: Gold Coast, QLD
Period: 19/10/09 to 21/10/09

Keywords

  • Attack trace analysis
  • Botnet detection
  • Honeypot

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Software
  • Control and Systems Engineering


Cite this

Pham, V. H., & Dacier, M. (2009). Honeypot traces forensics: The observation viewpoint matters. In NSS 2009 - Network and System Security (pp. 365-372). [5319287] (NSS 2009 - Network and System Security). https://doi.org/10.1109/NSS.2009.46