The Leurre.com Project

Collecting internet threats information using a worldwide distributed honeynet

C. Leita, V. H. Pham, O. Thonnard, E. Ramirez-Silva, F. Pouget, E. Kirda, Marc Dacier

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

22 Citations (Scopus)

Abstract

This paper aims at presenting in some depth the Leurre.com project and its data collection infrastructure. Launched in 2003 by the Institut Eurecom, this project is based on a worldwide distributed system of honeypots running in more than 30 different countries. The main objective of the project is to get a more realistic picture of certain classes of threats happening on the Internet, by collecting unbiased quantitative data in a long-term perspective. In the first phase of the project, the data collection infrastructure relied solely on low-interaction sensors based on Honeyd [24] to collect unsolicited traffic on the Internet. Recently, a second phase of the project was started with the deployment of medium-interaction honeypots based on the ScriptGen [15] technology, in order to enrich the network conversations with the attackers. All network traces captured on the platforms are automatically uploaded into a centralized database accessible by the partners via a convenient interface. The collected traffic is also enriched with a set of contextual information (e.g. geographical localization and reverse DNS lookups). This paper presents this complex data collection infrastructure, and offers some insight into the structure of the central data repository. The data access interface has been developed to facilitate the analysis of today's Internet threats, for example by means of data mining tools. Some concrete examples are presented to illustrate the richness and the power of this data access interface. By doing so, we hope to encourage other researchers to share with us their knowledge and data sets, to complement or enhance our ongoing analysis efforts, with the ultimate goal of better understanding Internet threats.

Original language: English
Title of host publication: Proceedings - WOMBAT Workshop on Information Security Threats Data Collection and Sharing, WISTDCS 2008
Pages: 40-57
Number of pages: 18
DOI: https://doi.org/10.1109/WISTDCS.2008.8
Publication status: Published - 2008
Externally published: Yes
Event: WOMBAT Workshop on Information Security Threats Data Collection and Sharing, WISTDCS 2008 - Amsterdam
Duration: 21 Apr 2008 to 22 Apr 2008

Other

Other: WOMBAT Workshop on Information Security Threats Data Collection and Sharing, WISTDCS 2008
City: Amsterdam
Period: 21/4/08 to 22/4/08

Fingerprint

Internet
Data mining
Sensors

ASJC Scopus subject areas

  • Computer Science Applications
  • Information Systems

Cite this

Leita, C., Pham, V. H., Thonnard, O., Ramirez-Silva, E., Pouget, F., Kirda, E., & Dacier, M. (2008). The Leurre.com Project: Collecting internet threats information using a worldwide distributed honeynet. In Proceedings - WOMBAT Workshop on Information Security Threats Data Collection and Sharing, WISTDCS 2008 (pp. 40-57). [4627314] https://doi.org/10.1109/WISTDCS.2008.8

@inproceedings{15e38c5ed7eb42ae859916efe23b4b8f,
title = "The Leurre.com Project: Collecting internet threats information using a worldwide distributed honeynet",
author = "C. Leita and Pham, {V. H.} and O. Thonnard and E. Ramirez-Silva and F. Pouget and E. Kirda and Marc Dacier",
year = "2008",
doi = "10.1109/WISTDCS.2008.8",
language = "English",
isbn = "9780769533476",
pages = "40--57",
booktitle = "Proceedings - WOMBAT Workshop on Information Security Threats Data Collection and Sharing, WISTDCS 2008",

}

TY - GEN

T1 - The Leurre.com Project

T2 - Collecting internet threats information using a worldwide distributed honeynet

AU - Leita, C.

AU - Pham, V. H.

AU - Thonnard, O.

AU - Ramirez-Silva, E.

AU - Pouget, F.

AU - Kirda, E.

AU - Dacier, Marc

PY - 2008

Y1 - 2008

UR - http://www.scopus.com/inward/record.url?scp=55149105073&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=55149105073&partnerID=8YFLogxK

U2 - 10.1109/WISTDCS.2008.8

DO - 10.1109/WISTDCS.2008.8

M3 - Conference contribution

SN - 9780769533476

SP - 40

EP - 57

BT - Proceedings - WOMBAT Workshop on Information Security Threats Data Collection and Sharing, WISTDCS 2008

ER -