DocumentCode :
2299946
Title :
Honeypot Traces Forensics: The Observation Viewpoint Matters
Author :
Pham, Van-Hau ; Dacier, Marc
Author_Institution :
Networking & Security Dept., EURECOM, Sophia Antipolis, France
fYear :
2009
fDate :
19-21 Oct. 2009
Firstpage :
365
Lastpage :
372
Abstract :
In this paper, we propose a method to identify and group together traces left on low-interaction honeypots by machines belonging to the same botnet(s), without having any a priori information at our disposal regarding these botnets. In other words, we offer a solution to detect new botnets thanks to very cheap and easily deployable sensors. The approach is validated with several months of data collected by the worldwide distributed Leurre.com system. To distinguish the relevant traces from the other ones, we group them according to either the platforms, i.e. the targets hit, or the countries of origin of the attackers. We show that the choice of one of these two observation viewpoints dramatically influences the results obtained: each one reveals unique botnets, and we explain why. Last but not least, we show that these botnets remain active during very long periods of time, up to 700 days, even if the traces they leave are only visible from time to time.
Keywords :
Internet; invasive software; Internet security; attack trace analysis; botnet detection; data collection; low-interaction honeypot trace forensics; observation viewpoint; worldwide distributed Leurre.com system; Command and control systems; Forensics; Information security; Internet; Joining processes; Large-scale systems; Pattern recognition; Protocols; Telecommunication traffic; attack trace analysis; botnet detection; honeypot;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Network and System Security, 2009. NSS '09. Third International Conference on
Conference_Location :
Gold Coast, QLD
Print_ISBN :
978-1-4244-5087-9
Electronic_ISBN :
978-0-7695-3838-9
Type :
conf
DOI :
10.1109/NSS.2009.46
Filename :
5319287