Comparison of Empirical Data from Two Honeynets and a Distributed Honeypot Network

In this paper we present empirical results and speculative analysis based on observations collected over a two month period from studies with two high interaction honeynets, deployed in a corporate and an SME (small to medium enterprise) environment, and a distributed honeypots deployment. All three networks contain a mixture of Windows and Linux hosts. We detail the architecture of the deployment and results of comparing the observations from the three environments. We analyze in detail the times between attacks on different hosts, operating systems, networks or geographical location. Even though results from honeynet deployments are reported often in the literature, this paper provides novel results analyzing traffic from three different types of networks and some initial exploratory models. This research aims to contribute to endeavours in the wider security research community to build methods, grounded on strong empirical work, for assessment of the robustness of computer-based systems in hostile environments.

[1]  Vinod Yegneswaran,et al.  Characteristics of internet background radiation , 2004, IMC '04.

[2]  Robin Berthier,et al.  Profiling Attacker Behavior Following SSH Compromises , 2007, 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'07).

[3]  Marc Dacier,et al.  Honeypots: practical means to validate malicious fault assumptions , 2004, 10th IEEE Pacific Rim International Symposium on Dependable Computing, 2004. Proceedings..

[4]  Michel Cukier,et al.  An experimental evaluation to determine if port scans are precursors to an attack , 2005, 2005 International Conference on Dependable Systems and Networks (DSN'05).

[5]  Henry L. Owen,et al.  The use of Honeynets to detect exploited systems across large enterprise networks , 2003, IEEE Systems, Man and Cybernetics SocietyInformation Assurance Workshop, 2003..

[6]  Marc Dacier,et al.  Lessons learned from the deployment of a high-interaction honeypot , 2006, 2006 Sixth European Dependable Computing Conference.

[7]  Marc Dacier,et al.  ScriptGen: an automated script generation tool for Honeyd , 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[8]  R. Durrett Random Graph Dynamics: References , 2006 .

[9]  Tony Wheeler,et al.  Tahiti & French Polynesia , 1992 .

[10]  Robin Berthier,et al.  A Statistical Analysis of Attack Data to Separate Attacks , 2006, International Conference on Dependable Systems and Networks (DSN'06).

[11]  Marc Dacier,et al.  Empirical analysis and statistical modeling of attack processes based on honeypots , 2007, ArXiv.

[12]  Albert,et al.  Emergence of scaling in random networks , 1999, Science.

[13]  Van-Hau Pham,et al.  on the Advantages of Deploying a Large Scale Distributed Honeypot Platform , 2005 .