论文信息 - Comparative survey of local honeypot sensors to assist network forensics

Comparative survey of local honeypot sensors to assist network forensics

This paper intends to illustrate the usefulness of deploying multiple simple honeypot sensors in a large variety of locations. Indeed, a permanent identification of anomalies that occur on a single sensor allows pinpointing abnormal local activities. These can be the manifest of misconfiguration issues or highlight attacks particular to some given environments. Both cases are important for administrators in charge of the networks hosting the sensors. We propose in this paper a comparison of simple parameters that reveal to be an easy way to determine these abnormal and particular activities. On the basis of two identical honeypot sensors that we have deployed for more than 6 months in France and in Taiwan, we detail the analysis of some anomalies that have been found against one unique sensor only. This is a preliminary but useful stage for network forensics and we intend in a near future to deploy the method over a large number of sensors. This is an on-going work and we hope that the illustrations we provide all along the paper a good incentive for partners to join this open project.

[1] Stefan Savage,et al. Inferring Internet denial-of-service activity , 2001, TOCS.

[2] M. Dacier,et al. Honeypots : A Practical Mean to Validate Malicious Fault Assumptions Practical Experience Report , 2003 .

[3] Van-Hau Pham,et al. on the Advantages of Deploying a Large Scale Distributed Honeypot Platform , 2005 .

[4] Van-Hau Pham,et al. HONEYNETS: FOUNDATIONS FOR THE DEVELOPMENT OF EARLY WARNING INFORMATION SYSTEMS , 2005 .

[5] Eric Alata,et al. CADHo: Collection and Analysis of Data from Honeypots , 2005 .

[6] Thorsten Holz,et al. A Pointillist Approach for Comparing Honeypots , 2005, DIMVA.

[7] Robert Stone,et al. A Snapshot of Global Internet Worm Activity , 2001 .

[8] Somesh Jha,et al. Global Intrusion Detection in the DOMINO Overlay System , 2004, NDSS.

[9] Zhuoqing Morley Mao,et al. Toward understanding distributed blackhole placement , 2004, WORM '04.