Set-up and deployment of a high-interaction honeypot: experiment and lessons learned

This paper presents the lessons learned from an empirical analysis of attackers' behaviour, based on the deployment on the Internet of a high-interaction honeypot for more than 1 year. We focus in particular on the attacks performed via the SSH service and on the activities carried out by the attackers once they gain access to the system and try to progress in their intrusion. The first part of the paper describes (a) the global architecture of the honeypot and the mechanisms used to capture data, together with their implementation details, so that we can observe attackers' behaviour, and (b) the experiment itself (duration, data captured, overview of the attackers' activity). The second part presents the results of the observation of the attackers. It includes (a) the description of the global attack process, constituted of two main steps, dictionary attacks and intrusions, and (b) the detailed analysis of these two main steps.
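The two-step attack process the abstract describes (a dictionary attack against SSH, followed by an intrusion when a guessed credential works) is what a defender would want to recognise in the authentication log of such a honeypot. The following script is an added example, not code from the paper or its authors: it parses constructed sshd log lines (hypothetical hostnames, usernames and documentation-range addresses), flags a source as running a dictionary attack once it has accumulated a threshold of failed password attempts inside a sliding time window, records which usernames it tried, and reports a later successful login from a flagged source as a probable intrusion. The threshold and window values are assumptions chosen for the sample data, not figures from the paper.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd lines (hypothetical host, users and addresses),
# in the usual syslog "sshd[pid]: ..." format. Source 198.51.100.7 runs a
# short dictionary attack, then returns hours later with a working password.
SAMPLE_LOG = """\
Mar  3 10:00:01 hp1 sshd[2001]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Mar  3 10:00:02 hp1 sshd[2002]: Failed password for invalid user test from 198.51.100.7 port 40002 ssh2
Mar  3 10:00:03 hp1 sshd[2003]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar  3 10:00:04 hp1 sshd[2004]: Failed password for invalid user oracle from 198.51.100.7 port 40004 ssh2
Mar  3 10:00:05 hp1 sshd[2005]: Failed password for invalid user guest from 198.51.100.7 port 40005 ssh2
Mar  3 10:00:30 hp1 sshd[2010]: Failed password for alice from 203.0.113.9 port 51000 ssh2
Mar  3 10:00:45 hp1 sshd[2011]: Accepted password for alice from 203.0.113.9 port 51001 ssh2
Mar  3 14:12:00 hp1 sshd[3100]: Accepted password for test from 198.51.100.7 port 42000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_line(line, year=2024):
    """Parse one sshd password-auth line; return None for lines we do not model.

    Syslog timestamps carry no year, so one is supplied (assumed 2024 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=5, window=timedelta(minutes=10)):
    """Return (attackers, intrusions).

    attackers:  ip -> {"first_flagged": datetime, "usernames": set of tried names}
                for sources with >= threshold failures inside a sliding window.
    intrusions: list of (ip, user, datetime) for successful logins from a
                source that had already been flagged as a dictionary attacker.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])

    recent_failures = defaultdict(list)   # ip -> failure timestamps in window
    tried_users = defaultdict(set)        # ip -> usernames seen in failures
    attackers = {}
    intrusions = []

    for e in events:
        ip = e["ip"]
        if e["result"] == "Failed":
            tried_users[ip].add(e["user"])
            fails = recent_failures[ip]
            fails.append(e["ts"])
            # Drop failures that fell out of the sliding window.
            while fails and e["ts"] - fails[0] > window:
                fails.pop(0)
            if len(fails) >= threshold and ip not in attackers:
                attackers[ip] = {"first_flagged": e["ts"], "usernames": tried_users[ip]}
        elif ip in attackers:
            # A success after a dictionary attack from the same source is the
            # transition from step one (guessing) to step two (intrusion).
            intrusions.append((ip, e["user"], e["ts"]))

    return attackers, intrusions


if __name__ == "__main__":
    attackers, intrusions = detect(SAMPLE_LOG.splitlines())
    for ip, info in attackers.items():
        print(f"dictionary attack from {ip} at {info['first_flagged']}, "
              f"usernames tried: {sorted(info['usernames'])}")
    for ip, user, ts in intrusions:
        print(f"probable intrusion: {user}@{ip} at {ts}")
```

The single failure from 203.0.113.9 followed by a success is deliberately left unflagged: a user mistyping a password once should not be confused with the brute-force step, which is why the detector keys on the failure count within the window rather than on any failure preceding a success.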
