Honeypot-based forensics

Some attacks on honeypots are very frequent and repetitive. In addition, such repetitive attacks generate a very large amount of data. In this paper, we show that it might be misleading to consider general statistics obtained on these data without carrying out an in-depth analysis of the various processes that have led to their creation. We show that such analysis can be done by means of a simple clustering approach. We present an algorithm to characterize the root causes of these attacks. This algorithm enables us to obtain valuable and non-trivial information to identify the various attacks targeting our environment. We use this algorithm to identify the root causes of the data collected from our honeypot environment. We demonstrate that identifying the root causes is a prerequisite for a better understanding of the malicious activity observed through honeypot environments. Finally, we hope this work will open new avenues for the ongoing work related to honeynets.
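The abstract's central claim, that per-port statistics hide the distinct attack processes behind them, can be shown with a small clustering pass over connection records. The following example is added here and is not code from the paper; the records are constructed, and the choice of fingerprint (the ordered port sequences a source sends to each honeypot machine, plus the number of machines it touched) is an assumption made for illustration, not the paper's own criterion.

```python
from collections import Counter, defaultdict

# Constructed sample of connection records from a three-machine honeypot
# (illustrative data, not the paper's dataset).
# Each record: (source address, target machine, ordered tuple of ports contacted).
SAMPLE_RECORDS = [
    ("10.0.0.1", "hp1", (445,)),
    ("10.0.0.1", "hp2", (445,)),
    ("10.0.0.1", "hp3", (445,)),
    ("10.0.0.2", "hp1", (445,)),
    ("10.0.0.2", "hp2", (445,)),
    ("10.0.0.2", "hp3", (445,)),
    ("10.0.0.3", "hp1", (139, 445, 1433)),
    ("10.0.0.4", "hp1", (139, 445, 1433)),
    ("10.0.0.5", "hp2", (80,)),
    ("10.0.0.6", "hp1", (80,)),
    ("10.0.0.6", "hp2", (80,)),
    ("10.0.0.6", "hp3", (80,)),
]


def port_statistics(records):
    """Naive aggregate: how many connections touched each port, regardless of process."""
    counts = Counter()
    for _src, _tgt, ports in records:
        for port in ports:
            counts[port] += 1
    return dict(counts)


def build_fingerprints(records):
    """Assumed fingerprint per source: (sorted set of port sequences used, machines hit)."""
    per_source = defaultdict(dict)
    for src, tgt, ports in records:
        per_source[src][tgt] = ports
    fingerprints = {}
    for src, by_target in per_source.items():
        sequences = tuple(sorted(set(by_target.values())))
        fingerprints[src] = (sequences, len(by_target))
    return fingerprints


def cluster_sources(records):
    """Group sources that share a fingerprint; each cluster is a candidate root cause."""
    clusters = defaultdict(list)
    for src, fingerprint in build_fingerprints(records).items():
        clusters[fingerprint].append(src)
    return {fp: sorted(srcs) for fp, srcs in clusters.items()}


def processes_touching_port(records, port):
    """How many distinct clusters (processes) contribute to the traffic seen on one port."""
    return sum(
        1
        for sequences, _machines in cluster_sources(records)
        if any(port in seq for seq in sequences)
    )


if __name__ == "__main__":
    print("per-port counts:", port_statistics(SAMPLE_RECORDS))
    for fingerprint, sources in cluster_sources(SAMPLE_RECORDS).items():
        print("cluster", fingerprint, "->", sources)
    print("distinct processes behind port 445:",
          processes_touching_port(SAMPLE_RECORDS, 445))
```

On this sample the aggregate view reports eight connections to port 445, while the clustering separates them into two processes: sources that sweep port 445 across all three machines, and sources that run a 139/445/1433 sequence against a single machine. The same port count therefore corresponds to different root causes, which is the distinction the abstract argues must be made before drawing conclusions from honeypot statistics.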
