Set-up and deployment of a high-interaction honeypot: experiment and lessons learned

Authors:
Vincent Nicomette;Mohamed Kaâniche;Eric Alata;Matthieu Herrb
Affiliations:
CNRS, LAAS, Toulouse, France 31077 and Université de Toulouse, UPS, INSA, INP, ISAE, LAAS, Toulouse, France 31077;CNRS, LAAS, Toulouse, France 31077 and Université de Toulouse, UPS, INSA, INP, ISAE, LAAS, Toulouse, France 31077;CNRS, LAAS, Toulouse, France 31077 and Université de Toulouse, UPS, INSA, INP, ISAE, LAAS, Toulouse, France 31077;CNRS, LAAS, Toulouse, France 31077 and Université de Toulouse, UPS, INSA, INP, ISAE, LAAS, Toulouse, France 31077
Venue:
Journal in Computer Virology
Year:
2011

Citing 16
Cited 0

Honeypots: Tracking Hackers

Honeypots: Tracking Hackers
Characteristics of internet background radiation

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
An Experimental Evaluation to Determine if Port Scans are Precursors to an Attack

DSN '05 Proceedings of the 2005 International Conference on Dependable Systems and Networks
Scalability, fidelity, and containment in the potemkin virtual honeyfarm

Proceedings of the twentieth ACM symposium on Operating systems principles
Honeypot-Aware Advanced Botnet Construction and Maintenance

DSN '06 Proceedings of the International Conference on Dependable Systems and Networks
User Mode Linux(R) (Bruce Perens Open Source)

User Mode Linux(R) (Bruce Perens Open Source)
Lessons learned from the deployment of a high-interaction honeypot

EDCC '06 Proceedings of the Sixth European Dependable Computing Conference
A multifaceted approach to understanding the botnet phenomenon

Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Argos: an emulator for fingerprinting zero-day attacks for advertised honeypots with automatic signature generation

Proceedings of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems 2006
QEMU, a fast and portable dynamic translator

ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
A virtual honeypot framework

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Profiling Attacker Behavior Following SSH Compromises

DSN '07 Proceedings of the 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks
Crimeware: Understanding New Attacks and Defenses (Symantec Press)

Crimeware: Understanding New Attacks and Defenses (Symantec Press)
Virtual honeypots: from botnet tracking to intrusion detection

Virtual honeypots: from botnet tracking to intrusion detection
Collecting autonomous spreading malware using high-interaction honeypots

ICICS'07 Proceedings of the 9th international conference on Information and communications security
The nepenthes platform: an efficient approach to collect malware

RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection

Quantified Score

Hi-index	0.00

Visualization

Abstract

This paper presents the lessons learned from an empirical analysis of attackers behaviours based on the deployment on the Internet of a high-interaction honeypot for more than 1 year. We focus in particular on the attacks performed via the SSH service and the activities performed by the attackers once they gain access to the system and try to progress in their intrusion. The first part of the paper describes: (a) the global architecture of the honeypot and the mechanisms used to capture the implementation details so that we can observe attackers behaviours and (b) the details of the experiment itself (duration, data captured, overview of the attackers activity). The second part presents the results of the observation of the attackers. It includes: (a) the description of the global attack process, constituted of two main steps, dictionary attacks and intrusions and (b) the detailed analysis of these two main steps.