Abstract
Our research focuses on the use of honeypots to gather detailed statistics on Internet threats over a long period of time. In this context, we are deploying honeypots (sensors) of different interaction levels at various locations.
Honeypots are commonly classified by their level of interaction. For instance, it is generally accepted that a high-interaction approach is suited to recording the shell commands an attacker types, while a low-interaction approach yields only limited information on the attackers' activities. So far, however, no rigorous comparison exists that quantifies how much the information gathered by the two approaches actually differs. The environment we are deploying allows us to provide such a comparison, both qualitative and quantitative. We build on a classification of the observed attacks, and during the comparison we pay particular attention to the bias introduced by packet losses.
The proposed analysis reveals malicious activities hidden in the noise of less interesting ones. Finally, it shows the complementarity of the two approaches: a high-interaction honeypot allows us to check the relevance of low-interaction honeypot configurations. Thus, both interaction levels are required to build an efficient network of distributed honeypots.
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Pouget, F., Holz, T. (2005). A Pointillist Approach for Comparing Honeypots. In: Julisch, K., Kruegel, C. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2005. Lecture Notes in Computer Science, vol 3548. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11506881_4
DOI: https://doi.org/10.1007/11506881_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-26613-6
Online ISBN: 978-3-540-31645-9