
A Pointillist Approach for Comparing Honeypots

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2005)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 3548))

Abstract

Our research focuses on the usage of honeypots for gathering detailed statistics on the Internet threats over a long period of time. In this context, we are deploying honeypots (sensors) of different interaction levels in various locations.

Generally speaking, honeypots are often classified by their level of interaction. For instance, it is commonly accepted that a high interaction approach is suited for recording hacker shell commands, while a low interaction approach provides only limited information on the attackers’ activities. So far, there exists no rigorous comparison of how much information the two approaches actually differ on. Thanks to the environment that we are deploying, we are able to provide a rigorous comparison between the two approaches, both qualitatively and quantitatively. We build our work on an interesting classification of the observed attacks, and we pay particular attention during the comparison to the bias introduced by packet losses.

The proposed analysis leads to an interesting study of malicious activities hidden by the noise of less interesting ones. Finally, it shows the complementarities of the two approaches: a high interaction honeypot allows us to control the relevance of low interaction honeypot configurations. Thus, both interaction levels are required to build an efficient network of distributed honeypots.



Copyright information

© 2005 Springer-Verlag Berlin Heidelberg


Cite this paper

Pouget, F., Holz, T. (2005). A Pointillist Approach for Comparing Honeypots. In: Julisch, K., Kruegel, C. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2005. Lecture Notes in Computer Science, vol 3548. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11506881_4


  • DOI: https://doi.org/10.1007/11506881_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-26613-6

  • Online ISBN: 978-3-540-31645-9
