Lessons learned from the deployment of a high-interaction honeypot

Alata, Éric; Nicomette, Vincent; Kaâniche, Mohamed; Daciér, Marc; Herrb, Matthieu

doi:10.1109/edcc.2006.17

Cited by 75 publications

(52 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…This allows to evaluate its capability to cope with heterogeneous and diverse samples. We focus this analysis on the first 30 days of operation 3 . This period corresponds in fact to the most interesting one from the point of view of the ScriptGen learning.…”

Section: Scriptgen and Real Attacksmentioning

confidence: 99%

“…Also, recent work has shown the usefulness of gathering experimental data to model and better understand the threats due to attackers [24,29]. Alata et al have shown the merits of using honeypots for the statistical modeling of attack processes [20,2] and, more specifically, the merits of high interaction ones [3]. The benefits due to high interaction honeypots, i.e.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

SGNET: A Worldwide Deployable Framework to Support the Analysis of Malware Threat Models

Leita

Daciér

2008

2008 Seventh European Dependable Computing Conference

View full text Add to dashboard Cite

The dependability community has expressed a growing interest in the recent years for the effects of malicious, external, operational faults in computing systems, ie. intrusions. The term intrusion tolerance has been introduced to emphasize the need to go beyond what classical fault tolerant systems were able to offer. Unfortunately, as opposed to well understood accidental faults, the domain is still lacking sound data sets and models to offer rationales in the design of intrusion tolerant solutions. In this paper, we describe a framework similar in its spirit to so called honeyfarms but built in a way that makes its large-scale deployment easily feasible. Furthermore, it offers a very rich level of interaction with the attackers without suffering from the drawbacks of expensive high interaction systems. The system is described, a prototype is presented as well as some preliminary results that highlight the feasibility as well as the usefulness of the approach.

show abstract

Section: Scriptgen and Real Attacksmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

SGNET: A Worldwide Deployable Framework to Support the Analysis of Malware Threat Models

Leita

Daciér

2008

2008 Seventh European Dependable Computing Conference

View full text Add to dashboard Cite

show abstract

“…Quite simply a high interaction honeypot can be any vulnerable system that is connected to a network and can be monitored for analysis. Authors in [5] describe these as truly vulnerable systems that can be probed, attacked and exploited, once the attacker gains access to the system the honeypot can be used in a botnet or to carry out other attacks. This gives light to some ethical issues with regard to continuing the research once a honeypot has been compromised, when should the system be taken back from the attacker and should it really be used in the type of attacks that it has been designed to prevent?…”

Section: Introductionmentioning

confidence: 99%

SSH Honeypot: Building, Deploying and Analysis

Doubleday¹,

Μαγλαράς²,

Janicke³

2016

ijacsa

View full text Add to dashboard Cite

Abstract-This article is set to discuss the various techniques that can be used while developing a honeypot, of any form, while considering the advantages and disadvantages of these very different methods. The foremost aims are to cover the principles of the Secure Shell (SSH), how it can be useful and more importantly, how attackers can gain access to a system by using it. The article involved the development of multiple low interaction honeypots. The low interaction honeypots that have been developed make use of the highly documented libssh and even editing the source code of an already available SSH daemon. Finally the aim is to combine the results with the vastly distributed Kippo honeypot, in order to be able to compare and contrast the results along with usability and necessity of particular features. Providing a clean and simple description for less knowledgeable users to be able to create and deploy a honeypot of production quality, adding security advantages to their network instantaneously.

show abstract

“…In the context of this work, a harvesting attack is a mass exploitation where an attacker initiates communications with multiple hosts in order to control and reconfigure them. This type of automated exploitation is commonly associated with worms, however, modern bot software often includes automated buffer-overflow and password exploitation attacks against local networks 1 . In contrast, in a scanning attack, the attacker's communication with multiple hosts is an attempt to determine what services they are running; i.e., the intent is reconnaissance.…”

Section: Introductionmentioning

confidence: 99%

“…More specifically, a single host, whether scanning This work was done while the author was affiliated with the CERT/NetSA group at the Software Engineering Institute, Carnegie Mellon University. 1 A representative example of this class of bot is the Gaobot family, which uses a variety of propagation methods including network shares, buffer overflows and password lists. A full description is available at http://www.trendmicro.com/vinfo/ virusencyclo/default5.asp?VName=WORM AGOBOT.GEN.…”

Section: Introductionmentioning

confidence: 99%

On the Limits of Payload-Oblivious Network Attack Detection

Collins¹,

Reiter

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. We introduce a methodology for evaluating network intrusion detection systems using an observable attack space, which is a parameterized representation of a type of attack that can be observed in a particular type of log data. Using the observable attack space for log data that does not include payload (e.g., NetFlow data), we evaluate the effectiveness of five proposed detectors for bot harvesting and scanning attacks, in terms of their ability (even when used in conjunction) to deter the attacker from reaching his goals. We demonstrate the ranges of attack parameter values that would avoid detection, or rather that would require an inordinately high number of false alarms in order to detect them consistently.

show abstract

Lessons learned from the deployment of a high-interaction honeypot

Cited by 75 publications

References 4 publications

SGNET: A Worldwide Deployable Framework to Support the Analysis of Malware Threat Models

SGNET: A Worldwide Deployable Framework to Support the Analysis of Malware Threat Models

SSH Honeypot: Building, Deploying and Analysis

On the Limits of Payload-Oblivious Network Attack Detection

Contact Info

Product

Resources

About