Honeypot forensics

F. Raynal, Y. Berthier, P. Biondi, D. Kaminsky
DOI: 10.1109/iaw.2004.1437793 (https://doi.org/10.1109/iaw.2004.1437793)
Published in: Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop, 2004.
Citations: 26

Abstract

The deployment of low-interaction honeypots, used mainly as deception tools, has become increasingly common. Another interesting but more resource- and time-consuming playground is made available by high-interaction honeypots, where a blackhat can connect to the system and download, install and execute his own tools in a less constrained environment. Once caught in the honeypot, the blackhat leaves many fingerprints behind: network activity (information-gathering scans, IRC chats, mail, etc.) and system activity (what he did on the system, which tools he used, etc.). The aim of honeypot forensics is to identify these fingerprints as part of the evidence-gathering process. We present a methodology that helps the analyst achieve this goal. The first step is to analyze the honeypot's ingress and egress network traffic. The second is to look at the actions performed by the blackhat and the tools he used on the honeypot. The next step is to correlate these data: network and system events are joined to identify common events or patterns, and also to highlight unexplained items so that the analyst can focus on them.