ISSN : 1796-203X
Volume : 4    Issue : 5    Date : May 2009

Security and Results of a Large-Scale High-Interaction Honeypot
Jeremy Briffaut, Jean-Francois Lalande, and Christian Toinard
Page(s): 395-404
Full Text:
PDF (638 KB)

This paper presents the design and discusses the results of a secured high-interaction honeypot.
The challenge is to have a honeypot that welcomes attackers, allows userland malicious activities
but prevents system corruption. The honeypot must authorize real malicious activities. It must ease
the analysis of those activities. A clustered honeypot is proposed for two kinds of hosts. The first
class prevents a system corruption and never has to be reinstalled. The second class assumes a
system corruption but an easy reinstallation is available. Various off-the-shelf security tools are
deployed to detect a corruption and to ease analysis. Moreover, host and network information
enable a full analysis for complex scenario of attacks. The solution is totally based on open source
software and has been validated over two years. A complete analysis is provided using the collected
events and alarms. First, different types of malicious activities are easily reconstructed. Second,
correlation of alarms enables us to compare the efficiency of various off-the-shelf security tools.
Third, a correlation eases a complete analysis for the host and network activities. Finally, complete
examples of attacks are explained. Ongoing works focus on recognition of complex malicious
activities using a correlation grid and on distributed analysis.

Index Terms
High-Interaction Honeypot, Attack Monitoring, Intrusion Detection System