
Honeypot forensics for system and network SIEM design

Abstract : This chapter presents forensic investigations of cyber attackers' activities on a large-scale honeypot and shows how these methodologies can be integrated into a SIEM. The chapter describes our high-interaction honeypot and analyzes the illegal activities performed by attackers on the basis of the data collected over two years of attacks: logged sessions, intrusion detection system alerts, and mandatory access control system alerts. The empirical study of these illegal activities has allowed us to understand the global motivations of the attackers, their technical skills, and the geographical location of both the attackers and their targets. A generic method is presented that has enabled us to rebuild the illegal activities using correlation techniques operating on system and network events. Monitoring the network and the operations occurring on each system has provided a precise, high-level characterization of attacks. Finally, the chapter explains how network and system forensic methods can be integrated into a SIEM in order to monitor the security of a pool of hosts more accurately.
Document type :
Book sections
Contributor : Jean-François Lalande
Submitted on : Thursday, March 8, 2012 - 8:53:21 AM
Last modification on : Thursday, December 16, 2021 - 9:22:02 AM


  • HAL Id : hal-00677340, version 1


Jérémy Briffaut, Patrice Clemente, Jean-François Lalande, Jonathan Rouzaud-Cornabas. Honeypot forensics for system and network SIEM design. Guillermo Suárez de Tangil and Esther Palomar. Advances in Security Information Management: Perceptions and Outcomes, Nova Science Publishers, pp.181-216, 2013, Computer Science, Technology and Applications, Computer Networks, 978-1-62417-221-2. ⟨hal-00677340⟩


