Honeypot forensics for system and network SIEM design

Abstract : This chapter presents forensic investigations of cyber attackers' activities on a large-scale honeypot and shows how these methodologies can be integrated into a SIEM. The chapter describes our high-interaction honeypot and analyzes the illegal activities performed by attackers on the basis of data collected over two years of attacks: logged sessions, intrusion detection system (IDS) alerts and mandatory access control (MAC) alerts. The empirical study of these illegal activities has allowed us to understand the attackers' overall motivations, their technical skills, their geographical location and their targets. A generic method is presented that rebuilds the illegal activities by correlating system and network events. Monitoring both the network and the operations occurring on each system has provided a precise, high-level characterization of attacks. Finally, the chapter explains how network and system forensic methods can be integrated into a SIEM in order to monitor the security of a pool of hosts more accurately.
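The abstract's central idea is that system-side records (logged sessions, MAC alerts) and network-side records (IDS alerts) describe the same intrusion and can be joined into one per-attacker timeline. The following is an added example written for this page, not the chapter's own tooling, data or correlation rules: the three log formats, the sample events (documentation-range IPs, invented pids and timestamps), the pid-based and time-window join rules and the characterization tags are all assumptions made for illustration. System events join on the process id that the login record ties to an attacker IP; IDS alerts, which carry no pid, join on the attacker IP for inbound traffic and on the active session window for outbound traffic.

```python
"""Correlate honeypot events from three sources into per-attacker timelines.

Added example for this page; log formats, join rules and tags are assumptions
made for illustration, not the chapter's own data or method.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

TS = "%Y-%m-%dT%H:%M:%S"

# Constructed sample input (documentation-range IPs, invented pids/timestamps).
SESSION_LOG = [
    "2011-03-02T10:00:05 sshd[4121]: Accepted password for root from 198.51.100.7 port 52211 ssh2",
    "2011-03-02T10:00:41 cmd[4121]: wget http://example.invalid/x.tgz",
    "2011-03-02T10:01:02 cmd[4121]: chmod +x /tmp/x",
    "2011-03-02T10:01:03 cmd[4121]: /tmp/x",
    "2011-03-02T10:20:11 sshd[4133]: Accepted password for root from 203.0.113.9 port 41022 ssh2",
    "2011-03-02T10:20:30 cmd[4133]: cat /etc/passwd",
]
IDS_ALERTS = [
    "2011-03-02T10:00:39 IDS [1:2001] HTTP download of executable archive 198.51.100.7 -> 192.0.2.10",
    "2011-03-02T10:01:10 IDS [1:2002] Outbound IRC connection 192.0.2.10 -> 198.51.100.200:6667",
    "2011-03-02T12:00:00 IDS [1:2003] SSH brute force attempt 203.0.113.50 -> 192.0.2.10",
]
MAC_ALERTS = [
    "2011-03-02T10:01:03 MAC pid=4121 denied execute on /tmp/x for domain user_t",
]

LOGIN_RE = re.compile(r"^(\S+) sshd\[(\d+)\]: Accepted \w+ for (\S+) from (\S+) port")
CMD_RE = re.compile(r"^(\S+) cmd\[(\d+)\]: (.*)$")
IDS_RE = re.compile(r"^(\S+) IDS \[([\d:]+)\] (.*?) (\S+) -> (\S+)$")
MAC_RE = re.compile(r"^(\S+) MAC pid=(\d+) (.*)$")


@dataclass
class Attacker:
    ip: str
    pids: set = field(default_factory=set)
    start: Optional[datetime] = None
    end: Optional[datetime] = None
    events: list = field(default_factory=list)  # (time, source, text)

    def add(self, t, source, text):
        self.events.append((t, source, text))
        self.start = t if self.start is None or t < self.start else self.start
        self.end = t if self.end is None or t > self.end else self.end


def _t(ts):
    return datetime.strptime(ts, TS)


def correlate(session_log, ids_alerts, mac_alerts, grace=timedelta(minutes=5)):
    """Join the three streams on (pid, source IP, time window).

    Returns (attackers keyed by IP, IDS alerts that matched no session)."""
    attackers, pid_owner, unattributed = {}, {}, []
    # System side: a login ties a pid to an attacker IP; commands and MAC
    # denials carry that pid, so they join on it without timing guesswork.
    for line in session_log:
        m = LOGIN_RE.match(line)
        if m:
            ts, pid, user, ip = m.groups()
            a = attackers.setdefault(ip, Attacker(ip))
            a.pids.add(pid)
            pid_owner[pid] = ip
            a.add(_t(ts), "session", f"login as {user} (pid {pid})")
    for line in session_log:
        m = CMD_RE.match(line)
        if m and m.group(2) in pid_owner:
            attackers[pid_owner[m.group(2)]].add(_t(m.group(1)), "session", m.group(3))
    for line in mac_alerts:
        m = MAC_RE.match(line)
        if m and m.group(2) in pid_owner:
            attackers[pid_owner[m.group(2)]].add(_t(m.group(1)), "mac", m.group(3))
    # Network side: IDS alerts have no pid. Inbound alerts join on the attacker
    # IP; outbound ones (source is the honeypot) fall back to the session whose
    # window, extended by a grace period, covers the alert time.
    windows = {ip: (a.start, a.end) for ip, a in attackers.items()}
    for line in ids_alerts:
        m = IDS_RE.match(line)
        if not m:
            continue
        ts, sid, msg, src, dst = m.groups()
        t = _t(ts)
        owner = attackers.get(src.split(":")[0])
        if owner is None:
            cands = [ip for ip, (s, e) in windows.items() if s <= t <= e + grace]
            if cands:  # prefer the most recently started overlapping session
                owner = attackers[max(cands, key=lambda ip: windows[ip][0])]
        if owner is None:
            unattributed.append(line)
        else:
            owner.add(t, "ids", f"[{sid}] {msg} {src} -> {dst}")
    for a in attackers.values():
        a.events.sort()
    return attackers, unattributed


def characterize(a):
    """Illustrative tags derived from the merged timeline (example rules only)."""
    tags = set()
    for _, source, text in a.events:
        if source == "session" and re.match(r"(wget|curl)\b", text):
            tags.add("download")
        if source == "session" and re.search(r"/etc/(passwd|shadow)", text):
            tags.add("recon")
        if source == "mac" and "denied execute" in text:
            tags.add("exec_blocked")
        if source == "ids" and "IRC" in text:
            tags.add("c2")
    return tags


if __name__ == "__main__":
    found, leftover = correlate(SESSION_LOG, IDS_ALERTS, MAC_ALERTS)
    for ip, a in found.items():
        print(f"{ip}: {a.start} .. {a.end} tags={sorted(characterize(a))}")
        for t, source, text in a.events:
            print(f"  {t.time()} {source:7} {text}")
    print("unattributed:", leftover)
```

The point of the fallback rule is that a single source alone misattributes: the outbound IRC alert names only the honeypot as source, and only the session window ties it to the attacker who launched the downloaded binary; conversely the MAC denial shows the execution was blocked, which the IDS never sees. The alert that matches no session stays unattributed rather than being forced onto the nearest attacker, which is the behaviour a SIEM rule should have too.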
Document type :
Book sections

https://hal.archives-ouvertes.fr/hal-00677340
Contributor : Jean-François Lalande
Submitted on : Thursday, March 8, 2012 - 8:53:21 AM
Last modification on : Thursday, January 17, 2019 - 3:06:04 PM

Identifiers

  • HAL Id : hal-00677340, version 1

Citation

Jérémy Briffaut, Patrice Clemente, Jean-François Lalande, Jonathan Rouzaud-Cornabas. Honeypot forensics for system and network SIEM design. In: Guillermo Suárez de Tangil and Esther Palomar (eds.), Advances in Security Information Management: Perceptions and Outcomes, Nova Science Publishers, series Computer Science, Technology and Applications / Computer Networks, pp. 181-216, 2013, ISBN 978-1-62417-221-2. ⟨hal-00677340⟩
