Honeypot forensics for system and network SIEM design

Abstract: This chapter presents forensic investigations of cyber attackers' activities on a large-scale honeypot and shows how these methodologies can be integrated into an SIEM. The chapter describes our high-interaction honeypot and analyzes the illegal activities performed by attackers on the basis of the data collected over two years of attacks: logged sessions, intrusion detection system alerts, and mandatory access control system alerts. The empirical study of these illegal activities has allowed us to understand the global motivations of the attackers, their technical skills, and the geographical location of the attackers and their targets. A generic method is presented that has enabled us to rebuild the illegal activities using correlation techniques operating on system and network events. Monitoring the network and the operations occurring on each system has provided a precise and high-level characterization of attacks. Finally, the chapter explains how network and system methods for forensics can be integrated into an SIEM in order to more accurately monitor the security of a pool of hosts.
Document type:
Book chapter
Guillermo Suárez de Tangil and Esther Palomar. Advances in Security Information Management: Perceptions and Outcomes, Nova Science Publishers, pp.181-216, 2013, Computer Science, Technology and Applications, Computer Networks, 978-1-62417-221-2

https://hal.archives-ouvertes.fr/hal-00677340
Contributor: Jean-François Lalande <>
Submitted on: Thursday 8 March 2012 - 08:53:21
Last modified on: Wednesday 29 November 2017 - 10:19:00

Identifiers

  • HAL Id: hal-00677340, version 1

Citation

Jérémy Briffaut, Patrice Clemente, Jean-François Lalande, Jonathan Rouzaud-Cornabas. Honeypot forensics for system and network SIEM design. Guillermo Suárez de Tangil and Esther Palomar. Advances in Security Information Management: Perceptions and Outcomes, Nova Science Publishers, pp.181-216, 2013, Computer Science, Technology and Applications, Computer Networks, 978-1-62417-221-2. 〈hal-00677340〉
