Security and Results of a Large-Scale High-Interaction Honeypot

This paper presents the design and discusses the results of a secured high-interaction honeypot. The challenge is to have a honeypot that welcomes attackers, allows userland malicious activities but prevents system corruption. The honeypot must authorize real malicious activities. It must ease the analysis of those activities. A clustered honeypot is proposed for two kinds of hosts. The first class prevents a system corruption and never has to be reinstalled. The second class assumes a system corruption but an easy reinstallation is available. Various off-the-shelf security tools are deployed to detect a corruption and to ease analysis. Moreover, host and network information enable a full analysis for complex scenario of attacks. The solution is totally based on open source software and has been validated over two years. A complete analysis is provided using the collected events and alarms. First, different types of malicious activities are easily reconstructed. Second, correlation of alarms enables us to compare the efficiency of various off-the-shelf security tools. Third, a correlation eases a complete analysis for the host and network activities. Finally, complete examples of attacks are explained. Ongoing works focus on recognition of complex malicious activities using a correlation grid and on distributed analysis.