This page is updated (check the update date at the end) every week after each session.

Course Description

The subject of this course is to use the Honeynet/pot technologies as a tool to discover and learn existing and new threats to networked/distributed information system. The course includes a project to build a custom honeypot to turn the theory into a practical collection engine. The course requires a high involvement from the participants.

Given by : Alexandre Dulaunoy


During the period of the course, there will be a specific project to realize. The project is fully integrated into the course sessions that means some topics covered will help to enhance or complete your work.

Project - Modus Operandi

The project is done in group. A group is composed of two people (three if required and approved). It preferred that the group is composed of at least one student having an experience with a computer programming language (e.g. Python, Perl, Ruby, C, Java). I also prefer that the group is working on distinct coverage. That means you must express the project description as soon as possible to all the class in the project wiki (url given in class).

Project - Topic

As the course is mainly covering the aspect of the honeynet/pot technologies, the group has to build a specific honeypot to cover a specific service used on Internet or/and in an internal IP network.

Backup project : building a complete and new covert-channel communication system/protocol.

Project - Rules

Project - Ideas

If you are lacking imagination, some potential ideas :

Project - Evaluation

Evaluation of the project is based : Originality (10%), Innovation (20%), Security (20%), Risks Analysis (20%), Data Collection/Analysis (20%), Documentation (10%).


Sat. 25 Jan 2008 (08h30->12h30)/SSIC Computer RoomIntroduction to Honeynet/pot Technologies
and network datacapture. Reminder regarding the legal status of Honeynet/pot and your ethical role.
Intro and History - Honeynets
Network Data Capture : Berkeley Packet Filter Legal framework of Honeynet/pots
Sat. 2 Feb 2008 (09h00->13h00)/SSIC Computer Room Packet capture: a key component of a honeynet. Analysis of malicious software. An alternative use of Honeypot. Network Data Capture : Berkeley Packet Filter - Analysis of malicious software -
Sat. 9 Feb 2008 (09h00->13h00)/SSIC Computer Room Extending the use of honeypot technologies. Data capture and collection in honeynet, a critical part. Scanning and testing your honeypot. A POP3 honeypot used as a security awareness tool. Datacapture and data colection in honeynet.
Sat. 15 Feb 2008 (09h00->13h00)/SSIC Computer Room Scanning and testing your honeypot. DNS Security and Good Practices. Testing the software running your honeypot. Network scanning to better see how your honeynet is visible and test your datacapture. Securing an Internet Name Server (CERT). Testing your honeypot. HoneyBot research and its application in your honeypot.
Sat. 1 March 2008 (09h00->13h00)/SSIC Computer Room STATUS review of your project What have we learn from the capture ? Forensic analysis a key component in incident response. Learning from the attacker, outcome from the analysis. Forensic analysis, how to do analysis on compromised information systems.
Sat. 8 March 2008 (09h00->13h00)/SSIC Computer Room (technical/documentation/completeness) review of your project One who develops future intellectual pursuits by understanding the research and works created by notable thinkers of the past papers used as "shoulders"
Call for Papers / Poster : 2008 Symposium on Usable Privacy and Security (SOUPS) - secrypt 2008 - USENIX Security '08
Sat. 14 March 2008 (09h00->13h00)/SSIC Computer Room (technical/documentation/completeness) review of your project

Sessions - Additional Support


You may find that the subject is too experimental and not yet mature for real-life application. If you have any issue with the course (including the way I teach it), don't hesitate to talk about as soon as possible.