SPRINGER BRIEFS ON
CYBER SECURITY SYSTEMS AND NETWORKS

Chee Keong Ng · Lei Pan · Yang Xiang

Honeypot Frameworks and their Applications: A New Framework
SpringerBriefs on Cyber Security Systems
and Networks

Editor-in-Chief
Yang Xiang, Digital Research and Innovation Capability, Swinburne University of
Technology, Hawthorn, Melbourne, VIC, Australia

Series editors
Liqun Chen, University of Surrey, Guildford, UK
Kim-Kwang Raymond Choo, University of Texas at San Antonio, San Antonio,
TX, USA
Sherman S. M. Chow, Department of Information Engineering, The Chinese
University of Hong Kong, Shatin, Hong Kong
Robert H. Deng, School of Information Systems, Singapore Management
University, Singapore, Singapore
Dieter Gollmann, Hamburg University of Technology, Hamburg, Germany
Javier Lopez, University of Málaga, Málaga, Spain
Kui Ren, University at Buffalo, Buffalo, NY, USA
Jianying Zhou, Singapore University of Technology and Design, Singapore,
Singapore
The series aims to develop and disseminate an understanding of innovations,
paradigms, techniques, and technologies in the contexts of cyber security systems
and networks related research and studies. It publishes thorough and cohesive
overviews of state-of-the-art topics in cyber security, as well as sophisticated
techniques, original research presentations and in-depth case studies in cyber
systems and networks. The series also provides a single point of coverage of
advanced and timely emerging topics as well as a forum for core concepts that may
not have reached a level of maturity to warrant a comprehensive textbook. It
addresses security, privacy, availability, and dependability issues for cyber systems
and networks, and welcomes emerging technologies, such as artificial intelligence,
cloud computing, cyber physical systems, and big data analytics related to cyber
security research. The series mainly focuses on the following research topics:

Fundamentals and Theories
• Cryptography for cyber security
• Theories of cyber security
• Provable security

Cyber Systems and Networks
• Cyber systems security
• Network security
• Security services
• Social networks security and privacy
• Cyber attacks and defense
• Data-driven cyber security
• Trusted computing and systems

Applications and Others
• Hardware and device security
• Cyber application security
• Human and social aspects of cyber security

More information about this series at http://www.springer.com/series/15797


Chee Keong Ng · Lei Pan · Yang Xiang

Honeypot Frameworks and their Applications: A New Framework

Chee Keong Ng
School of Information
Deakin University
Burwood, Melbourne, VIC, Australia

Lei Pan
School of Information
Deakin University
Burwood, Melbourne, VIC, Australia

Yang Xiang
Digital Research and Innovation Capability
Swinburne University of Technology
Hawthorn, Melbourne, VIC, Australia
ISSN 2522-5561 ISSN 2522-557X (electronic)


SpringerBriefs on Cyber Security Systems and Networks
ISBN 978-981-10-7738-8 ISBN 978-981-10-7739-5 (eBook)
https://doi.org/10.1007/978-981-10-7739-5
Library of Congress Control Number: 2018938790

© The Author(s) 2018


This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part
of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations,
recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission
or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar
methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this
publication does not imply, even in the absence of a specific statement, that such names are exempt from
the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this
book are believed to be true and accurate at the date of publication. Neither the publisher nor the
authors or the editors give a warranty, express or implied, with respect to the material contained herein or
for any errors or omissions that may have been made. The publisher remains neutral with regard to
jurisdictional claims in published maps and institutional affiliations.

Printed on acid-free paper

This Springer imprint is published by the registered company Springer Nature Singapore Pte Ltd.
part of Springer Nature
The registered company address is: 152 Beach Road, #21-01/04 Gateway East, Singapore 189721,
Singapore
This book is dedicated to those who are interested in knowing more about honeypots. It does not matter whether you are an expert or a novice; this book is for you.
Preface

Most people understand honeypots as systems that sit in an isolated corner of the network, waiting for attackers to discover and compromise them. This is often untrue; in fact, in some frameworks honeypots occupy the prime spot in an organisational network to lure potential hackers. As new instances of malware appear so rapidly, more spotlight has been placed on honeypot technology.

This book gives a detailed description of honeypots, including their forms, purposes, natures and interaction. It also gives an in-depth introduction to the different types of honeypot, their applications in monitoring and capturing malware, and the adversary tactics used to detect honeypots.

The main role of the honeypot, which effectively assists researchers in deriving solutions to deadly malware attacks, is outlined in the book. This book also gives rich information on other roles and uses of honeypots, not only in the area of cyber and network security but also in collecting evidence for forensic investigation. Finally, this book addresses the importance of the honeypot as a learning tool for detecting future malware such as ransomware.

Burwood, Melbourne, Australia    Chee Keong Ng
Burwood, Melbourne, Australia    Lei Pan
Hawthorn, Melbourne, Australia   Yang Xiang
Acknowledgements

Thanks to Almighty God for enabling and helping me to complete this book.
I would like to first express my appreciation to my family, especially my wife, Xinying Liu, for her support and love. I would like to also express my most sincere gratitude to my supervisor, Prof. Xiang Yang, and Dr. Lei Pan for their wisdom and advice, which were essential for the completion of this book.
Next, I would like to also express my token of appreciation to NSCLab, especially Dr. Jun Zhang, for their moral support.
Lastly, I would like to thank Springer Publication for giving me this opportunity to share my knowledge and findings in their book. I would also like to express my thanks to the editor, Dr. Xiaolan Yao, for her patience and assistance.
Contents

1 Introduction to Honeypot ... 1
1.1 Introduction ... 1
References ... 3
2 Design Honeypots ... 7
2.1 The Concept of Honeypot (Basic Taxonomy) ... 7
2.2 Advanced Taxonomy of Honeypot ... 10
2.3 Roadmap of the Honeypot Concept ... 11
2.4 Challenges in Designing Honeypot ... 11
References ... 13
3 Specialized Honeypot Applications ... 15
3.1 Web-Server Based Honeypot ... 15
3.2 Web Client-Based Honeypot ... 18
3.3 Worm Detection Honeypot ... 21
3.4 Bot Detection Honeypot ... 25
3.5 Honeytoken ... 29
3.5.1 Anti-phishing Honeypot ... 29
3.5.2 Insider Detection Honeypot ... 32
3.6 Advanced Persistent Threat Honeypot ... 36
References ... 39
4 General Purposed Honeypot Applications ... 43
4.1 Dynamic Honeypot ... 43
4.2 Artificial Intelligent Honeypot ... 47
4.3 Shadow Honeypot ... 48
References ... 50
5 Other Honeypot Applications ... 51
5.1 Concealment of Honeypot ... 51
5.2 Application of Forensic in Honeypot ... 53
5.2.1 Honeypot Forensic for General Type Attack ... 55
5.2.2 Honeypot Forensics for Botnet ... 62
5.3 Direct Role of Honeypot in a Security System ... 64
References ... 65
6 Honeypot Framework, Limitation and Counter-Measure ... 67
6.1 Conceptual Framework ... 67
6.2 Common Features of Honeypot ... 69
6.3 Other Honeypot Detection Method ... 71
References ... 73
7 Ransomware and Honeypot ... 75
7.1 Ransomware ... 75
7.2 Ransomware Honeypot ... 76
7.3 Bitcoin Honeytoken ... 77
References ... 77
8 Conclusions and Future Work ... 79
8.1 Conclusion ... 79
8.1.1 Summary ... 79
8.1.2 Future Research Work ... 81
Chapter 1
Introduction to Honeypot

Abstract A honeypot is a decoy system or simulated application that simulates an entire network to lure attackers by disguising itself with popular vulnerabilities. There are different types of honeypots. For instance, a research honeypot can assist researchers in monitoring and analysing the attacker activities captured in the honeypot. Usually, honeypots are categorised into three sub-types based on purpose, interaction and form, and are further categorised according to nature, specialisation and framework. The honeypot, however, is not a foolproof concept; it can often be detected by an experienced attacker, and information about honeypot features and anti-honeypot tools is widely available online to educate attackers. This book covers honeypots that detect some of the more popular and damaging attacks, such as worms, DDoS, APT, phishing and insider breaches. It also covers the application of forensics work in honeypots and concepts proposed by honeypot researchers to enhance the features of honeypots so as to make it difficult to distinguish between a real host and a honeypot.

1.1 Introduction

When the honeypot was introduced by Fred Cohen in 1998 [1], it was known as a deception toolkit used to trap attackers with a large number of widely known vulnerabilities. The term "honeypot" was first used by Lance Spitzner in 2002 to describe how attackers are lured toward a system perceived to possess valuable information, similar to the way a bee is attracted to the honey in a honeypot [2]. The initial intention of the honeypot was research: it is used to capture, analyse and derive the motivation behind an attack. Different types of honeypots, such as honeyd [3], a low-interaction honeypot, and Sebek [4], a real system with a real operating system, were created by researchers to allow honeypots to interact with the attacker and improve the concealment of the honeypot. The honeypot has evolved from merely a toolkit into a real system equipped with "real" data.
Honeypots have been divided into different categories. Most people distinguish honeypots by their capability of interaction, such as the low-interaction honeypot and the high-interaction honeypot. Honeypots can also be categorised based on their form type, purpose, structure and nature. Honeypots can be used to cater for general attacks such as server-based and client-based attacks, or for more specialised attacks such as APT [5], worms, DDoS [6] and insiders [7].

© The Author(s) 2018. C. K. Ng et al., Honeypot Frameworks and their Applications: A New Framework, SpringerBriefs on Cyber Security Systems and Networks, https://doi.org/10.1007/978-981-10-7739-5_1
The importance of the honeypot has increased rapidly, especially in the early part of this millennium, when worms, botnets and other malware attacks became more frequent and common, causing serious economic losses. Researchers have proposed various honeypot frameworks to tackle the ever-growing issue. These include the application of:
1. The multiple-honeynet framework for polymorphic worms [8–11]
2. The combined advantages of low- and high-interaction honeypots to capture malware exploitation [12, 13]
3. Honeypots with a redirect toolkit or anomaly detection to capture botware [14–16]
Honeypots have also been implemented as part of the security system in a production environment, serving as an early warning of any intrusion discovered and distracting the attacker away from the real system. Even though honeypots can be used to prevent attacks, their main responsibilities, namely monitoring, collecting and analysing the activities of the attacker and the attack, remain unchanged, albeit to a much lesser degree. While the work of the honeypot continues, honeypots also contribute greatly to forensic analysis. A new term, "honeypot forensics", refers to the application of forensic work in the honeypot. Some researchers [17] believe that the traditional forensics method has become irrelevant and is no longer adequate to meet its expectation when analysing the data collected using honeypots.
Honeypots do face several technical challenges. Honeypots have some fixed identities/features which give themselves away. This is also due to the availability of information about honeypots online, such as Project Honeypot (www.projecthoneypot.net) and honeynet.org [18]. These sites provide downloads of all open-source honeypot applications and source code, so the attacker can easily learn and study the strengths and weaknesses of honeypots.
Attackers can use methods such as fingerprint attacks [19], response timing analysis [20, 21] and sending attack traffic from the compromised machine [22] to determine the presence of a honeypot. There are also many open-source anti-honeypot toolkits, such as honeypot hunter, freely available to detect honeypots.
Honeypots also face other challenges such as honeypot immersion [23]. Honeypot immersion describes the experience of adversaries when engaging with the honeypot system. Sometimes the ease of compromising a honeypot may hold back or scare off a more experienced person from attacking the honeypot.
The honeypot has been a very useful tool to learn about ransomware and its attacks. However, there are very few papers about the application of honeypots to ransomware attacks, despite the growing popularity of ransomware. Ransomware encrypts the files of legitimate users and demands extortion money from them [24], in the form of cryptocurrency such as bitcoin. Ransomware has caused devastating financial damage to society and is the fastest growing malware. The number of ransomware variants has increased ten-fold since 2013. A client honeypot equipped with CaptureBat [25] collects information on amended registry entries, file activities and the communication between the ransomware and its command-and-control (CNC) server. The information collected is used for two purposes: to formulate a more effective signature and to derive a solution to decrypt the encrypted files. The proposed solution will use multiple server-based honeypots equipped with the Cuckoo sandbox [26], the REMnux framework [27] and a signature generator to enhance its efficiency in capturing the full capabilities of the ransomware.
The honeypot is used to capture the specific pattern of different types of ransomware. A honeypot using a honeytoken is used to trace the bitcoin transaction to its destination. A signal beacon is embedded into the bitcoin transaction so that, once the transaction reaches its destination and is accessed, the beacon is activated and reports back to the sensor server [28].
The aims of this survey are to:
1. Demonstrate the great flexibility of honeypots
2. Provide rich insight for readers to understand different honeypot approaches to the same problem
3. Outline the limitations of honeypots and solutions to those limitations
4. Present current anti-honeypot methods and their counter-methods
5. Contribute honeypot and honeytoken approaches to popular malware such as ransomware
The rest of the book is organised as follows. Chapter 2 explains the basic and advanced concepts of the honeypot and the roadmap of the whole survey. Chapters 3, 4 and 5 describe the different ground-breaking honeypot concepts proposed by researchers and their uses. Chapter 3 describes the specialised client and server honeypots at great length. Chapter 4 focuses on general-purpose honeypots, including the shadow honeypot and the dynamic honeypot. The various methods of cover and concealment that contribute to the success of the reconnaissance work performed by the honeypot are covered in Chap. 5. The use of honeypots in forensic work is discussed at the end of Chap. 5. Chapter 6 summarises the conceptual framework of the honeypot and describes the anti-honeypot methods and their proposed counter-measures. Chapter 7 discusses the application of the honeypot concept to ransomware, followed by Chap. 8, which concludes the book and sums up future research work.

References

1. F. Cohen et al., The deception toolkit. Risks Digest 19 (1998)
2. L. Spitzner, Honeypots: catching the insider threat, in 19th Annual Computer Security Applications Conference, 2003. Proceedings (IEEE, 2003), pp. 170–179
3. N. Provos, Honeyd: a virtual honeypot daemon, in 10th DFN-CERT Workshop, vol. 2 (Hamburg, Germany, 2003), p. 4
4. The Honeynet Project, Know your enemy: Sebek, a kernel based data capture tool (2003)
5. M.K. Daly, Advanced persistent threat, vol. 4 (Usenix, Nov 2009)
6. J. Mirkovic, P. Reiher, A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Comput. Commun. Rev. 34(2), 39–53 (2004)
7. R. Chinchani, A. Iyer, H.Q. Ngo, S. Upadhyaya, Towards a theory of insider threat assessment, in 2005 International Conference on Dependable Systems and Networks (DSN'05) (IEEE, 2005), pp. 108–117
8. A.N.A. AlFraih, W. Chen, Design of a worm isolation and unknown worm monitoring system based on honeypot, in International Conference on Logistics Engineering, Management and Computer Science (LEMCS 2014) (Atlantis Press, 2014)
9. S. Paul, B.K. Mishra, Honeypot-based signature generation for polymorphic worms. Int. J. Secur. Appl. 8(6), 101–114 (2014)
10. M.M. Mohammed, E. Aleisa, N. Ventura, Zero-day polymorphic worms detection using Aho-Corasick algorithm
11. P. Jain, A. Sardana, Defending against internet worms using honeyfarm, in Proceedings of the CUBE International Information Technology Conference (ACM, 2012), pp. 795–800
12. L. Vokorokos, P. Fanfara, J. Radusovsky, P. Poor, Sophisticated honeypot mechanism: the autonomous hybrid solution for enhancing computer system security, in 2013 IEEE 11th International Symposium on Applied Machine Intelligence and Informatics (SAMI) (IEEE, 2013), pp. 41–46
13. K. Chawda, A.D. Patel, Dynamic & hybrid honeypot model for scalable network monitoring, in 2014 International Conference on Information Communication and Embedded Systems (ICICES) (IEEE, 2014), pp. 1–5
14. I. Alberdi, E. Alata, V. Nicomette, P. Owezarski, M. Kaâniche, Shark: spy honeypot with advanced redirection kit, in IEEE Workshop on Monitoring, Attack Detection and Mitigation (MonAM07) (2007), pp. 47–52
15. R. Selvaraj, V.M. Kuthadi, T. Marwala, An effective ODAIDS-HPS approach for preventing, detecting, and responding to DDoS attacks. Br. J. Appl. Sci. Technol. 5(5), 500 (2015)
16. S.S. Sadamate, V. Nandedkar, Advance honeypot mechanism: the hybrid solution for enhancing computer system security with DoS, vol. 4 (2015)
17. B.-X. Jia, S.-X. Xie, Dynamic forensics model based on ontology and context information. Netinfo Secur. 1, 026 (2012)
18. The Honeynet Project, www.honeynet.org
19. O. Hayatle, A. Youssef, H. Otrok, Dempster-Shafer evidence combining for (anti)-honeypot technologies. Inf. Secur. J. Glob. Perspect. 21(6), 306–316 (2012)
20. S. Mukkamala, K. Yendrapalli, R. Basnet, M. Shankarapani, A. Sung, Detection of virtual environments and low interaction honeypots, in Information Assurance and Security Workshop, 2007. IAW'07. IEEE SMC (IEEE, 2007), pp. 92–98
21. X. Fu, W. Yu, D. Cheng, X. Tan, K. Streff, S. Graham, On recognizing virtual honeypots and countermeasures, in 2nd IEEE International Symposium on Dependable, Autonomic and Secure Computing (IEEE, 2006), pp. 211–218
22. C.C. Zou, R. Cunningham, Honeypot-aware advanced botnet construction and maintenance, in International Conference on Dependable Systems and Networks, 2006. DSN 2006 (IEEE, 2006), pp. 199–208
23. A. Nicholson, H. Janicke, T. Watson, R. Smith, Rolling the dice: deceptive authentication for attack attribution, in Reading: Academic Conferences International Limited (2015), pp. 223–XI, http://ezproxy.deakin.edu.au/login?url=http://search.proquest.com/docview/1781336066?accountid=10445
24. G. O'Gorman, G. McDonald, Ransomware: a growing menace (Symantec Corporation, 2012)
25. C. Seifert, R. Steenson, I. Welch, P. Komisarczuk, B. Endicott-Popovsky, Capture: a behavioral analysis tool for applications and documents. Digit. Investig. 4(Suppl), 23–30 (2007)
26. Cuckoo Sandbox, Automated malware analysis (2013)
27. L. Pearce, Malware analysis in a nutshell. Technical Report (Los Alamos National Laboratory (LANL), 2016)
28. B.M. Bowen, M.B. Salem, A.D. Keromytis, S.J. Stolfo, Monitoring technologies for mitigating insider threats, in Insider Threats in Cyber Security (Springer, 2010), pp. 197–217
Chapter 2
Design Honeypots

Abstract According to Lance Spitzner, any information collected by a honeypot is deemed to be an attack or unauthorised intrusion. The honeypot can be considered at two levels of taxonomy. The basic level defines the logical order for planning the implementation of a honeypot and explains each category of honeypot. The advanced taxonomy covers the deeper meaning of the honeypot and describes some of the specialised honeypot frameworks. In this chapter, a roadmap is provided to allow the reader to easily grasp the number of honeypot frameworks discussed in Chap. 3. Honeypot developers and researchers face several challenges, such as the type of honeypot to be implemented, the type of IDS used and the level of difficulty for the hacker. An inappropriate decision may result in collecting the wrong information or even exposing the honeypot itself.

2.1 The Concept of Honeypot (Basic Taxonomy)

Any movement found in the honeypot is deemed to be malicious and is treated as an intrusion. The data set collected by a honeypot is small but high in value. According to Lance Spitzner, "A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource" [1]. This simply means that a honeypot is deemed useless if it has not been probed. An unprobed honeypot may nevertheless reveal other useful information, which contradicts the above definition, namely:
1. The current honeypot technology has exposed itself as a trap
2. The attackers have lost interest in the current honeypot setup
Figure 2.1 shows the different categories of honeypot in layers in ascending order. Each layer requires a decision before moving down to the next layer.
Honeypots are used for different purposes. They are divided into two main categories, namely research and production.
The research honeypot is used to collect, monitor and analyse the activities of the attacker and the tools used to hack into the honeypot. It is used to discover unknown vulnerabilities and attacks.
© The Author(s) 2018 7
C. K. NG et al., Honeypot Frameworks and their Applications:
A New Framework, SpringerBriefs on Cyber Security Systems and Networks,
https://doi.org/10.1007/978-981-10-7739-5_2

Fig. 2.1 The overview of honeypot concept in layer

Unlike the research honeypot, the production honeypot focuses on the defensive aspect.
It is mainly implemented behind the firewall and concealed within the production
network. Its purpose is to keep attackers away from the actual system. It creates
an illusion that the attackers are attacking the actual system and alerts the system
administrator of the intrusion.
Gangfu Feng’s proposed linkage defense system design with honeypot [2] is an
excellent example of a production-type honeypot. This proposed system includes a
honeypot and other traditional security systems to protect the production network.
Three important factors contribute to the success of this honeypot framework:
network data collection, cover and concealment, and logging of all
activities. This honeypot framework has the ability to interact with its owner with
expected responses and to record all activities of the attacker. It has no difference from
the real system in terms of response and timing, which helps it avoid being detected.
The nature of the honeypot is an important factor that needs to be carefully
considered. This category can be classified into server-based or client-based honeypots. A
server-based honeypot is passive in nature, whereas a client-based honeypot actively
searches for attacks over the Internet. It is important to note that all production
honeypots, to the best of our knowledge, are passive in nature.
Radek Hes proposes an active client-based honeypot framework, Capture-HPC. It
actively searches for malicious servers which attack web browsers or other applications
such as Acrobat Reader [3]. The proposed framework consists of a central control server
and multiple client honeypots. The server sends a series of commands to the clients,
which in turn act on them. The task of the client honeypot is to monitor
and capture any changes in the file system, registry and communication while visiting
the targeted web site or remote material. The changes are communicated back to
the server.

A honeypot can be set up as a simple standalone honeypot, like the framework
used in the insider detection honeypot [4], or as a network of honeypots with a more
complex setup, such as the multiple worm detection honeynet framework [5]. This complex
setup is usually referred to as a honeynet or a honeyfarm. The honeynet implementation
can also be further classified according to its variety: it can be implemented
as a network of a single type of interactive honeypot or comprise several different
interactive honeypots.
Honeypots can also be differentiated by their form. There are two forms,
namely the virtual honeypot and the physical honeypot. Physical honeypots use a dedicated
host for each honeypot, which is more costly compared to a honeypot that is virtually
set up. A virtual honeypot is set up on a single computer with shared resources [6].
These honeypots can be used to imitate a real production network with real working
servers and other resources, producing the same results as a physically
implemented honeypot. The virtually implemented honeypot can be a high-interaction
honeypot (real operating system with real vulnerabilities), a low-interaction honeypot
(emulated services) or a group of honeypots, which is also referred to as a honeynet.
Xuxian Jiang proposes an interesting “out of the box” concept for the virtual honeypot.
The “out of the box” is realized by moving the anti-virus security suite or monitoring
software out of the virtual machine to the host [7]. The author pointed out some of
the blind spots and the danger of being detected by anti-malware software and IDS
which are implemented inside the honeypot with the “in the box” concept. However, the
“out of the box” concept is not flawless: the semantic view which the “in the
box” approach enjoys is lost, as only the memory pages, registers and disk blocks can
be seen.
This issue can be resolved by using a third-party application, VMwatcher, to
provide non-intrusive virtual machine introspection that does not disturb the system
state of the virtual machine being monitored. The guest view casting application
reconstructs the semantic-level view of the VM, which bridges the semantic gap
mentioned earlier. Guest view casting also allows the anti-malware software to
perform an equivalent “in the box” scan for viruses and malware without the host
being affected.
Honeypots themselves, in principle, are classified into two main types,
low-interaction and high-interaction honeypots [1]. The low-interaction honeypot is
typically an emulation software tool used to imitate network services and host
systems. It provides limited interaction with the attacker and is generally used to trap
and monitor attackers using known attacks [8].
Jungsuk Song has included a low-interaction honeypot in his proposed active
cooperation-based honeypot to detect attacks [9]. The proposal consists of two
parts, a set of low-interaction honeypots and the control server. The honeypot is
further broken down into three components: the monitoring system (TAP),
which is responsible for the communication between attacker and honeypot; the
honeypot (Nepenthes), which responds to the attacker’s requests; and the firewall (FW), which
allows the communication between the honeypot and the control server. The responsibility of
the honeypot is to contain the attack as long as possible, and the decision of which
port to open in the honeypot is made by the control server by sending instructions
to the FW, which acts accordingly. Another function of the control server is
to collect and analyze the data from the honeypot.
High-interaction honeypots use systems with a real operating system and real services,
virtual or physical, for the attacker to compromise. They provide a lot of interaction
between the system and the attacker and allow researchers to discover new kinds of attack.
Both high-interaction and low-interaction honeypots have certain advantages
and disadvantages. The advantage of a low-interaction honeypot is that it is easy to set up and
configure; its disadvantage is that detection is limited to known threats. As mentioned
above, a high-interaction honeypot can discover new threats and malware, but it is more
complex to set up. Unlike a low-interaction honeypot, in which the monitoring and logging
functions are included in the emulation software itself, the monitoring software, event
logging software, firewall and IDS of a high-interaction honeypot need to be carefully planned, considered and
configured to prevent attackers from using the honeypot to their advantage.
Figure 2.1 provides a hierarchical flow for honeypot decision making. The choice
of interaction type, form, variety and setup is influenced by the honeypot’s purpose
and nature. The decision may also be guided by the budget and expertise
available, which are not relevant here and will not be discussed in this survey.

2.2 Advanced Taxonomy of Honeypot

The basic taxonomy of honeypots gives only a superficial explanation of each category of
honeypot. In this section, we would like to expand the nature of honeypots further
according to their specialization and framework. They will be renamed as attack
types. Table 2.1 gives a full review of the advanced taxonomy of honeypots.

Table 2.1 Overview of the advanced taxonomy

Attack type | Specialization | Framework
Honeypot | Client-based | Web-based
 | | General purpose
Honeytoken | Phishing |
 | Insider |
Honeypot | Server-based | Web-based
 | | Worm detection
 | | Bot detection
 | | APT detection
 | General purpose | Dynamic
 | | AI
 | | Shadow

In the attack type, the honeytoken has been included as a class of its own. A
honeytoken can be passive or active in nature, and this will be elaborated further in the
next section.
The attack type is expanded, and a new category called specialization is added.
The specialization class describes the honeypot application for a specified attack and
the honeypot technique used. This includes:
1. Web server-based honeypot
2. Web client-based honeypot
3. Worm detection honeypot
4. Bot detection honeypot
5. APT detection honeypot
6. General purpose honeypot
The general purpose honeypot aims to detect more than one type of attack, and
it can be further expanded based on its framework. Thus, the framework class is created.
These include:
1. Shadow honeypot
2. Dynamic honeypot
3. Artificial intelligence honeypot

2.3 Roadmap of the Honeypot Concept

Figure 2.2 shows a roadmap of the honeypots and the proposed frameworks to be
discussed. The articles are grouped according to their functionalities. There are ten main
groups, namely web-based honeypot, worm detection honeypot, bot detection honeypot,
dynamic honeypot, shadow honeypot, honeytoken, advanced persistent threat
detection honeypot and production honeypot.

2.4 Challenges in Designing Honeypot

Honeypots provide us with rich and relevant information about the intruder and his/
her attack. This can only be fulfilled when the honeypot is set up appropriately with
certain properties that attract the attacker. Researchers face enormous challenges in
the initial setup, with questions such as:
1. What type of honeypot should be used?
2. Which IDS should be included in the research?
3. What kind of attack should be captured?
4. What vulnerability should the honeypot exhibit?

Fig. 2.2 The roadmap of honeypot

Often, researchers are able to capture a great number of attacks from the “wild”.
Those attacks do provide research value, but only to a limited extent, because
most of the attacks captured come from script kiddies who take hacking as merely an
interest.
Researchers fail to consider serious hackers such as black-hat professionals and
organized cyber-criminal gangs. The use of popular vulnerabilities allows the honeypot
to be compromised easily. Thus, the level of challenge in compromising it is
relatively low, which drives those people away. What should the level of immersion in the
honeypot be? Should the honeypot owner also consider making the process
of compromise challenging and “interesting” to the expert hacker?

References

1. L. Spitzner, Honeypots: catching the insider threat, in 19th Annual Computer Security Applications Conference, 2003. Proceedings (IEEE, 2003), pp. 170–179
2. G. Feng, C. Zhang, Q. Zhang, A design of linkage security defense system based on honeypot, in Trustworthy Computing and Services (Springer, 2014), pp. 70–77
3. R. Hes, P. Komisarczuk, R. Steenson, C. Seifert, The Capture-HPC client architecture, Technical Report (Victoria University of Wellington, 2009)
4. B.M. Bowen, M.B. Salem, A.D. Keromytis, S.J. Stolfo, Monitoring technologies for mitigating insider threats, in Insider Threats in Cyber Security (Springer, 2010), pp. 197–217
5. B.K. Mirsha, U. Kumar, G. Sahoo, Double-Sticky-Honeynet for Defending Viruses in Computer Network, vol. 7 (2012), pp. 131–134
6. L. Spitzner, Dynamic honeypots (2003)
7. X. Jiang, X. Wang, D. Xu, Stealthy malware detection through VMM-based out-of-the-box semantic view reconstruction, in Proceedings of the 14th ACM Conference on Computer and Communications Security (ACM, 2007), pp. 128–138
8. D. Dagon, X. Qin, G. Gu, W. Lee, J. Grizzard, J. Levine, H. Owen, HoneyStat: local worm detection using honeypots, in Recent Advances in Intrusion Detection (Springer, 2004), pp. 39–58
9. J. Song, H. Takakura, Y. Okabe, Cooperation of intelligent honeypots to detect unknown malicious codes, in WOMBAT Workshop on Information Security Threats Data Collection and Sharing, 2008. WISTDCS’08 (IEEE, 2008), pp. 31–39
Chapter 3
Specialized Honeypot Applications

Abstract In this chapter, different evolutionary concepts of specialized honeypots
that address the rapidly growing concerns about various threats are compared and
discussed. As mentioned in the previous chapter, a honeypot can be built for a very
specific purpose, which we call a ‘specialized’ honeypot. These honeypots
are used to monitor a very specific malware or attack, such as worms and advanced
persistent attacks.

3.1 Web-Server Based Honeypot

A web-server based honeypot is a honeypot which acts as a web server. This
server, either an emulated service or an actual server implemented physically or virtually, is used to probe
the attack. The term honeypot often refers to a server-based honeypot. The web-server based
honeypot waits for attackers to discover its vulnerabilities and compromise it. The
main purpose of this honeypot is to attract attacks so as to collect information about
the malicious activities. Table 3.1 gives a summary of the web server-based honeypots
which will be discussed in detail.
When the first web server was introduced in the late 1970s, it was limited to the
hypertext markup language, also called HTML for short. The purpose of the web
server was browsing, and it provided no interaction between the user and the server.
The software and hardware technology available at that time contributed to this
limitation. Then, in the late 1990s, functions such as search,
posting and uploading were made available for Internet users to interact with the server
through the introduction of the common gateway interface (CGI). As the
Chinese idiom says, “Water can float a boat, but it can also sink a boat”: CGI
can be used for a good cause, and it can be used to inflict damage on the server.
Flooding the server through the use of CGI became the first known web application attack
[4].
New frameworks such as PHP, ASP.NET, AJAX and so on have replaced CGI
as technology has continued to advance rapidly from the early twenty-first century
up to the present day. The new frameworks provide more interactive features which
allow users more flexibility and power to manage data within the web application.
© The Author(s) 2018 15
C. K. NG et al., Honeypot Frameworks and their Applications:
A New Framework, SpringerBriefs on Cyber Security Systems and Networks,
https://doi.org/10.1007/978-981-10-7739-5_3

Table 3.1 Summary of the web server-side honeypots

S/No | Ref No | Author | Year | Framework | Type of honeypot | Purpose of honeypot | Form of honeypot | Flexibility | Detection
3.1.1 | [1] | John P. John | 2011 | Heat-seeking honeypot | Low | Production | Physical | High | Filter
3.1.2 | [2] | Adam Schoeman | 2013 | Amber-Zero interaction honeypot | High | Production | Physical | NA | IP filter
3.1.3 | [3] | Supeno Djanali | 2014 | Aggressive web honeypot | Low | Research | Physical | NA | NA

Table 3.2 Number of attacks initiated in 2011 by country [5]

Remote file inclusion: Country | Attacks | SQL injection: Country | Attacks | Directory traversal: Country | Attacks
USA | 20918 | USA | 91606 | USA | 189474
United Kingdom | 1897 | China | 47800 | Sweden | 13535
Netherlands | 1879 | Sweden | 8789 | France | 9417
France | 1253 | Indonesia | 3604 | Netherlands | 8320
Republic of Korea | 1070 | United Kingdom | 3419 | Germany | 7656
Germany | 1030 | Netherlands | 2793 | United Kingdom | 6692
Sweden | 1012 | Ukraine | 2489 | European Union | 4159
Brazil | 506 | Republic of Korea | 2374 | Canada | 3492
Russian Federation | 490 | Romania | 2136 | Republic of Korea | 2838
European Union | 460 | Germany | 1263 | China | 2507

This great flexibility exposes various system vulnerabilities and loopholes. The
server becomes vulnerable to attacks such as cross-site scripting (XSS), remote file inclusion (RFI), SQL injection and directory traversal (DT).
Even though patches and new versions of the frameworks have been released to fix the
vulnerabilities, the black-hat community is still able to find and exploit new vulnerabilities
in the server. Honeypot developers have put a tremendous amount of effort into detecting
and studying such attacks in order to derive new solutions to the problem. Honeypots such
as honeyd and the high interaction honeypot analysis toolkit (HIHAT) were introduced in
the early twenty-first century to capture and monitor these attacks.
Table 3.2 shows the number of attacks initiated by country, in descending order. The
figures are alarming and require immediate attention.
John P. John in his article has proposed a heat-seeking passive web-based honeypot
to capture attackers who target compromised web servers with the common
server attacks. The proposed framework emulates the most popular vulnerabilities and
constructs the pages most likely to be attacked by the attacker [1].
The web server-based honeypot is comprised of four components. First, it has a
module that identifies the web pages that are targeted by attackers and automatically
generates the web pages. Second, the web pages are query based and there is no
software involved. Third, the link is advertised on the search page and all interaction
between server and attacker is logged. Lastly, a filter is used to separate the attacker
traffic from the legitimate user traffic.
This honeypot is easy to implement as it takes advantage of the low-interaction
honeypot. There are examples that emulate the vulnerability of the software and
interact with the attacker. The low-interaction honeypot implemented gives great
flexibility to add new high-interaction honeypots to provide a more realistic environment
for the attacker.
The web server honeypot is not only able to provide a decoy environment for the
attacker; it also helps to consolidate useful information for the filter and firewall to provide
more efficient detection of malicious traffic.
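As an added illustration, which is not code from the heat-seeking honeypot paper or from this book, the following Python script shows the filter component from the paragraphs above in working form: it parses a constructed access log, classifies each request into the three attack classes counted in Table 3.2 (RFI, SQL injection and directory traversal) using simple heuristics that are an assumption of this example, and separates attacker traffic from legitimate traffic.

```python
import re
from collections import Counter
from typing import Optional
from urllib.parse import unquote

# Constructed web-server access log (Common Log Format). These lines are made up
# for the example; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2011:13:55:36 +0000] "GET /index.php?page=http://198.51.100.9/x.txt HTTP/1.1" 200 512
198.51.100.23 - - [10/Oct/2011:13:56:01 +0000] "GET /products.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048
192.0.2.44 - - [10/Oct/2011:13:57:12 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 404 120
192.0.2.10 - - [10/Oct/2011:13:58:40 +0000] "GET /about.html HTTP/1.1" 200 3102
203.0.113.7 - - [10/Oct/2011:13:59:02 +0000] "GET /index.php?page=ftp://198.51.100.9/s.php HTTP/1.1" 200 512
192.0.2.10 - - [10/Oct/2011:14:00:15 +0000] "POST /contact.php HTTP/1.1" 200 88
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Detection heuristics for the three attack classes counted in Table 3.2.
# They are deliberately simple and are an assumption of this example, not the
# filter used by the heat-seeking honeypot itself.
RFI_RE = re.compile(r'[?&][^=&]+=(?:https?|ftp)://', re.I)
DT_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')
SQLI_RE = re.compile(
    r"(?:'\s*(?:or|and)\s+[^=]*=|union\s+(?:all\s+)?select|--\s*$|;\s*drop\s)", re.I
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not fit the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(target: str) -> Optional[str]:
    """Return the attack class of a request target, or None for apparently legitimate traffic."""
    decoded = unquote(target)  # payloads are usually percent-encoded; decode once before matching
    if RFI_RE.search(decoded):
        return "rfi"
    if DT_RE.search(decoded):
        return "directory_traversal"
    if SQLI_RE.search(decoded):
        return "sql_injection"
    return None


def split_traffic(log_text: str):
    """Separate attacker requests from legitimate ones.

    Returns (attacks, legitimate): attacks is a list of (ip, attack_class, target),
    legitimate is a list of (ip, target).
    """
    attacks, legitimate = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than guess
        kind = classify_request(rec["target"])
        if kind:
            attacks.append((rec["ip"], kind, rec["target"]))
        else:
            legitimate.append((rec["ip"], rec["target"]))
    return attacks, legitimate


def attack_summary(log_text: str):
    """Count attacks per class and collect the distinct attacking source addresses."""
    attacks, _ = split_traffic(log_text)
    return Counter(kind for _, kind, _ in attacks), {ip for ip, _, _ in attacks}


if __name__ == "__main__":
    counts, ips = attack_summary(SAMPLE_LOG)
    print(dict(counts), sorted(ips))
```

The attacker set returned by `attack_summary` is what the honeypot would hand to the firewall; the legitimate list is kept so that a false positive (a genuine user whose query happened to match) can be reviewed rather than silently blocked.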
Researchers such as Adam Schoeman propose a zero-interaction honeypot web
server to create a blacklist of source IP addresses. This honeypot combines the best
of two concepts, namely decision through detection (DtD) and decision through
presence, which are adopted by the traditional security system and the honeypot for its
discovery phase and action phase respectively [2]. The honeypot is assigned to an unused IP
address within the web server domain.
In the discovery phase, the honeypot spawns a set of common TCP/IP ports on the
listener interface and records the source IP addresses. The record is then compared
with the packets collected using a packet sniffing application such as tcpdump. The
upstream network enforcer labels the packet as malicious by checking whether the source
IP address attempted to connect to other hosts within the same domain. This web
server based honeypot allows itself to be attracted and attacked through DDoS, as it
is non-productive in nature.
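The discovery and action phases described above, as an added example that is not the framework’s own code: the honeypot’s unused address, the domain range and the two record sets (listener hits and tcpdump-style flow records) are all constructed assumptions. A source that reached the honeypot and also probed other hosts in the domain goes on the blacklist; how sources inside the domain are treated is a further assumption of this example, not something the page states.

```python
import ipaddress
from typing import Dict, Iterable, Set, Tuple

# Assumptions of this example (not values from the framework in [2]): the web-server
# domain is 192.0.2.0/24 and the honeypot listens on the otherwise unused 192.0.2.250.
DOMAIN = ipaddress.ip_network("192.0.2.0/24")
HONEYPOT_IP = ipaddress.ip_address("192.0.2.250")

# Constructed records from the honeypot listener: (source address, destination port)
# for every connection the listener accepted. The sources are documentation addresses.
HONEYPOT_HITS = [
    ("198.51.100.23", 22),
    ("198.51.100.23", 80),
    ("203.0.113.7", 3306),
    ("192.0.2.15", 80),
]

# Constructed tcpdump-style flow records: (source, destination, destination port).
SNIFFED_FLOWS = [
    ("198.51.100.23", "192.0.2.10", 22),
    ("198.51.100.23", "192.0.2.11", 22),
    ("198.51.100.23", "192.0.2.250", 22),
    ("203.0.113.7", "192.0.2.250", 3306),
    ("192.0.2.15", "192.0.2.250", 80),
    ("192.0.2.15", "192.0.2.10", 80),
    ("203.0.113.99", "192.0.2.10", 80),
]


def discovery_phase(hits: Iterable[Tuple[str, int]]) -> Set[str]:
    """Decision through presence: every source that touched the unused address is a candidate."""
    return {src for src, _ in hits}


def other_hosts_contacted(src: str, flows: Iterable[Tuple[str, str, int]]) -> Set[str]:
    """Destinations inside the domain, other than the honeypot, that `src` tried to reach."""
    hosts = set()
    for s, dst, _ in flows:
        if s != src:
            continue
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip in DOMAIN and dst_ip != HONEYPOT_IP:
            hosts.add(dst)
    return hosts


def action_phase(hits, flows) -> Dict[str, Set[str]]:
    """Decision through detection: cross-check the candidates against the sniffed traffic.

    Returns three buckets:
      blacklist      - external sources that hit the honeypot and probed other hosts in the domain
      honeypot_only  - external sources seen only at the honeypot (kept for review, not blocked)
      internal       - sources inside the domain; an assumption of this example is that these are
                       reported rather than blacklisted, since blocking them could cut off
                       legitimate infrastructure
    """
    result = {"blacklist": set(), "honeypot_only": set(), "internal": set()}
    for src in discovery_phase(hits):
        if ipaddress.ip_address(src) in DOMAIN:
            result["internal"].add(src)
        elif other_hosts_contacted(src, flows):
            result["blacklist"].add(src)
        else:
            result["honeypot_only"].add(src)
    return result


if __name__ == "__main__":
    for bucket, srcs in action_phase(HONEYPOT_HITS, SNIFFED_FLOWS).items():
        print(bucket, sorted(srcs))
```

Note that a source which only appears in the sniffed flows (203.0.113.99 above) never enters the candidate set: the presence decision comes first, and the detection decision only refines it, which is what keeps the false-positive rate of this scheme low.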
The proposed frameworks in [1, 2] exhibit the popular web vulnerabilities to capture
the common attacks on servers, but they give no reference to which attacks they are capable
or incapable of capturing. In Table 3.2, the XSS attack is omitted due to the
difficulty of determining the origin of the attack source.
Supeno Djanali has proposed a low-interaction web honeypot equipped with
obfuscated JavaScript code to detect cross-site scripting and SQL injection. The
proposed framework is able to complement the limitations of existing honeypots such
as Glastopf, a low-interaction honeypot, and HIHAT, a high-interaction honeypot [3].
The web honeypot, which consists of three different web pages, is implemented using the
likejacking technique and hard-coded scripts of the commonly used SQL injection
attacks.
The web honeypot’s main page portrays an institutional web site to lure the attacker into
performing XSS or SQL injection to compromise the web site. The obfuscated JavaScript
analyzes and redirects the request to the appropriate page (the XSS page or the SQL injection
page) according to the nature of the request. The requested page emulates the
anticipated vulnerability and responds to the attacker. It also records information
about the attacker such as identity, browser, agent information and operating system
fingerprint.
Summary for web server-based honeypots: Table 3.3 shows the number of attacker
IP addresses detected visiting each honeypot. This result excludes repeated IP
occurrences. The variation in the figures is affected by several factors, such as:
1. The purpose of the honeypot
2. The location of the honeypot

Table 3.3 IP address capture (no repeats)

S/No | Framework | IP address detection
3.1.1 | Heat-seeking honeypot | 6438
3.1.2 | Amber-Zero interaction honeypot | 529
3.1.3 | Aggressive web honeypot | 610

Table 3.4 Average visits for each honeypot

S/No | Framework | Total visits | Average visits
3.1.1 | Heat-seeking honeypot | 44696 | 7.5
3.1.2 | Amber-Zero interaction honeypot | 4132 | 6.98
3.1.3 | Aggressive web honeypot | 36000 | 59

It is obvious that the total number of visits captured is not equivalent to the number
of IP addresses, and the averages shown in Table 3.4 reveal this fact. Table 3.4
shows signs of multiple visits to the honeypot from each IP address captured in Table 3.3.

3.2 Web Client-Based Honeypot

A client honeypot is a honeypot that actively searches for malicious or compromised
servers which attack clients. It acts like a normal computer or application and interacts
with the server to examine whether an attack has occurred. The main objective of the
client honeypot is to capture and identify malicious servers by actively visiting
them (Table 3.5).
Basically, there are two types of attacks, namely server-side attacks (which have been
described in detail) and client-side attacks. Contrary to server-side attacks, client-side
attacks focus on the vulnerabilities of client applications such as
web browsers, email and office software.
In recent years, attacks on client-side vulnerabilities have been increasing, and there is
a need for new tools and techniques to defend against such attacks. Tools such as IDS, firewalls
and anti-virus software rely on the pre-defined signatures available within the
application database to detect attacks and protect the network from known attacks.
These security tools do have drawbacks, such as the inability to detect zero-day
attacks for which there is no signature in the database.
Honeypots play a big role in tightening the network against these kinds of attack. It is
worth mentioning that a client honeypot does not provide direct security or protection
to the client host or network. It gives us useful information so that we can take further

Table 3.5 Summary of web client-side honeypots

S/No | Ref No | Author | Year | Framework | Interaction of honeypot | Purpose for honeypot | Form of honeypot | Detection method
3.2.1 | [6] | Mitsuaki | 2012 | Multi-OS and Multi-process honeypot | High-interactive | Production | Virtual | Hooked API function on file operation, file finding, registry operation, process creation, process termination and code injection
3.2.2 | [7] | Rohit Shukla | 2014 | Python honeymonkey | High-interactive | Production | Virtual | Signature-based IDS
3.2.3 | [8] | Tung-Ming Koo | 2013 | Four modules client-side honeypot | High-interactive | Production | Physical | Source code analysis module, behavior analysis module

remedial action and also gain a deep understanding of client-side attacks. Generally, a
client honeypot is made up of three components: the queuer, the client and the analysis engine.
The queuer consolidates all malicious web sites and creates a list of servers for the
client to visit. The initial consolidation process plays an important role here: it
is the eye that points the client to the correct malicious web site, and the
honeypot will be deemed useless if it does not perform its task correctly. Rohit
Shukla proposed a malicious Internet web site collection system which is similar to the
honeymonkey introduced by Microsoft [9]. The proposed system is used to collect
and analyze information about malicious web sites. It comprises four virtual
high-interaction client honeypots with various operating systems [7]. The master system
is set up in isolation on a network other than the one connected to the clients. The
master system controls the slave/client systems and also hosts the database log server.
The honeypot consists of a Snort IDS running in the background and a web crawler.
The web crawler, which is the focus, acts as the queuer: it takes in the web parameters,
extracts all the links and URLs, and stores them in the database on the master system. Based
on the information collected, the master system issues commands via a secure shell
process for the honeypot browser to visit the URL links. The IDS in the honeypot
records and stores the data for events and IP addresses which match a signature
in an external database. A list of blacklisted web sites is compiled into a file.
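The queuer role described above, as an added example that is not the Python honeymonkey system’s own code: a link extractor built on the standard-library HTML parser turns one seed page into a deduplicated visit queue for the client honeypots and sets aside any host already on the blacklist file. The seed URL, the page content and the blacklist are constructed for the example.

```python
from html.parser import HTMLParser
from typing import Iterable, List, Tuple
from urllib.parse import urljoin, urlparse

# Constructed seed page (not a real site). The zero-size iframe pointing at a third-party
# host is the kind of element a queuer must not overlook when building the visit list.
SEED_URL = "http://seed.example/news/"
SEED_HTML = """
<html><body>
<a href="article1.html">Article</a>
<a href="/about">About</a>
<a href="http://seed.example/news/article1.html#top">Same article, anchor</a>
<iframe src="http://bad.example/ld.php" width="0" height="0"></iframe>
<script src="//cdn.example/lib.js"></script>
<a href="mailto:editor@seed.example">Mail</a>
<a href="javascript:void(0)">Menu</a>
<img src="logo.png" alt="logo">
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect every URL a browser would fetch or follow, resolved against the page URL."""

    FOLLOW = {"a": "href", "area": "href", "iframe": "src", "frame": "src",
              "script": "src", "img": "src", "embed": "src"}

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.links: List[str] = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.FOLLOW.get(tag)
        if attr_name is None:
            return
        value = dict(attrs).get(attr_name)
        if value:
            self.links.append(urljoin(self.base_url, value.strip()))


def extract_links(base_url: str, html: str) -> List[str]:
    """Return the raw, resolved URLs in document order (duplicates included)."""
    parser = LinkExtractor(base_url)
    parser.feed(html)
    return parser.links


def build_queue(base_url: str, html: str,
                blacklist: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Turn a page into a visit queue for the client honeypots.

    Keeps only http(s) URLs, drops fragments, removes duplicates while preserving
    order, and sets aside URLs whose host is already in the blacklist file so the
    clients do not re-visit known-bad servers. Returns (queue, already_blacklisted).
    """
    blocked_hosts = set(blacklist)
    queue, skipped, seen = [], [], set()
    for link in extract_links(base_url, html):
        parts = urlparse(link)
        if parts.scheme not in ("http", "https"):
            continue  # mailto:, javascript:, data: and the like are not servers to visit
        clean = parts._replace(fragment="").geturl()
        if clean in seen:
            continue
        seen.add(clean)
        if parts.hostname in blocked_hosts:
            skipped.append(clean)
        else:
            queue.append(clean)
    return queue, skipped


if __name__ == "__main__":
    visit, known_bad = build_queue(SEED_URL, SEED_HTML, blacklist=["bad.example"])
    print("queue:", visit)
    print("already blacklisted:", known_bad)
```

Scripts, iframes and images are queued alongside anchors because the browser in the client honeypot will load them without a click; a queuer that only follows `<a>` tags would miss exactly the resources a drive-by page relies on.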
The client visits the web site and contains the attack. The client is the actual
honeypot that collects important information about the attacker. It is required to collect
as much information as possible about the attack, because any misinformation affects the
level of accuracy in the next component. Mitsuaki has proposed a client honeypot
system that uses multi-operating-system and multi-process honeypot multiplication
approaches with the web browser to provide high scalability and performance
efficiency. The purpose of this proposed honeypot architecture is to detect drive-by

downloads from malicious web sites. Multiple honeypot instances are created in a
single physical machine or virtual machine [6]. The increasing number of honeypot instances
requires many OS instances in a physical machine or virtual machine to improve the
inspection performance. According to the article, two processes are proposed,
namely multi-OS and multiple processes, which make the high-interaction honeypot
system scalable and efficient.
The multiple-operating-system process is made up of three components. They
are the honeypot-agent, which is a parent program of the web browser on the honeypot
instance; the honeypot-manager, a controller used to provide instructions to the agent via
agent processes; and the virtual machine monitor, which is used for each honeypot operation
and also provides virtual space for each OS. Thus, multiple OSes can run
on a single physical system. The multiple-process concept in the web-based honeypot
allows the OS to launch other browser processes when the current browser is idle.
This reduces the OS overhead and improves the inspection efficiency. A process isolation
mechanism such as a process sandbox implemented in the process multiplication
solves the issue of not being able to determine the cause of exploitation in the event that
an anomaly occurs.
The analysis engine analyses and determines whether an attack has occurred on
the client honeypot. For better detection of the latest client-side malware, the researchers
in [8] focused on creating a better analysis engine for the client honeypot. Tung-Ming
Koo proposed to use a client honeypot with custom static and dynamic analysis engines
to detect malicious web sites that stealthily download malware into the client via the drive-by method [8].
The system consists of four modules: the proxy module, the source
code analysis module, the behavior recording module and the behavior analysis module. The
proxy module records the address, saves the web page and sends it to the source code
analysis module. It then waits for the result before deciding whether to allow the web
page to be sent to the client.
The other three components make up the analysis engine. The source code analysis
module relies on static content analysis to test the web page under two assumptions.
The first is the presence of obfuscated code in the web page script, an application attack or a leakage
attack that redirects the user to malicious image files, and the second is the presence of abnormal
semantics in the source code. If, after testing under the above assumptions,
the web page still cannot be deemed safe, it is passed to the next module, the behavior
recording module. This module operates on CaptureBAT, a client honeypot.
In this module, the web page is executed in a simulated Windows environment to
capture events such as changes made to the registry, I/O, and the creation
and destruction of processes. The captured information is passed to the last module
for analysis. The last module analyzes each event and identifies the severity level of the
damage. The level of damage is determined by analyzing three major events, namely I/O
events, registry events and process events. The web page is considered malicious
if the signature of any of the events responds negatively. Thus, the user is prevented
from opening the web page.
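Both the Capture-HPC client described in Sect. 2.1 (changes to the file system, registry and processes reported back to the server) and the behavior recording and analysis modules above come down to the same two steps: diff the state before and after the visit, then grade the resulting events. The following Python is an added example of those two steps, not code from either project; the snapshots, the exclusion list for benign churn and the severity rules are all assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Snapshot:
    """State of the three areas a client honeypot watches; all values here are constructed."""
    files: FrozenSet[str]
    registry: FrozenSet[Tuple[str, str]]   # (key, value name)
    processes: FrozenSet[Tuple[int, str]]  # (pid, image path)


@dataclass(frozen=True)
class Event:
    area: str    # "io", "registry" or "process"
    action: str  # "created", "deleted" or "terminated"
    item: str


# Benign churn to ignore (assumption: the browser cache and the honeypot's own agent).
EXCLUDED_PREFIXES = ("c:\\users\\honey\\appdata\\local\\temp\\browser-cache\\",)
EXCLUDED_IMAGES = ("c:\\honeypot\\agent.exe",)

# Severity rules (assumption of this example): autorun keys, dropped executables and
# processes started from user-writable locations are what the grading keys on.
AUTORUN_KEYS = ("hkcu\\software\\microsoft\\windows\\currentversion\\run",
                "hklm\\software\\microsoft\\windows\\currentversion\\run")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".sys")


def diff_snapshots(before: Snapshot, after: Snapshot) -> List[Event]:
    """Report what changed between the snapshots, minus the excluded benign churn."""
    events: List[Event] = []
    for path in sorted(after.files - before.files):
        if not path.lower().startswith(EXCLUDED_PREFIXES):
            events.append(Event("io", "created", path))
    for path in sorted(before.files - after.files):
        events.append(Event("io", "deleted", path))
    for key, name in sorted(after.registry - before.registry):
        events.append(Event("registry", "created", f"{key}\\{name}"))
    for pid, image in sorted(after.processes - before.processes):
        if image.lower() not in EXCLUDED_IMAGES:
            events.append(Event("process", "created", f"{image} (pid {pid})"))
    for pid, image in sorted(before.processes - after.processes):
        events.append(Event("process", "terminated", f"{image} (pid {pid})"))
    return events


def severity(event: Event) -> int:
    """0 = informational, 1 = suspicious, 2 = hostile."""
    item = event.item.lower()
    if event.area == "registry":
        return 2 if item.startswith(AUTORUN_KEYS) else 1
    if event.area == "io" and event.action == "created":
        if item.endswith(EXECUTABLE_EXT):
            return 2
        return 1 if item.startswith(USER_WRITABLE) else 0
    if event.area == "process" and event.action == "created":
        return 2 if item.startswith(USER_WRITABLE) else 1
    return 0


def analyse(before: Snapshot, after: Snapshot) -> Dict:
    """Grade the visit: a single hostile event is enough for a malicious verdict."""
    events = diff_snapshots(before, after)
    scores = [severity(e) for e in events]
    worst = max(scores, default=0)
    verdict = {0: "benign", 1: "suspicious", 2: "malicious"}[worst]
    return {"events": events, "score": sum(scores), "worst": worst, "verdict": verdict}


# Constructed snapshots: BEFORE is the clean VM, AFTER_MALICIOUS is what a drive-by
# download typically leaves behind, AFTER_BENIGN is an ordinary page view.
BEFORE = Snapshot(
    files=frozenset({"C:\\Windows\\System32\\kernel32.dll", "C:\\Users\\honey\\Documents\\notes.txt"}),
    registry=frozenset({("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "OneDrive")}),
    processes=frozenset({(4, "C:\\Windows\\System32\\services.exe"),
                         (1200, "C:\\Program Files\\Browser\\browser.exe"),
                         (900, "C:\\honeypot\\agent.exe")}),
)
AFTER_MALICIOUS = Snapshot(
    files=BEFORE.files | {"C:\\Users\\honey\\AppData\\Local\\Temp\\browser-cache\\img0001.png",
                          "C:\\Users\\honey\\AppData\\Local\\Temp\\upd.exe"},
    registry=BEFORE.registry | {("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "upd")},
    processes=BEFORE.processes | {(1544, "C:\\Users\\honey\\AppData\\Local\\Temp\\upd.exe")},
)
AFTER_BENIGN = Snapshot(
    files=BEFORE.files | {"C:\\Users\\honey\\AppData\\Local\\Temp\\browser-cache\\img0002.png"},
    registry=BEFORE.registry,
    processes=BEFORE.processes,
)

if __name__ == "__main__":
    for name, after in (("malicious page", AFTER_MALICIOUS), ("benign page", AFTER_BENIGN)):
        result = analyse(BEFORE, after)
        print(name, result["verdict"], [e.item for e in result["events"]])
```

The exclusion list is the part that needs the most care in practice: too short and every page view looks suspicious because of cache writes; too long and it hides the very change the honeypot was built to catch.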
Different measuring methods have been used to determine the level of effectiveness
of the different proposed honeypot frameworks. As each author uses a dataset that
favors his/her architecture, the result of each framework is extracted and formulated in
Table 3.6. The ability to detect malicious web sites is selected as the measure
used to determine the efficiency of the framework.

Table 3.6 Result of IP capture using client-based honeypots, in percentage

S/No | Framework | Malicious detection: Success (%) | Malicious detection: Fail | Benign detection: Success | Benign detection: Fail
3.2.1 | Multi-OS and Multi-process honeypot | 100 | 0 | 100% | 0
3.2.2 | Python honeymonkey | 100 | 0 | 0 | 0
3.2.3 | Four modules Client-side honeypot | 100 | 0 | 100% | 0
Summary for web client honeypots: Although each framework, using its own
dataset, shows an above-average result, this result does not give a full picture to
justify the effectiveness of the honeypot. This is due to the difference in the size of the
datasets used. For example, framework two uses only a web page with a hundred links, of which
twenty-seven are deemed to be malicious. If the datasets used in
the other two frameworks were applied to the former framework, the outcome might
render no more than 85% effectiveness.
In Table 3.6, the framework in [6] uses hooked APIs to monitor the changes taking
place in the honeypot, so whether the attack is known or unknown is no longer relevant,
as every attack is detected and monitored once a modification occurs. The framework
in [7] is limited to detecting known attacks, which make up a major portion of the
attacks. It does not have the ability to detect unknown attacks. The framework in [8]
uses the static detection method to detect known attacks and the dynamic detection
method to detect unknown attacks. It basically provides detection for all attacks.
The frameworks in [6, 8] are equally effective when detecting unknown attacks.
The only issue is that both frameworks rely on the ability to detect anomaly signals
in the traffic, which requires a time-consuming learning process.

3.3 Worm Detection Honeypot

Worm attacks have been and will always be one of the top concerns of system administrators
and security software developers. Over the years, worms have done some of the most
devastating damage, causing economic losses of billions of dollars. The worm
detection honeypot helps researchers to study worms and also to derive better
solutions against new strains of worm.
The term “worm” has gained its notorious reputation over the past decade for the
ability to self-replicate and spread without aid from any form of application. The worm
first appeared in a 1975 novel called The Shockwave Rider, in which the protagonist
designs and sets off a worm in an act of revenge against the powerful man who owns
an electronic information web site. The initial intention and use of worms were for
good causes, such as the network worm created by John Shoch at Xerox PARC in 1982
to monitor the performance of the Ethernet principle in the network.

Table 3.7 Summary of polymorphic worm detection honeypots

S/No | Ref No | Author | Year | Framework | Multiple honeypot concept | Type of honeypot | Form of honeypot | Detector | Signature generating
3.3.1 | [10] | Upendra Kumar | 2012 | Double sticky honeynet | Yes | High | Physical | Gate translator | Position-aware distribution signature algorithm
3.3.2 | [11] | Sounak Paul | 2014 | Honeypot based on fast signature generation system | Yes | Low | Physical | Signature-based detection and anomaly-based detection | Probability calculation of the multiple invariant strings present in a polymorphic worm
3.3.3 | [12] | Mohssen | 2014 | Zero-day polymorphic worms honeypot | Yes | High | Physical | Gate translator | Aho-Corasick string matching algorithm
3.3.4 | [13] | AlFraih Abdul | 2014 | Worm isolation honeypot | Yes | High | Virtual | Anomaly-based detection | Auto signature generation
3.3.5 | [14] | Pragya Jainc | 2012 | Three layer honeypot | Yes | High and Low | Physical | Signature-based detection and anomaly-based detection | Netbeans 7.0
Unfortunately, most of the later development of worm move to join the dark side
such as the first worm by Robert Morris which infected a tenth of the computer online
and the latest worm such as NGRBot worm which help bot master to build up the
botnet using the IRC channel. Worm can be used to convey message from the social
hatred to the CEO of mega software company such as message to Bill Gate, CEO
of Microsoft Enterprise, embedded in the string of Blaster worm serve as a wake up
call.
The use of worms has given security researchers a hard time looking for alternative ways to detect and study them. Current security systems such as anti-virus software and firewalls provide good protection to keep worms away, but they do not provide a ‘space’ for the worm to mingle with the system so that researchers can do more studies to understand it. Honeypots answer this call. Multiple honeypots [11–15], which can also be referred to as a honeynet, provide a playground for the worm to mingle with several hosts. All activities occurring in the honeypot and within its network are logged.
Upendra Kumar in his articles has proposed a framework with a multiple honeypot concept to capture polymorphic worms [10]. The framework consists of three honeypots, a gate translator and a router. The gate translator separates and redirects infectious packets to the inbound honeypot. This honeypot, with its signature-based intrusion detection algorithm, detects old viruses and their packets. The outbound honeypot, with the Position-Aware Distribution Signature algorithm, verifies, records and analyses newly evolved worm viruses. Lastly, the worm is transferred to the sticky honeypot. The activities of the worm virus halt once it is redirected into the unused IP address system, which is equipped with updated anti-virus software.
Upendra Kumar later introduced a framework similar to the first concept in his second article; the major difference is that it uses two honeynets to capture the worm [15]. Both concepts provide room for the worm virus to manoeuvre and evolve within the specified space. The second concept has the ability to generate more signatures of the polymorphic worm by allowing the worm to roam within the honeynet.
Sounak Paul proposes the use of multiple low-interaction honeypots to capture polymorphic worms. The proposed framework is less complex to set up than [15]. It adopts a fast signature generation scheme based on a probabilistic approach, chosen for its ability to generate an accurate polymorphic worm signature even when noise exists [11].
The framework makes room for the worm to roam between two sets of low-interaction honeypots which emulate different types of commonly used services such as DHCP, FTP, HTTP and POP3. Information about the worm is collected using a multi-layer data capturing system. The first layer is the entry layer, where the firewall logs the packet header once the worm enters the network. In the second layer, between the router and the honeypot sensor, full packets are captured and saved. The last layer is the honeypot itself, which records the activities of the attacker.
A restrictive path method can be applied in the honeypot framework to limit the movement of the worm so that it does not move beyond the boundary. This allows the researcher to steer the worm in the desired direction and is an extra precautionary step that reduces the probability of losing control. Mohssen proposes to capture variants of a polymorphic worm by allowing it to interact with two sets of honeypots in a planned fashion. The major distinctions between [11, 12, 15] are the algorithm used for signature generation and the degree of roaming freedom given to the worm.
In this honeypot structure, the worm is given limited free will to roam within the honeypots [12]. Every movement of the worm is directed by internal translators one and two, which act as the doors to the honeypots. The worm is redirected from honeypot group one to group two by internal translator one, and vice versa. The signature generator adopts a dictionary matching algorithm to match the worm instantly and accurately create a signature for the worm.
Honeypots, in all instances, provide an environment to monitor worm evolution, and they rely on the intrusion detection system and intrusion prevention system to detect and notify the user about the intrusion. One of the great skills of a polymorphic worm is its ability to replicate and create another variant of itself through processes such as obfuscation. A signature-based IDS may not be able to detect all of its variants. An anomaly-based IDS can be used to resolve such a problem.
AlFraih Abdul proposes a system that combines the ideas used in sweetbait [16] and Honeystat [17] to set up a production honeypot against polymorphic worms [13]. The burden of detecting a new breed of worm rests on the network gateway. The gateway adopts an anomaly detection method to detect new, unfamiliar data flows by comparing the data against a whitelist. The traffic is then redirected towards the honeypot group. The honeypot group is made up of several virtual honeystat honeypots which collect memory, disk write and network events [17] and store them in the security management center [16]. The honeypot is also equipped with automated worm signature generation to create new signatures and store them in the security center. The security center pushes each signature to the NIDS and NIPS once it is created.
A single IDS reduces the chance of worm detection. For example, using merely a signature-based IDS can detect known worms but not unknown ones. Both types of IDS can be used together to ensure that known and unknown worms do not slip through the check.
Pragya Jainc proposes the use of a three-layer concept with a honeyfarm to help detect new, unknown worms that are polymorphic, monomorphic or metamorphic in nature [14]. The first layer of defence consists of a signature-based intrusion detection system to detect known dangers through signature comparison. The second layer uses an anomaly-based intrusion detection system to detect unknown worms by detecting abnormal behaviour. The last layer is made up of a group of high- and low-interaction honeypots. The proposed system uses a roaming method to randomly select a honeypot to play the role of control center for security purposes.
The proposed system filters known threats and redirects unknown threats to the honeyfarm so that the activity can be analysed and new signatures created accurately, reducing false positives in the signature-based IDS.
Summary for worm detection honeypot: The initial detection of the polymorphic worm plays a vital role in worm detection honeypots. According to Table 3.7, a signature-based IDS is commonly included either as the main IDS or as part of the IDS system. The framework proposed by [10] configures the edge router to recognize the list of unused ports in the process of data accession. The frameworks proposed by [11, 14] use two different types of IDS to detect the worm attack. Reference [12] uses only a signature-based IDS.
Table 3.7 shows that the frameworks proposed by Upendra [10] and Mohssen [12] are useful for generating variants of a known polymorphic worm. They are limited in capacity to dealing with the known polymorphic worm due to the nature of the IDS used. The focus is to collect as many variants as possible of the known polymorphic worm. The frameworks proposed by [11, 13, 14] use an anomaly-based IDS for detection, which is able to detect unknown as well as known worms. Anomaly-based detection does have a disadvantage: it can result in high false positives if insufficient training is provided for the IDS or the IDS is not tuned to the appropriate level.
In all frameworks, a signature generator is adopted to create the signature for the polymorphic worm. References [10, 13, 14] focus on how the worm is trapped in the honeypot and on collecting as many variants of the worm as possible. References [11, 12] give a considerable amount of detail on their proposed frameworks, the algorithm for extracting the variants and the test results based on the dataset used.
Reference [12] does mention how the worm can be captured and explains how the Aho-Corasick Algorithm can be used to generate signatures for the obfuscated variants. This algorithm uses a string searching method to locate a finite set of strings from the dictionary, matching all patterns at once. Reference [11] treats every string as a token, and a token may be present in a significant number of flows. A signature is a set of tokens with their occurrence numbers in suspicious flows.
To conclude, the proposed architectures in [10–14] adopt a fairly similar idea, using multiple honeypots to capture the signature of the worm. The ability to capture all the variants using the honeypot, or to generate signatures that accurately represent all the variants of the polymorphic worm, is vital. The first, fourth and fifth frameworks use generators that are limited to the variants collected from the honeypot. Comparing the algorithms in [11, 12], there seems to be a gap in the level of algorithmic advancement even though both articles were published very recently. The Aho-Corasick algorithm implemented in the architecture of [12] stands out: it is able to generate signatures even if not all variants of the polymorphic worm are captured.
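The two signature-generation ideas summarised above, token-based signatures built from invariant strings [11] and Aho-Corasick multi-pattern matching [12], can be shown together on constructed data. The following Python is an added example, not code from the book or from either framework: it extracts the substrings shared by a set of captured variant payloads, counts how many suspicious flows each token appears in to build the signature, and matches new flows with an Aho-Corasick automaton. The payloads, the minimum token length and the 75% flow-fraction cutoff are assumptions chosen for illustration.

```python
"""Token-based signature generation for a polymorphic worm, then fast matching
with an Aho-Corasick automaton.

Constructed example, not code from the book or from [11]/[12]. The three
"captured variant" payloads are synthetic byte strings in which only the
exploit's fixed parts (request prefix, marker bytes, protocol trailer) are
assumed to survive polymorphic re-encoding.
"""
from collections import deque

# Constructed payloads that a honeypot might have logged for one worm.
VARIANTS = [
    b"GET /vuln.cgi?id=AAAA\x90\x90\x90\x01\x02\xde\xad\xbe\xef\x10\x11 HTTP/1.0",
    b"GET /vuln.cgi?id=BBBB\x33\x44\xde\xad\xbe\xef\x55\x66\x77 HTTP/1.0",
    b"GET /vuln.cgi?id=CC\x90\x90\xde\xad\xbe\xef\x88 HTTP/1.0",
]
# The suspicious flows also contain one noisy, benign-looking request.
BENIGN_FLOW = b"GET /vuln.cgi?id=42 HTTP/1.0"
SUSPICIOUS_FLOWS = VARIANTS + [BENIGN_FLOW]
NEW_VARIANT = b"GET /vuln.cgi?id=ZZZZZZ\x99\xde\xad\xbe\xef\x00 HTTP/1.0"


def invariant_tokens(variants, min_len=4, min_support=None):
    """Substrings (>= min_len bytes) shared by at least min_support variants,
    reduced to the maximal ones. Default: shared by every captured variant."""
    if min_support is None:
        min_support = len(variants)
    base = variants[0]
    candidates = {base[i:j] for i in range(len(base))
                  for j in range(i + min_len, len(base) + 1)}
    shared = {t for t in candidates
              if sum(t in v for v in variants) >= min_support}
    return sorted(t for t in shared
                  if not any(t != u and t in u for u in shared))


class AhoCorasick:
    """Multi-pattern matcher: one pass over the input finds every dictionary
    string, which keeps per-flow signature checking cheap."""

    def __init__(self, patterns):
        self.goto, self.fail, self.out = [{}], [0], [[]]
        for p in patterns:
            self._add(p)
        self._link_failures()

    def _add(self, pattern):
        s = 0
        for ch in pattern:
            if ch not in self.goto[s]:
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[s][ch] = len(self.goto) - 1
            s = self.goto[s][ch]
        self.out[s].append(pattern)

    def _link_failures(self):
        queue = deque(self.goto[0].values())  # depth-1 states fail to root
        while queue:
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def find(self, text):
        """Return {pattern: [start offsets]} for every hit in text."""
        hits, s = {}, 0
        for i, ch in enumerate(text):
            while s and ch not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(ch, 0)
            for p in self.out[s]:
                hits.setdefault(p, []).append(i - len(p) + 1)
        return hits


def build_signature(flows, tokens, min_flow_fraction=0.75):
    """Signature = tokens with their occurrence counts over the suspicious
    flows, keeping only tokens seen in enough flows to tolerate noise."""
    ac = AhoCorasick(tokens)
    counts = {t: 0 for t in tokens}
    for flow in flows:
        for t in ac.find(flow):
            counts[t] += 1
    needed = min_flow_fraction * len(flows)
    return {t: c for t, c in counts.items() if c >= needed}


def matches_signature(flow, signature):
    """A flow matches when every token of the signature occurs in it."""
    return set(AhoCorasick(list(signature)).find(flow)) == set(signature)


if __name__ == "__main__":
    sig = build_signature(SUSPICIOUS_FLOWS, invariant_tokens(VARIANTS))
    print("signature:", sig)
    print("new variant matches:", matches_signature(NEW_VARIANT, sig))
    print("benign flow matches:", matches_signature(BENIGN_FLOW, sig))
```

Running the script prints the signature and the match result for a new variant and for the benign request; in practice the VARIANTS list would be replaced by the payloads logged by the honeypot, and the flow-fraction cutoff tuned to the noise level of the capture.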

3.4 Bot Detection Honeypot

A bot is also called a zombie host, and a botnet is a network of zombie hosts. A botnet can be used for many malicious acts such as sending phishing mail, launching Distributed Denial of Service (DDoS) attacks and collecting user information. Among all of these, the DDoS attack has the most devastating effect. A DDoS attack can be used to paralyse a set of servers or a single server, affecting their ability to perform normal daily tasks.
Table 3.8 Summary of the DDoS detection honeypot

S/No | Ref No | Author | Year | Framework | Type of honeypot | Form of honeypot | Technique
3.4.1 | [18] | Ion Alberdi | 2007 | Shark | High | Physical | Redirection kit
3.4.2 | [19] | Sherif Khattab | 2006 | Back propagation honeypot | High | Virtual | Server replica and back propagation
3.4.3 | [20] | Rajalakshmi Selvaraj | 2015 | ODAIDS-HPS honeypot | High | Physical | Outlier IDS
3.4.4 | [21] | Swapnali Sundar Sadamate | 2015 | Hybrid honeypot system | Low | Virtual | Threshold-based anomaly IDS

Botnets are very hard to detect with a single border firewall. The implementation of a bot detection honeypot can serve two purposes. It can be used to contain the bot and study its origin, or it can be used to contain the DDoS attack in order to keep the real server safe and free from such attacks (Table 3.8).
The concept of the bot was initially used to serve the community; the benign bot, the eggdrop bot, was used for automating basic tasks on Internet Relay Chat (IRC) [22]. In the late nineties, the first two malicious bots, Sub7 and Pretty Park, which were actually a trojan and a worm, were created to connect to the IRC channel and wait to receive commands from the bot master.
In the early part of the millennium, bot writers adopted different types of botnet such as HTTP botnets and peer-to-peer botnets, which made security researchers work overtime to seek solutions to this issue.
Botnets can be detected by a honeypot with an intrusion detection system. The honeypot allows the bot master to compromise it so that any movements and malicious activities can be monitored and analysed. The IDS adopts either static analysis (signature-based) or behaviour analysis (anomaly-based) [20, 21] to detect the botnet. The static analysis method involves checking the traffic against a list of known malicious traffic, whereas the behaviour analysis method monitors the communication on the network for behaviour exhibited by botnets. The behaviour analysis method allows a high degree of flexibility while adopting various methods and has great potential as an area of research.
Swapnali Sundar Sadamate has proposed a hybrid system to detect DDoS. The hybrid system adopts a client-server architecture. The system consists of a server that stores all information collected by the honeypot, a honeypot to capture the attack information, a web management interface and a threshold-based anomaly IDS.
The IDS is implemented at the gateway of the network to detect malicious traffic. Malicious packets are redirected to the honeypot. The honeypot is installed with sebek to record attacker behaviour, dionaea to collect malware information and snort, in the verification process, to collect and analyse the packets received. The server receives all the data from the honeypot and stores them in a database. The web management interface allows the data to be presented visually.
The proposed system uses the threshold-based anomaly IDS to detect and identify the attack by comparing the incoming traffic with the legitimate traffic records [21]. The resulting difference is examined against a predetermined threshold to determine whether the packet is a DDoS attack or not.
Rajalakshmi Selvaraj implemented an outlier IDS in the honeypot framework to detect DoS packets. The IDS adopts the distance-to-nearest-neighbour method and requires a set of pure normal data to train the system [20]. The system consists of the outlier IDS, an attack classifier and a honeypot.
Each packet is checked and scored by the outlier-based IDS. The IDS also extracts features of the packet such as the percentage of connections having the same destination and the same service, and the percentage of packets with errors. The attack classifier compares the packet's outlier value with a threshold to determine whether the packet is a DoS packet. Malicious packets are redirected to the honeypot, which responds to the packet with the relevant error message to the sender.
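The gateway-side checks described for [20] and [21] can be sketched in code. The following Python is an added example, not code from either framework: it computes the per-source connection features the text names (share of connections to the same destination and the same service, share with errors), scores each source by its distance to the nearest neighbour in a pure-normal training set, and separately compares the current packet count against the legitimate baseline with a fixed threshold. The connection records, the training vectors, the thresholds and the record format are constructed assumptions.

```python
"""Two detectors of the kind the surveyed DDoS honeypot frameworks put at the
gateway: a threshold check of current traffic volume against legitimate
history ([21]-style) and a nearest-neighbour outlier score over per-source
connection features ([20]-style). Sources that trip the outlier check are the
ones the frameworks redirect to the honeypot.

Constructed example, not code from either framework. The record format,
feature definitions, training vectors and thresholds are all assumptions.
"""
import math
from collections import Counter, defaultdict

# Constructed connection records for one window: (src, dst, service, flag).
# flag "SF" is a normally completed connection; "S0"/"REJ" are error states.
WINDOW = (
    [("10.0.0.2", "192.0.2.10", "http", "SF"),
     ("10.0.0.2", "192.0.2.10", "http", "SF"),
     ("10.0.0.2", "192.0.2.20", "dns", "SF"),
     ("10.0.0.2", "192.0.2.30", "smtp", "SF")]
    + [("10.0.0.5", "192.0.2.10", "http", "SF")] * 3
    + [("10.0.0.5", "192.0.2.20", "http", "SF"),
       ("10.0.0.5", "192.0.2.20", "http", "REJ")]
    + [("10.0.0.9", "192.0.2.10", "http", "S0")] * 20   # flood of half-opens
)

# Constructed "pure normal" training vectors (same-destination share,
# same-service share, error share) taken from clean traffic of ordinary hosts.
NORMAL_PROFILE = [(0.5, 0.5, 0.0), (0.4, 0.6, 0.1), (0.7, 1.0, 0.2),
                  (0.6, 0.8, 0.1), (1.0, 1.0, 0.0)]
LEGIT_WINDOW_COUNTS = [120, 135, 128, 140]   # constructed packets per window


def source_features(records):
    """Per-source feature vector: share of connections to the most common
    destination, share to the most common service, share with an error flag."""
    by_src = defaultdict(list)
    for src, dst, svc, flag in records:
        by_src[src].append((dst, svc, flag))
    feats = {}
    for src, conns in by_src.items():
        n = len(conns)
        same_dst = Counter(d for d, _, _ in conns).most_common(1)[0][1] / n
        same_srv = Counter(s for _, s, _ in conns).most_common(1)[0][1] / n
        errors = sum(f != "SF" for _, _, f in conns) / n
        feats[src] = (same_dst, same_srv, errors)
    return feats


def outlier_score(vec, normal):
    """Distance to the nearest neighbour in the pure-normal training set."""
    return min(math.dist(vec, n) for n in normal)


def outlier_sources(records, normal, threshold):
    """Attack classifier: sources whose outlier score exceeds the threshold."""
    return {src for src, v in source_features(records).items()
            if outlier_score(v, normal) > threshold}


def rate_anomaly(current_count, legit_counts, threshold):
    """Threshold check: current volume minus the legitimate baseline."""
    baseline = sum(legit_counts) / len(legit_counts)
    return current_count - baseline > threshold


def triage(records, packet_count, normal, score_threshold,
           legit_counts, rate_threshold):
    """Gateway decision: which sources go to the honeypot, and whether the
    window's packet counter alone already looks like a flood."""
    return {
        "redirect_to_honeypot": outlier_sources(records, normal, score_threshold),
        "window_flood": rate_anomaly(packet_count, legit_counts, rate_threshold),
    }


if __name__ == "__main__":
    for src, v in source_features(WINDOW).items():
        print(src, tuple(round(x, 2) for x in v),
              round(outlier_score(v, NORMAL_PROFILE), 3))
    # 2000 is a constructed packet-counter reading for the same window
    print(triage(WINDOW, 2000, NORMAL_PROFILE, 0.5, LEGIT_WINDOW_COUNTS, 200))
```

The busy-but-legitimate host 10.0.0.5 stays close to a normal training vector and is not flagged, while the half-open flood from 10.0.0.9 sits far from every normal vector; the outlier threshold is what decides where that line falls, which is the tuning cost the text attributes to anomaly-based detection.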
Unlike other security methods, the activity of a honeypot, such as outgoing traffic, is restricted by law in most countries. This makes the honeypot a less favoured method in this area of research. However, this does not prevent [18] from proposing a honeypot framework to detect bots.
Ion Alberdi has proposed a system that first uses passive network monitoring techniques for observing and analysing attacks and the spread of bots via malware. The purpose was to discover the behaviour of the malware which drives the bot [18]. The spreading of the bot is then halted by redirecting the packets to another honeypot within the network using the advanced redirection kit.
The redirection functionality creates an illusion for the attacker that they are able to connect to the internet and that the bots are communicating with each other within the botnet. This also reduces the possibility of the honeypot being exposed.
Honeypots can also be used to prevent the actual server from falling victim to a DDoS attack, especially in commercial environments such as the stock market, where millions of dollars may be lost even if the server is down for only a few minutes.
Sherif Khattab has proposed the use of roaming honeypots with back-propagation ability to prevent non-spoofed service-level DoS attacks [19]. The honeypots are hidden within the pool of server replicas. A set of server replicas is selected to become active for a period of time, while the remaining idle servers act as honeypots. The active server replicas coordinate with legitimate users. This makes it very tedious to identify the real server and thus traps DoS attacks in a honeypot. The proposed framework is based on the assumption that even if the attacker knows all the servers and honeypots at time t, he will still not be able to differentiate the honeypots from the real servers at time t+1 [23]. The honeypot also has the ability to drop all attacks once it changes from the idle to the active state.
The back-propagation function of the honeypot allows the server to initiate a recursive traceback process by alerting the Autonomous Systems along the path towards the bot. The alert triggers an AS-level input debugging process for the traffic destined for the honeypot. The access routers of the attacking hosts or bots are identified, and filtering rules are installed to drop all traffic destined for the honeypot. The back-propagation function also helps the router distinguish attack packets from legitimate packets, so that attack packets are dropped to prevent the network from becoming over-congested.

Table 3.9 Task of the DDoS honeypot

S/No | Framework | Technique | Detect DDoS | Capture DDoS | Protect from DDoS
3.4.1 | Shark | Redirection kit | Yes | Yes | No
3.4.2 | Back propagation honeypot | Server replica and back propagation | Yes | No | Yes
3.4.3 | ODAIDS-HPS honeypot | Outlier IDS | Yes | No | Yes
3.4.4 | Hybrid honeypot system | Threshold-based anomaly IDS | Yes | Yes | Yes
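The roaming behaviour described for [19] can be made concrete with a small simulation. The following Python is an added example, not the framework's code: replicas derive the active set for each epoch from a shared secret (an HMAC-seeded selection, which is an assumption about how clients and replicas could agree), idle replicas act as honeypots and remember who contacted them, and a replica drops those sources once it turns active. The replica count, the epoch count and the attacker model (replaying the previous epoch's active set) are constructed for illustration.

```python
"""Roaming-honeypot schedule in the spirit of [19]: of N server replicas, k
are active in each epoch and the rest answer as honeypots. Legitimate clients
derive the active set from a secret shared with the replicas; an attacker who
learned the active set in epoch t and keeps hitting it in epoch t+1 lands on
a honeypot, and a replica hit while idle drops that source once it is active.

Constructed example, not the framework's code. The keyed schedule (HMAC of
the epoch number seeding a PRNG) is an assumption about how clients and
replicas could agree on the roaming pattern.
"""
import hashlib
import hmac
import random

SECRET = b"constructed-shared-secret"   # assumed known to clients and replicas
N_REPLICAS, K_ACTIVE = 8, 3


def active_set(epoch, secret=SECRET, n=N_REPLICAS, k=K_ACTIVE):
    """Deterministic choice of k active replicas for an epoch that cannot be
    predicted without the secret."""
    seed = hmac.new(secret, str(epoch).encode(), hashlib.sha256).digest()
    return frozenset(random.Random(seed).sample(range(n), k))


class Replica:
    """One server replica: serves when active, acts as a honeypot when idle,
    and remembers who contacted it while idle."""

    def __init__(self, index):
        self.index = index
        self.suspects = set()     # sources seen while this replica was idle
        self.honeypot_log = []    # (epoch, src) captured while idle

    def handle(self, epoch, src):
        if self.index not in active_set(epoch):
            self.suspects.add(src)
            self.honeypot_log.append((epoch, src))
            return "honeypot"          # absorb and record, never serve
        if src in self.suspects:
            return "drop"              # identified earlier while idle
        return "serve"


def legitimate_client(epoch):
    """A client that knows the secret always picks an active replica."""
    return min(active_set(epoch))


def replay_attacker(epoch):
    """An attacker replaying the active set it observed last epoch."""
    return active_set(epoch - 1)


def simulate(epochs=20):
    """Run the schedule; returns per-outcome counts for client and attacker."""
    replicas = [Replica(i) for i in range(N_REPLICAS)]
    outcome = {"client": {}, "attacker": {}}
    for epoch in range(1, epochs + 1):
        r = replicas[legitimate_client(epoch)].handle(epoch, "client")
        outcome["client"][r] = outcome["client"].get(r, 0) + 1
        for target in replay_attacker(epoch):
            r = replicas[target].handle(epoch, "attacker")
            outcome["attacker"][r] = outcome["attacker"].get(r, 0) + 1
    return outcome


if __name__ == "__main__":
    print(simulate())
```

The client, who can compute the schedule, is always served; the replaying attacker is absorbed by honeypots in the epochs where the set moved and, once a replica that saw it while idle becomes active, is dropped rather than served. The simulation does not model the back-propagation traceback, which needs cooperation from the upstream Autonomous Systems.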
Summary for bot detection honeypot: As shown in Table 3.9, most of the proposed frameworks, except [18], focus on detecting DDoS attacks on the server. Reference [18] uses a very primitive approach to detect bots, by detecting and redirecting their outgoing packets. Reference [19] uses a roaming method so that the attacker is not able to distinguish which is the real server while performing a DDoS attack. Lastly, [20, 21] use an anomaly-based IDS to identify the DDoS attack and redirect it to a honeypot.
However, all the proposed methods pose unresolved questions. For [18], a question such as what the probability is that the attacker will fall for the illusion that the bots (honeypots) are communicating with each other, and will not suspect that he/she is communicating with a honeypot, should be carefully considered. For [19], it is just like throwing a die: the attacker has a 50% chance of hitting the real server if he launches a DDoS attack at random. Detection of the DDoS attack occurs only after the event happens. For [20], the nearest neighbour method for the IDS does have downsides such as high resource consumption and long processing time. Reference [21] seems to have an excellent setup for bot detection, under only one condition: that no outgoing traffic restriction is imposed on the honeypot. The intended setup of the honeypot seems redundant if it is only used to contain the DDoS attack. The DDoS attack is one of the final products created by a botnet, and it has little value for research purposes. The initial exploitation is the real juice for research. It provides information such as the method and malware used in the exploitation, and also new vulnerabilities in the existing system.

3.5 Honeytoken

The concept of the honeytoken is as old as security itself. A honeytoken has the same properties as a honeypot except that it is not a computer [24]. A honeytoken is a digital entity perceived to be valuable by the unsuspecting attacker. It can be as simple as an ID with a password, or as complex as a spreadsheet with customer information. Honeytokens do, however, face several difficulties in their creation, especially when generating spreadsheets with fake customer details. Before generating the honeytoken, there are three main questions that should be answered. They are:
1. How should it be constructed?
2. Who is the honeytoken for?
3. What information should be changed or left unchanged?
The knowledge needed to generate the honeytoken is vital, and the honeytoken may have to be generated manually. The whole process is tedious and time consuming.
Maya Bercovitch et al. have solved the process issue by introducing honeygen, automated honeytoken generation software that automatically creates complex honeytokens. The honeytoken generation adopts a constraint satisfaction problem approach to generate a honeytoken [25].
The application has two different modes which can be used to create the honeytoken. The first mode is the obfuscation mode, where real data is used as input. This mode only changes the more sensitive values. The second mode is the generation mode. This mode creates the honeytoken from scratch based on given rules. The rules are a set of attributes predefined by the user. The information in this mode of honeytoken is artificial, and the number of records depends on the user's definition.
The advantage of the honeytoken can be best demonstrated in the areas of anti-phishing and insider threat, which will be discussed next.
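The two honeygen modes described above can be illustrated on a small customer-record schema. The following Python is an added example, not honeygen's code: generation mode builds records from scratch under a rule set and checks them against constraints (postcode must match city, balance within range, id must not collide with a real one), and obfuscation mode keeps the non-sensitive columns of real records and rewrites only the sensitive ones. The schema, the rules, the city/postcode table and the sample records are assumptions, and the generate-and-check loop stands in for a proper constraint solver.

```python
"""Honeytoken record generation in the two modes the text describes:
obfuscation (start from real records and rewrite only the sensitive columns)
and generation (build records from scratch under user-defined rules), with a
constraint check so the fakes stay internally consistent.

Constructed example, not honeygen's code. The schema, rule set, city/postcode
table and the sample "real" records are assumptions; a real constraint solver
would propagate constraints instead of the generate-and-check loop used here.
"""
import random

CITY_POSTCODES = {"Perth": "6000", "Melbourne": "3000", "Sydney": "2000"}  # constructed
FIRST, LAST = ["Ana", "Ben", "Chen", "Dara"], ["Ng", "Okafor", "Silva", "Weber"]
SENSITIVE = ("card_last4", "balance")      # columns rewritten in obfuscation mode

# Generation rules: column -> generator(rng, partial_record). Columns are filled
# in this order so a derived column (postcode) can depend on an earlier one.
RULES = {
    "customer_id": lambda rng, r: "C%06d" % rng.randrange(10**6),
    "name":        lambda rng, r: rng.choice(FIRST) + " " + rng.choice(LAST),
    "city":        lambda rng, r: rng.choice(sorted(CITY_POSTCODES)),
    "postcode":    lambda rng, r: CITY_POSTCODES[r["city"]],
    "card_last4":  lambda rng, r: "%04d" % rng.randrange(10000),
    "balance":     lambda rng, r: round(rng.uniform(50, 25000), 2),
}

# Constructed "real" records used as input to obfuscation mode.
REAL_RECORDS = [
    {"customer_id": "C000101", "name": "Maya L", "city": "Perth",
     "postcode": "6000", "card_last4": "4821", "balance": 1530.20},
    {"customer_id": "C000102", "name": "Tom R", "city": "Sydney",
     "postcode": "2000", "card_last4": "9930", "balance": 240.00},
]


def satisfies(rec, reserved_ids=frozenset()):
    """Constraints a believable record must meet: postcode matches city,
    card digits well-formed, balance in range, id not clashing with real ids."""
    return (rec["postcode"] == CITY_POSTCODES.get(rec["city"])
            and rec["card_last4"].isdigit() and len(rec["card_last4"]) == 4
            and 50 <= rec["balance"] <= 25000
            and rec["customer_id"] not in reserved_ids)


def generate(n, rng, reserved_ids=frozenset()):
    """Generation mode: n fresh records satisfying every constraint."""
    out, used = [], set(reserved_ids)
    while len(out) < n:
        rec = {}
        for col, gen in RULES.items():
            rec[col] = gen(rng, rec)
        if satisfies(rec, used):
            out.append(rec)
            used.add(rec["customer_id"])
    return out


def obfuscate(real_records, rng):
    """Obfuscation mode: keep the non-sensitive columns of each real record
    and replace only the sensitive ones with values that differ from the
    originals."""
    out = []
    for real in real_records:
        fake = dict(real)
        for col in SENSITIVE:
            while fake[col] == real[col]:
                fake[col] = RULES[col](rng, fake)
        out.append(fake)
    return out


def watch_values(honeytokens):
    """Values to alert on if they ever show up in use: the (id, card digits)
    pairs that only a honeytoken record would carry."""
    return {(h["customer_id"], h["card_last4"]) for h in honeytokens}


if __name__ == "__main__":
    rng = random.Random(7)
    real_ids = {r["customer_id"] for r in REAL_RECORDS}
    for rec in generate(3, rng, real_ids) + obfuscate(REAL_RECORDS, rng):
        print(rec)
```

The watch list returned by watch_values is what makes the generated spreadsheet a honeytoken rather than just fake data: only values that appear in no real record can be monitored for use without false positives.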

3.5.1 Anti-phishing Honeypot

Phishing is an attempt to acquire personal credentials, often for malicious reasons, by pretending to be a trustworthy entity such as a local authority or staff from a financial institution via electronic communication. It has been and will be an ongoing issue and concern for security researchers, as more advanced techniques are used to avoid detection by anti-phishing software. Phishing attacks have caused losses of millions of dollars economically.
The most common phishing tactic is to send spam email to as many internet users as possible, hoping that someone will be convinced by the content and act accordingly. The majority of the victims are internet novices who do not have adequate knowledge of such dangers.
Phishing attacks have been around since 1995, but they were not commonly known to people until ten years later. The first recorded mention of a phishing attack took place on America Online (AOL). Hackers posed as AOL employees and requested users to verify their account or billing information via AIM accounts. Such accounts could not be punished by the AOL TOS department, which eventually forced the company to include a warning, the first security measure against phishing, in its email and messenger (Table 3.10).
The technique of the phishing attack has not changed much, but its target shifted from email and communication software to financial institutions and online payment systems in the early years of the second millennium. An email worm program was used to send spoofed PayPal emails which direct customers to a spoofed site to update their credit card details and other sensitive information.
Different types of phishing attack, such as phishing, spear phishing, clone phishing and whaling, have been used to cause economic damage. Some of the attacks are group focused, such as spear phishing, which is directed at a specific organisation, and whaling, which focuses only on higher management personnel in an organisation. Phishing attacks like clone phishing focus on the technique used to create an indistinguishable fake email to lure users into believing its legitimacy.
Large organisations and institutions have set up anti-phishing detection software on their mail servers to detect spam mail. Such techniques are not 100% foolproof, as a small percentage of spam mail manages to get past the check. Staff training does help to prevent phishing as well. This, however, is not enough: phishing techniques such as clone phishing can confuse users who fail to distinguish fake emails.
Honeytokens and honeypots, in this case, can be set up to attract the phisher to steal from them so as to keep the real system secure. Shubhika Chauhan has proposed the use of honeytokens to capture the phisher's activities. Shubhika also mentioned the issue of the accessibility of the fake credentials and of the honeypot versus the real online system [26]. In order to overcome such issues, the proposed framework involves part of the legitimate banking system and the system administrator of the bank. The framework consists of a honeytoken (phoneytoken), a honeypot (honeyed) and a spamtrap.
The spamtrap is used to detect spam and phishing email. The honeytoken generates fake user credentials that are accepted by the real online system. The real system, knowing the honeytoken, redirects the phisher to the honeypot. The honeypot used is not a real honeypot. It is a topped-up online banking system with additional features, over which the bank administrator has a fair share of control. To avoid being detected by the phisher, he is allowed limited access to some banking features such as transferring limited funds and viewing bank statements.
Honeytokens allow the phisher to use the fake credentials to log into the intended system so that researchers can monitor and track him/her down. Honeypots can be used to contain the phishing email to assess its level of damage to the system. Martin Husak has introduced the use of a honeypot as part of the automated detection process for spam and phishing email. The author notes the tedious process of manually processing each email to detect phishing, and also that reports from users do not reliably capture all the phishing email in the network [27].
The proposed framework consists of two parts, namely phishing detection and phishing incident processing. The phishing detection unit is made up of a high-interaction honeypot mail server with a filtering rule suite specified for phishing detection and the spamtrap installed. The email address of the honeypot or honeytoken is made known to the phisher via active and passive propagation. The honeypot accepts all incoming email and does not forward or send messages. The phishing email is then reported to the incident processing unit. The phishing incident processing is taken care of by PhiGARo, which automatically handles the phishing incident when any phishing is reported to the system. The phishing incident process first starts by determining whether the phishing material is a URL or an email. Then it checks the material against its database. Lastly, it interprets the result. The phishing incident processing unit also accepts reports from humans. The process includes blocking the malicious website, updating the phishing filter and informing the victim.

Table 3.10 Summary of phishing honeypot

S/No | Ref No | Author | Year | Interaction of honeypot | Form of honeypot | Purpose of honeypot | Honeytoken propagation | Email server | Phishing detection | Capture activity
3.5.1.1 | [26] | Shubhika Chauhan | 2014 | Low-interactive | Virtual | Research | Passive | None | Spamtrap | Honeypot
3.5.1.2 | [27] | Martin Husak | 2014 | High-interactive | Physical | Production | Active | Honeypot mail server | Spamtrap | None

Table 3.11 Features for phishing honeypot

S/No | Honeytoken propagation | Email server | Phishing detection | Capture activity
3.5.1.1 | Passive | None | Spamtrap | Honeypot
3.5.1.2 | Passive and Active | Honeypot mail server | Spamtrap | None

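The spamtrap and the incident-processing steps described for [27] can be shown as a small pipeline. The following Python is an added example, not PhiGARo's code: mail addressed to a spamtrap mailbox is an incident by definition, and the processor decides whether reported material is a URL or an email, checks the hosts it links to against a local database, and turns the result into the follow-up actions the text lists (block the site, update the filter, inform the victim). The message format, the database contents and the action names are assumptions.

```python
"""Spamtrap plus automated phishing-incident handling in the spirit of the
[27] workflow: a honeytoken mailbox that never sends mail, so everything it
receives is unsolicited, and an incident processor that first decides whether
the reported material is a URL or an email, then checks it against a local
database, then interprets the result into follow-up actions.

Constructed example, not PhiGARo's code. The message format, database
contents and action names are assumptions.
"""
import re
from urllib.parse import urlparse

SPAMTRAP_ADDRESSES = {"decoy-mailbox@example.org"}        # constructed honeytoken addresses
KNOWN_PHISHING_HOSTS = {"login-verify-bank.example.net"}   # constructed local database
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed inbound messages as seen by the honeypot mail server.
MESSAGES = [
    {"from": "it-helpdesk@example.net", "to": "decoy-mailbox@example.org",
     "body": "Your mailbox is full. Re-validate at http://login-verify-bank.example.net/a"},
    {"from": "colleague@example.org", "to": "alice@example.org",
     "body": "Minutes attached, see http://intranet.example.org/minutes"},
    {"from": "payroll@example.info", "to": "bob@example.org",
     "body": "Update your details: http://payroll-update.example.info/login"},
]


def spamtrap_filter(messages):
    """Mail addressed to a spamtrap is an incident by definition; the rest
    goes on to normal delivery."""
    incidents = [m for m in messages if m["to"] in SPAMTRAP_ADDRESSES]
    delivered = [m for m in messages if m["to"] not in SPAMTRAP_ADDRESSES]
    return incidents, delivered


def classify_material(material):
    """Step 1: is the reported material a bare URL or an email?"""
    if isinstance(material, str) and URL_RE.fullmatch(material.strip()):
        return "url"
    return "email"


def process_incident(material, db=KNOWN_PHISHING_HOSTS):
    """Steps 2 and 3: check the linked hosts against the database and turn
    the result into actions. Hosts not yet in the database are returned under
    "new" so the caller can update the phishing filter."""
    kind = classify_material(material)
    text = material if kind == "url" else material["body"]
    hosts = {urlparse(u).hostname for u in URL_RE.findall(text)}
    known, new = hosts & db, hosts - db
    actions = []
    if hosts:
        actions.append("block_site")
    if new:
        actions.append("update_phishing_filter")
    if kind == "email" and material["to"] not in SPAMTRAP_ADDRESSES:
        actions.append("inform_victim")     # a real user received it
    return {"kind": kind, "hosts": sorted(hosts), "known": sorted(known),
            "new": sorted(new), "actions": actions}


if __name__ == "__main__":
    incidents, delivered = spamtrap_filter(MESSAGES)
    for inc in incidents:
        print("spamtrap incident:", process_incident(inc))
    print("user-reported:", process_incident(MESSAGES[2]))
    print("bare URL report:", process_incident("http://login-verify-bank.example.net/a"))
```

The message to alice passes through untouched, which mirrors the setback the summary raises: a phishing email that reaches a real mailbox without being sent to the spamtrap is only caught if a user reports it.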
Summary for phishing detection honeypot: The two authors engage the issue of phishing in different manners. Table 3.11 shows that the framework in [26] focuses on capturing and monitoring the activities of the phisher, while the framework in [27] is more about how to detect and prevent phishing. The honeytoken in the two architectures is used for different purposes. In [26], it is used to propagate fake credentials to the phisher. In [27], it is used to propagate the existence of the mail server honeypot to the phisher so as to receive phishing email. Both architectures have similarities, such as using a spamtrap to detect phishing email. The study of phishing does come with a price, for example when the phisher logs into the bank account and makes a bank transfer. Reference [26] has included this as a disadvantage of the proposed framework and also stresses that the bank should absorb all the expense.
The framework in [26] does have another setback, which is not with the concept introduced but with the willingness issue: the bank may refuse to cooperate with the researcher to share its technology and to bear the cost mentioned earlier.
The framework in [27] also has a setback in regard to the detection of phishing email. It relies on two sources to detect phishing email: the email received in the spamtrap and reports of phishing email from legitimate users. There is no mention of the detection of phishing email at the mail server, where phishing email may slip past the eye of the unsuspecting user.

3.5.2 Insider Detection Honeypot

Insider attack is described as damage to the interests of an organization by a trusted individual with legitimate access to its network and system resources.
Insider attacks can be differentiated into two categories. One is the masquerader, who pretends to be another system user, and the other is the traitor, who has his/her own legitimate system credentials [28]. The motive of an insider attack can also be classified into two different types, namely inadvertent (unintentional) and intentional.
Unlike external intrusions, internal intrusions are most likely done by trusted employees or members of management who know the system well. Their objective is not to destroy the system but to obtain some information of high value, which is not available to the public, for personal gain [29]. This act can be more devastating than damage done from the outside.
Current insider detection systems can only detect the threat post-incident, and by then it is too late, as the damage has taken place. The honeypot adopts a pre-incident approach which can be used to attract the insider attack. This helps to ensure the safeguarding of the real system. One of the benefits of the honeypot is that it helps improve the management function of an organization's system by revealing its problems through compromise. Li Hong-Xia has proposed a management honeypot which is used to collect, detect and record attacks on the management system. The management honeypot borrows the idea of the network honeypot to reduce deficiencies and patch loopholes in the management system.
The honeypot uses the game theory of management, relevant mathematical models and other management technologies [31]. The author defines the desire for power and the distribution of benefits as the honey, and the management system with loopholes as a container filled with honey. As long as there are people trying to pass through the loophole for the honey, the game exists. The management honeypot serves as an early warning and is effective in capturing intruders internally.
Most researchers [24, 28, 32] propose the use of honeytokens with honeypots to trap the insider by placing the token in an easily accessible location in the system. This can be within a document folder, in an email application or within a honeypot.
Lance Spitzner presumes that the insider possesses the knowledge to obtain a very specific piece of information. He proposed the combined use of honeytokens and honeypots to detect insider attacks. Three different honeytoken setups are proposed that trigger an alarm once an insider is detected [24]. First, the honeytoken is triggered when the insider acts inappropriately; the honeytoken in this example contains a user ID, a password and the location of the fake server. Second, honeytokens can be concealed in the file and email environment so as to be perceived as information of high value that attracts the insider. Lastly, the honeytoken can also be implemented as part of the organization's search engine. It is triggered when the insider performs an unauthorized search or inputs highly sensitive keywords into the search engine.
The purpose of the honeytoken is to provide a user ID and password that allow the insider to gain access to the server (honeypot) to retrieve a particular piece of information believed to be of high value for personal gain.
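Spitzner's three honeytoken placements above share one detection rule: no legitimate workflow ever touches the token, so any touch is an alert. The following Python is an added example, not [24]'s code: it parses constructed audit-log lines and raises an alert when a decoy account authenticates, a decoy document is opened, or a sensitive keyword is entered into the internal search engine. The log format, the account and document names and the keyword list are assumptions.

```python
"""Insider-detection monitor for the three honeytoken placements the text
lists: a decoy credential (only the honeypot server accepts it), a decoy
document in a shared folder, and sensitive keywords in the internal search
engine. Any touch of a token is an alert, because no legitimate workflow uses
them.

Constructed example, not [24]'s code. The log format, token names and paths
are assumptions; the log lines below are constructed.
"""
import re

DECOY_ACCOUNTS = {"svc_backup_admin"}                          # credential honeytoken
DECOY_DOCUMENTS = {"/shares/hr/executive_salaries_2024.xlsx"}  # document honeytoken
SENSITIVE_KEYWORDS = {"merger", "salaries", "layoff"}           # search-engine trigger

# Constructed audit-log lines: ISO timestamp, then key=value fields;
# values containing spaces are double-quoted.
LOG_LINES = [
    '2024-05-02T09:12:01 type=auth user=alice src=10.1.1.5 result=ok',
    '2024-05-02T09:13:44 type=auth user=svc_backup_admin src=10.1.1.77 result=ok',
    '2024-05-02T09:15:10 type=file user=bob path=/shares/finance/Q3_forecast.xlsx action=open',
    '2024-05-02T09:15:30 type=file user=bob path=/shares/hr/executive_salaries_2024.xlsx action=open',
    '2024-05-02T09:20:02 type=search user=carol query="printer setup"',
    '2024-05-02T09:21:40 type=search user=carol query="merger timeline confidential"',
]
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Split a log line into its timestamp and a dict of fields."""
    ts, _, rest = line.partition(" ")
    fields = {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
              for m in FIELD_RE.finditer(rest)}
    fields["ts"] = ts
    return fields


def check_event(ev):
    """Return the honeytoken trigger an event tripped, or None."""
    if ev.get("type") == "auth" and ev.get("user") in DECOY_ACCOUNTS:
        return ("credential", ev["user"])
    if ev.get("type") == "file" and ev.get("path") in DECOY_DOCUMENTS:
        return ("document", ev["path"])
    if ev.get("type") == "search":
        hit = SENSITIVE_KEYWORDS & set(ev.get("query", "").lower().split())
        if hit:
            return ("search", ",".join(sorted(hit)))
    return None


def scan(lines):
    """Alerts for every line that touched a honeytoken, as
    (ts, actor, trigger, detail). For a decoy credential the actor is the
    source address, since the account name itself is the token."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        hit = check_event(ev)
        if hit:
            actor = ev.get("src") if hit[0] == "credential" else ev.get("user")
            alerts.append((ev["ts"], actor, hit[0], hit[1]))
    return alerts


def by_actor(alerts):
    """Group triggers per actor for the incident handler."""
    out = {}
    for _, actor, trigger, _ in alerts:
        out.setdefault(actor, []).append(trigger)
    return out


if __name__ == "__main__":
    found = scan(LOG_LINES)
    for alert in found:
        print(alert)
    print(by_actor(found))
```

Because the decoy account, the decoy path and the keyword set are all exact-match lookups, the monitor produces no alert for ordinary activity on the same hosts (alice's login, bob's finance file, carol's printer search); that precision is what makes honeytoken alerts worth escalating immediately.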
Honeytoken can come in a more complex form such as document. A fake doc-
ument can be used to attract insider. Unlike the above mentioned, this document
contains hundreds of fake customer detail which is very tedious and time consuming
to create. Honeytoken generator has been introduced to assist security personnel to
34

Table 3.12 Summary of insider detection honeypot
| S/No | Ref No | Author | Year | Framework | Interaction of honeypot | Form of honeypot | Purpose for honeypot | Decoy form | Detection |
|---|---|---|---|---|---|---|---|---|---|
| 3.5.2.1 | [24] | Lance Spitzner | 2003 | Honeytoken | High-interactive | Physical | Production | Honeytoken | Misuse honeytoken |
| 3.5.2.2 | [30] | Praveen J U | 2013 | Honeypot with misbehavior detector | High-interactive | Physical | Production | Honeypot | Misbehavior analysis |
| 3.5.2.3 | [28] | Brian Bowen | 2010 | Decoy document distributor | High-interactive | Physical | Production | Honeytoken | Misuse honeytoken |
| 3.5.2.4 | [31] | Li Hong-Xia | 2010 | Management honeypot | High-interactive | Physical | Production | Honeypot | Attack on loophole of management system |
| 3.5.2.5 | [32] | Huseyin Ulusoy | 2015 | Honey data | High-interactive | Virtual | Production | Honeytoken | Misuse honeytoken |
3 Specialized Honeypot Applications
create such documents. Before creating the document, several questions need to be considered:
1. Who is this honeytoken targeting?
2. Can the insider easily distinguish between the real and the fake document?
3. How much fake information should the document contain?
4. Which columns of information should be changed, and which left unchanged?
Brian Bowen has proposed the use of a decoy document distributor (D3) system together with other sensors to detect and monitor insider attacks. The D3 system is a web-based honeypot for generating and distributing decoy documents, or honeytokens. The whole architecture comprises the decoy document distributor system, which is the honeypot, and sensors such as SONAR and a host-level sensor.
The decoy document distributor system automatically embeds multiple signals into each decoy document to increase the probability that misuse of the document is detected [28]. The signals emitted when a decoy document is misused come from embedded honeytokens that are monitored, beacons that alert the SONAR sensor, and markers that enable detection by the host-level sensor. The host-level sensor also monitors for anomalous user search actions, flagging file search behavior that deviates substantially from the baseline of normal user search behavior.
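The detection side of Spitzner's credential and search-keyword honeytokens and of Bowen's decoy-document markers, as an added example that is not code from [24] or [28]; the token registry, user names and log records are constructed placeholders:

```python
"""Honeytoken monitor (added illustration, not code from [24] or [28]).

Models the detection side of the honeytoken designs described above: credential,
search-keyword and decoy-document markers planted by the defender, and a monitor
that raises an alert whenever one of them is used. All names, tokens and log
lines are constructed placeholders."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed registry of planted honeytokens (assumption: the defender keeps it
# out of band, so the tokens carry no visible tag in the systems they sit in).
HONEY_CREDENTIALS = {"svc_backup_ro": "decoy-fileserver-01"}  # user ID -> fake server
HONEY_KEYWORDS = {"project-blackbird", "acq-target-list"}    # never legitimately searched
HONEY_DOC_MARKERS = {"DOC-MARK-7f3a"}                         # embedded in decoy documents


@dataclass
class Alert:
    kind: str     # "credential", "search" or "document"
    actor: str    # user or source host that triggered the token
    detail: str


def check_auth_event(user: str, target_host: str, src: str) -> Optional[Alert]:
    """A login with a honeytoken user ID is always an alert: no real user holds it."""
    if user in HONEY_CREDENTIALS:
        return Alert("credential", src,
                     f"honeytoken user {user} used against {target_host} "
                     f"(token pointed at {HONEY_CREDENTIALS[user]})")
    return None


def check_search_event(user: str, query: str) -> Optional[Alert]:
    """Search-engine honeytoken: a query containing a planted sensitive keyword."""
    hits = {term.lower() for term in query.split()} & HONEY_KEYWORDS
    if hits:
        return Alert("search", user, f"honey keyword(s) {sorted(hits)} searched")
    return None


def check_document_event(user: str, content: str) -> Optional[Alert]:
    """Host-level marker check: the opened file carries a decoy-document marker."""
    for marker in HONEY_DOC_MARKERS:
        if marker in content:
            return Alert("document", user, f"decoy document marker {marker} opened")
    return None


def scan_log(lines: Iterable[str]) -> List[Alert]:
    """Run the three checks over constructed 'kind|field|field|field' records."""
    alerts: List[Alert] = []
    for line in lines:
        kind, *fields = line.strip().split("|")
        alert = None
        if kind == "auth" and len(fields) == 3:
            alert = check_auth_event(fields[0], fields[1], fields[2])
        elif kind == "search" and len(fields) == 2:
            alert = check_search_event(fields[0], fields[1])
        elif kind == "docopen" and len(fields) == 2:
            alert = check_document_event(fields[0], fields[1])
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log: one benign event per check, one triggering event per token.
SAMPLE_LOG = [
    "auth|alice|fileserver-02|10.0.5.12",                 # normal login, no alert
    "auth|svc_backup_ro|decoy-fileserver-01|10.0.5.77",  # honeytoken credential used
    "search|bob|quarterly sales figures",                 # normal search
    "search|bob|project-blackbird budget",                # honey keyword searched
    "docopen|carol|Minutes of weekly meeting",            # ordinary document
    "docopen|carol|Customer list DOC-MARK-7f3a rev 3",    # decoy document opened
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"[{alert.kind}] {alert.actor}: {alert.detail}")
```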
Huseyin Ulusoy proposes a method to detect attackers using honey data. Honey data is in reality a form of honeytoken renamed by its author, and it is part of the honeypot trap [32]. The system comprises three phases. The first phase is honey data generation and integration. In this phase, the data controller generates the honey data from the actual data. The honey data and the actual data are uploaded to the cloud and shuffled in such a way that every data split contains at least one honey data instance, each placed at a different position. A blacklist and a whitelist are also created from the position information (the locations of the honey data). The second phase is trap setting. The trap runs in kernel mode and monitors the file access system calls. The trap sends an alert message to the data controller once the position information of a file request matches a record in the blacklist. The last phase is MapReduce job tailoring. In this phase, the system is tailored to ensure that legitimate users do not access the honey data in the file system; the whitelist is used to enforce this requirement. Honey data comes at three scale levels: honey files, honey splits and honey key-values.
The system's ability to detect an intruder depends on the probability of detecting an unauthorized data access, which is set by the data controller; the amount of honey data in the files is in turn determined by this detection-rate setting.
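The three phases above carried through on one constructed MapReduce input, as an added example that is not code from [32]: honey records are shuffled into splits so that each split holds at least one, blacklist and whitelist positions are derived, the kernel-mode trap is modelled as a check over file-access events, and a tailored job reads whitelisted offsets only. The detection-rate formula at the end is an assumed simple model, not the paper's.

```python
"""Honey data integration and trap (added illustration, not code from [32])."""
import random
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str]          # (customer id, plausible-looking value); constructed
Position = Tuple[int, int]        # (split index, offset within split)


def generate_honey_data(real: List[Record], n_honey: int, rng: random.Random) -> List[Record]:
    """Phase 1a: derive honey records from real ones so they look like the real data."""
    honey = []
    for i in range(n_honey):
        base_id, base_value = rng.choice(real)
        # Same format as the real data, different identity: a constructed decoy.
        honey.append((f"C{int(base_id[1:]) + 9000 + i}", base_value))
    return honey


def integrate(real: List[Record], honey: List[Record], n_splits: int,
              rng: random.Random) -> Tuple[List[List[Record]], Set[Position], Set[Position]]:
    """Phase 1b: shuffle real and honey records into n_splits splits so that every
    split contains at least one honey record; return splits, blacklist, whitelist."""
    if len(honey) < n_splits:
        raise ValueError("need at least one honey record per split")
    honey_set = set(honey)                      # known only to the data controller
    pool = list(honey)
    rng.shuffle(pool)
    splits = [[pool.pop()] for _ in range(n_splits)]   # guarantee one honey per split
    rest = pool + list(real)
    rng.shuffle(rest)
    for i, rec in enumerate(rest):
        splits[i % n_splits].append(rec)
    for s in splits:
        rng.shuffle(s)                          # honey positions differ per split
    blacklist = {(i, off) for i, s in enumerate(splits)
                 for off, rec in enumerate(s) if rec in honey_set}
    whitelist = {(i, off) for i, s in enumerate(splits)
                 for off in range(len(s))} - blacklist
    return splits, blacklist, whitelist


def trap(access_events: List[Position], blacklist: Set[Position]) -> List[Position]:
    """Phase 2: the kernel-mode trap, modelled as a filter over (split, offset)
    file-access events; each blacklisted hit is an alert to the data controller."""
    return [pos for pos in access_events if pos in blacklist]


def tailored_job_reads(split_index: int, splits: List[List[Record]],
                       whitelist: Set[Position]) -> List[Position]:
    """Phase 3: a tailored MapReduce task reads only whitelisted offsets of its split."""
    return [(split_index, off) for off in range(len(splits[split_index]))
            if (split_index, off) in whitelist]


def honey_fraction_for(target_detection: float, records_read: int) -> float:
    """Assumed model: an intruder reading r uniformly random records is detected
    with probability 1 - (1 - h)^r when a fraction h of records is honey, so the
    controller needs h = 1 - (1 - P)^(1/r) to reach detection probability P."""
    return 1.0 - (1.0 - target_detection) ** (1.0 / records_read)


def demo(seed: int = 7) -> Dict[str, object]:
    """Build 40 constructed real records plus 6 honey records over 4 splits and
    run a tailored job and a raw split scan through the trap."""
    rng = random.Random(seed)
    real_records = [(f"C{i:04d}", f"tier-{i % 3}") for i in range(1, 41)]
    honey_records = generate_honey_data(real_records, 6, rng)
    splits, blacklist, whitelist = integrate(real_records, honey_records, 4, rng)
    full_scan = [(0, off) for off in range(len(splits[0]))]
    return {
        "splits": splits,
        "blacklist": blacklist,
        "tailored_hits": trap(tailored_job_reads(0, splits, whitelist), blacklist),
        "raw_scan_hits": trap(full_scan, blacklist),
    }


if __name__ == "__main__":
    result = demo()
    print("honey positions:", sorted(result["blacklist"]))
    print("tailored job alerts:", result["tailored_hits"])
    print("raw split scan alerts:", result["raw_scan_hits"])
    print("honey fraction for 99% detection over 10 reads:",
          round(honey_fraction_for(0.99, 10), 3))
```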
Anomaly-based filters can be used to detect insider attacks by analysing traffic patterns or flows. Such a system redirects the malicious user to an insider honeypot once the IDS detects an abnormal pattern or a deviation from the normal flow that exceeds its threshold. Praveen J U has proposed a misbehavior pattern detection method for the IDS to detect intrusion packets and redirect them to the honeypot. Private/public keys are introduced in the proposed system as a second security measure alongside the username and password [30].
The user first sends an encrypted request for a ticket to a particular service from the ticket generator. Upon receiving the encrypted service ticket from the ticket generator, the user logs in and sends the service ticket to the NIDS. The NIDS forwards the ticket to the ticket manager for verification. If verification passes, the user is directed to the file system; if authentication fails, the user is blacklisted and directed to the honeypot.
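The exchange described above with all four parties modelled in one script, as an added example that is not code from [30]. The paper's public/private-key encryption of the ticket is replaced here by an HMAC-authenticated ticket (an assumption made to stay within the standard library); the key, users, passwords and service names are constructed.

```python
"""Ticket-based gatekeeping (added illustration, not code from [30]).

The user authenticates to the ticket generator with username and password and
receives a service ticket; the user presents the ticket to the NIDS gateway; the
gateway asks the ticket manager to verify it; valid tickets are routed to the
file system, failures blacklist the user and route them to the honeypot."""
import hashlib
import hmac
import json
from typing import Dict, Optional, Set

TICKET_KEY = b"constructed-ticket-generator-key"   # shared by generator and manager
TICKET_LIFETIME = 300                               # seconds a ticket stays valid


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _mac(body: Dict) -> str:
    return hmac.new(TICKET_KEY, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()


class TicketGenerator:
    def __init__(self, users: Dict[str, str]):
        self._salt = b"constructed-salt"
        self._users = {u: _pw_hash(p, self._salt) for u, p in users.items()}

    def issue(self, user: str, password: str, service: str, now: float) -> Optional[Dict]:
        """Return a signed ticket for (user, service), or None if the login fails."""
        stored = self._users.get(user)
        if stored is None or not hmac.compare_digest(stored, _pw_hash(password, self._salt)):
            return None
        body = {"user": user, "service": service, "exp": int(now) + TICKET_LIFETIME}
        return {"body": body, "mac": _mac(body)}


class TicketManager:
    def verify(self, ticket: Dict, service: str, now: float) -> bool:
        """Accept only an untampered, unexpired ticket issued for this service."""
        body, mac = ticket.get("body"), ticket.get("mac", "")
        if not isinstance(body, dict):
            return False
        return (hmac.compare_digest(_mac(body), mac)
                and body.get("service") == service
                and body.get("exp", 0) > now)


class NIDSGateway:
    def __init__(self, manager: TicketManager):
        self._manager = manager
        self.blacklist: Set[str] = set()

    def handle(self, user: str, ticket: Dict, service: str, now: float) -> str:
        """Route the request: 'filesystem' on success, 'honeypot' on failure."""
        if user in self.blacklist or not self._manager.verify(ticket, service, now):
            self.blacklist.add(user)
            return "honeypot"
        return "filesystem"


def run_exchange(password_used: str, tamper: bool = False,
                 now: float = 1_700_000_000.0) -> str:
    """Drive one full exchange for constructed user 'alice' against service 'files'."""
    generator = TicketGenerator({"alice": "correct horse battery"})
    gateway = NIDSGateway(TicketManager())
    ticket = generator.issue("alice", password_used, "files", now)
    if ticket is None:
        return "ticket refused"
    if tamper:
        ticket["body"]["service"] = "payroll"   # forged claim, MAC no longer matches
    return gateway.handle("alice", ticket, ticket["body"]["service"], now)


if __name__ == "__main__":
    print("correct password:", run_exchange("correct horse battery"))
    print("wrong password:  ", run_exchange("wrong"))
    print("tampered ticket: ", run_exchange("correct horse battery", tamper=True))
```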
Summary for insider detection honeypot: Different authors hold different opinions on how to determine whether an insider attack is under way. Table 3.12 shows that the frameworks in [30, 32] are limited to masquerader insider attacks, whereas the frameworks in [24, 28, 31] apply to both masqueraders and traitors. The frameworks in [30, 32] assume that the intruder is not very familiar with the system and is trying to gain access to it. That concept is more efficient for detecting outsider attacks than insider attacks. Using a honeypot alone to detect insider attacks provides limited information, as the attacker will not linger in the honeypot for long, whether or not he/she achieves his/her objective. The honeytokens proposed in [28, 32] allow the administrator to continue monitoring even after the intruder has left the perimeter of the decoy system: every action performed on the token causes it to send feedback to the server.
Insider detection has developed from manually created honeytokens [24], to an IDS combined with a honeypot [30], to an automated honeytoken generator system combined with a honeypot [32]. The development of a decoy file system (honeypot) populated with honeytoken files makes the frameworks proposed in [28, 32] indistinguishable from the legitimate system. The concept proposed in [28, 32] is an ideal solution; however, researchers still have to face the reality of the high complexity of setting up the entire system.
All researchers who proposed using honeytokens as part of their framework face the great challenge of deciding the proportion of 'honey data' to real data in the honeytoken, which must be established so that the insider's suspicion is not aroused regarding the targeted data. The chosen proportion is subjective and relies extensively on the professional opinion of the organization's higher management, who may be highly suspicious of insiders.

3.6 Advanced Persistent Threat Honeypot

An advanced persistent threat (APT) is a well-organized attack that tries to gain control of an organization's systems in order to obtain information for the attacker's own benefit. The attack can consist of several sophisticated attack vectors or a simple malware attack. The tools used in most attacks are modern, state-of-the-art hacking applications; they may be customized or off-the-shelf malware tools. The objective of an APT is to remain invisible for as long as possible, move quietly from one compromised host to the next without generating conspicuous network traffic, and gain total control of the host [33].
The attack is a very low and slow process, designed to ensure that the malicious activities cannot be observed by legitimate users. The attacker's intention is similar to that of an insider attack: not to damage the system, but to gain unlimited access to the organization's confidential information.
The first warnings against targeted emails containing trojans to steal sensitive information were published by the UK and US CERT organisations in 2005 [36]. At that time, the term "Advanced Persistent Threat" was not yet in use; it was later widely cited by Colonel Greg Rattray, commander of the 23rd Information Operations Squadron in the US Air Force.
An APT attack proceeds in seven stages:
1. The first stage is the initial compromise. Methods such as social engineering, spear phishing, zero-day viruses and drive-by downloads from commonly visited web sites are used to infect the targeted employee's computer.
2. The second stage establishes a foothold in the targeted network. This is accomplished by tunnelling into the network infrastructure, installing remote administration software and creating a backdoor.
3. The third stage escalates privileges to gain full control of the network, using exploitation and password cracking software.
4. The fourth stage is network information consolidation. Information such as trust relationships and Windows domains is gathered.
5. The fifth stage is lateral movement. The attacker begins to compromise other systems and servers and harvests data from them.
6. In the sixth stage, the attacker must maintain the connection to ensure continuous control over the channel.
7. The seventh and final stage: the attacker downloads valuable data from the victim's network.
The attack is often performed as a continuous process and is sometimes described in the singular, as "the" APT attack. Current security techniques and tools find such attacks challenging to detect, especially when stealth techniques such as tunnelling are used. Researchers in [34, 35] have proposed the use of honeypots to capture these attacks.
Roman Jasek has proposed deploying multiple honeypots at several locations in the network to capture APT attacks [34]. The proposed system consists of high-interactive honeypots, low-interactive honeypots, honeypots for production and a honeypot agent. The honeypot agent acts like a normal human user, exhibiting the behavior of an ignorant user, to attract the attack. The low-interactive honeypots advertise known vulnerabilities into the network. The high-interactive honeypots allow the attacker to interact with and compromise them. The compromise of a honeypot in the honeyfarm is recorded and monitored by the administrator, and safety rules derived from the compromise are applied to the production system.
A honeypot can be deployed next to the actual server, creating a mirror image that serves as bait to attract the attacker. Zainab Saud focuses on implementing honeypots to protect the more important facilities, such as servers [35]. The proposed architecture includes a NIDS as the gateway to the server and a low-interactive honeypot
Table 3.13 Summary of APT honeypot
| S/No | Ref No | Author | Year | Framework | Interaction of honeypot | Other honeypot | Form of honeypot | Purpose of honeypot | Detection method | Nature of honeypot |
|---|---|---|---|---|---|---|---|---|---|---|
| 3.6.1 | [34] | Roman Jasek | 2013 | APT detection system | High-interactive | Low-interactive | Physical | Production | Honeypot agent | Active |
| 3.6.2 | [35] | Zainab Saud | 2015 | APT proactive detection honeypot | Low-interactive | Nil | Physical | Production | NIDS | Active |
that emits signals to attract the attacker. The focus of this system is to ensure that the administrator receives timely information about an intrusion once the honeypot has been compromised. The task of the NIDS is to provide a detailed picture of the attack; its logs and alerts assist the administrator in analyzing and correlating the different events.
Summary for APT detection honeypot: The two frameworks in Table 3.13 try to solve the APT problem at different levels, so no equal scale can be used to compare their results technologically or empirically. The framework in [34] is designed to capture a full APT attack and redirect it to a honeyfarm for monitoring and analysis; the information on the whole attack is recorded and stored in a database. The framework in [35] focuses on protecting prime facilities such as the server, and assumes that the APT attack has already occurred and remains undetected in the network.
Both frameworks adopt a passive approach to lure the attacker to the honeypot, and both authors state in their articles the belief that an advanced persistent threat attack can slip past an intrusion detection system and that a honeypot is a good solution for capturing the signals of such a threat [34, 35]. Both frameworks use static honeypots to emulate vulnerabilities and attract the APT attacker; to my dismay, no dynamic honeypot has been proposed so far to tackle the APT issue.

References

1. J.P. John, F. Yu, Y. Xie, A. Krishnamurthy, M. Abadi, Heat-seeking honeypots: design and
experience, in Proceedings of the 20th International Conference on World Wide Web (ACM,
2011), pp. 207–216
2. A. Schoeman, Amber: a zero-interaction honeypot and network enforcer with modular intelli-
gence, in Information Security for South Africa, 2013 (IEEE, 2013), pp. 1–7
3. S. Djanali, F. Arunanto, B.A. Pratomo, A. Baihaqi, H. Studiawan, A.M. Shiddiqi, Aggressive
web application honeypot for exposing attacker’s identity, in 1st International Conference
on Information Technology, Computer and Electrical Engineering (ICITACEE), 2014 (IEEE,
2014), pp. 212–216
4. J. Crist, Web based attacks (SANS, 2007)
5. Imperva, Imperva’s web application attack report (2011)
6. M. Akiyama, Y. Kawakoya, T. Hariu, Scalable and performance-efficient client honeypot on
high interaction system, in 2012 IEEE/IPSJ 12th International Symposium on Applications
and the Internet (SAINT) (IEEE, 2012), pp. 40–50
7. R. Shukla, M. Singh, Pythonhoneymonkey: detecting malicious web urls on client side honey-
pot systems, in 3rd International Conference on Reliability, Infocom Technologies and Opti-
mization (ICRITO) (Trends and Future Directions) (IEEE, 2014), pp. 1–5
8. T.-M. Koo, H.-C. Chang, Y.-T. Hsu, H.-Y. Lin, Malicious website detection based on honeypot
systems, in 2nd International Conference on Advances in Computer Science and Engineering
(CSE 2013) (Atlantis Press, 2013)
9. Y.-M. Wang, D. Beck, X. Jiang, R. Roussev, C. Verbowski, S. Chen, S. King, Automated web
patrol with strider honeymonkeys, in Proceedings of the 2006 Network and Distributed System
Security Symposium (2006), pp. 35–49
10. B.K. Mirsha, U. Kumar, G. Sahoo, Defending polymorphic worms in computer network using
honeynet. Int. J. Eng. Sci. Technol. (2014)
11. S. Paul, B.K. Mishra, Honeypot-based signature generation for polymorphic worms. Int. J.
Secur. Appl. 8(6), 101–114 (2014)
12. M.M. Mohammed, E. Aleisa, N. Ventura, Zero-day polymorphic worms detection using aho-
corasick algorithm
13. A.N.A. AlFraih, W. Chen, Design of a worm isolation and unknown worm monitoring system
based on honeypot, in International Conference on Logistics Engineering, Management and
Computer Science (LEMCS 2014) (Atlantis Press, 2014)
14. P. Jain, A. Sardana, Defending against internet worms using honeyfarm, in Proceedings of the
CUBE International Information Technology Conference (ACM, 2012), pp. 795–800
15. B.K. Mirsha, U. Kumar, G. Sahoo, Double-Sticky-Honeynet for Defending Viruses in Computer
Network, vol. 7 (2012), pp. 131–134
16. G. Portokalidis, H. Bos, Sweetbait: zero-hour worm detection and containment using honey-
pots. Elsevier J. Comput. Netw. (2005) (Special Issue on Security through Self-Protecting and
Self-Healing Systems)
17. D. Dagon, X. Qin, G. Gu, W. Lee, J. Grizzard, J. Levine, H. Owen, Honeystat: local worm
detection using honeypots, in Recent Advances in Intrusion Detection (Springer, 2004), pp.
39–58
18. I. Alberdi, E. Alata, V. Nicomette, P. Owezarski, M. Kaâniche, Shark: spy honeypot with
advanced redirection kit, in IEEE Workshop on Monitoring, Attack Detection and Mitigation
(MonAM07) (2007), pp. 47–52
19. S. Khattab, R. Melhem, D. Mossé, T. Znati, Honeypot back-propagation for mitigating spoof-
ing distributed denial-of-service attacks, in 20th International on Parallel and Distributed
Processing Symposium. IPDPS 2006 (IEEE, 2006), pp. 8–pp
20. R. Selvaraj, V.M. Kuthadi, T. Marwala, An effective odaids-hps approach for preventing, detect-
ing, and responding to DDoS attacks. Br. J. Appl. Sci. Technol. 5(5), 500 (2015)
21. S.S. Sadamate, V. Nandedkar, in Advance Honeypot Mechanism-the Hybrid Solution for
Enhancing Computer System Security with DoS, vol. 4 (2015)
22. J. B. Grizzard, V. Sharma, C. Nunnery, B.B. Kang, D. Dagon, Peer-to-peer botnets: overview
and case study, in Proceedings of the First Conference on First Workshop on Hot Topics in
Understanding Botnets (2007), pp. 1–1
23. S.M. Khattab, C. Sangpachatanaruk, D. Mossé, R. Melhem, T. Znati, Roaming honeypots for
mitigating service-level denial-of-service attacks, in 24th International Conference on Dis-
tributed Computing Systems, 2004. Proceedings (IEEE, 2004), pp. 328–337
24. L. Spitzner, Honeytokens: the other honeypot (2003)
25. M. Bercovitch, M. Renford, L. Hasson, A. Shabtai, L. Rokach, Y. Elovici, Honeygen: an
automated honeytokens generator, in 2011 IEEE International Conference on Intelligence and
Security Informatics (ISI) (IEEE, 2011), pp. 131–136
26. S. Chauhan, S. Shiwani, A honeypots based anti-phishing framework, in 2014 International
Conference on Control, Instrumentation, Communication and Computational Technologies
(ICCICCT) (IEEE, 2014), pp. 618–625
27. M. Husák, J. Cegan, Phigaro: automatic phishing detection and incident response framework,
in 2014 Ninth International Conference on Availability, Reliability and Security (ARES) (IEEE,
2014) pp. 295–302
28. B.M. Bowen, M.B. Salem, A.D. Keromytis, S.J. Stolfo, Monitoring technologies for mitigating
insider threats, in Insider Threats in Cyber Security (Springer, 2010), pp. 197–217
29. L. Spitzner, Honeypots: catching the insider threat, in 19th Annual on Computer Security
Applications Conference, 2003. Proceedings (IEEE, 2003), pp. 170–179
30. J. Praveen, P. Jayarekha, Identifying the misbehaving user in a network and trapping them
using honeypot
31. L. Hong-Xia, W. Pu, Z. Jian, Y. Xiao-Qiong, Exploration on the connotation of management
honeypot, in 2010 International Conference on E-Business and E-Government (ICEE) (IEEE,
2010) pp. 1152–1155
32. H. Ulusoy, M. Kantarcioglu, B. Thuraisingham, L. Khan, Honeypot based unauthorized data
access detection in mapreduce systems, in 2015 IEEE International Conference on Intelligence
and Security Informatics (ISI) (IEEE, 2015), pp. 126–131
33. P. Chen, L. Desmet, C. Huygens, A study on advanced persistent threats, in Communications
and Multimedia Security (Springer, 2014), pp. 63–72
34. R. Jasek, M. Kolarik, T. Vymola, APT detection system using honeypots, in Proceedings of the
13th International Conference on Applied Informatics and Communications (AIC’13) (WSEAS
Press, 2013), pp. 25–29
35. Z. Saud, M.H. Islam, Towards proactive detection of advanced persistent threat (APT) attacks
using honeypots, in Proceedings of the 8th International Conference on Security of Information
and Networks (ACM, 2015), pp. 154–157
36. E.M. Hutchins, M.J. Cloppert, R.M. Amin, Intelligence-driven computer network defense
informed by analysis of adversary campaigns and intrusion kill chains. Lead. Issues Inf. Warf.
Secur. Res. 1, 80 (2011)
Chapter 4
General Purposed Honeypot Applications

Abstract This chapter discusses general-purpose honeypot concepts. Some of these, such as the shadow honeypot, have been incorporated into many honeypot frameworks and are described as the norm for honeypots. There are also sophisticated general-purpose honeypots that can automatically adapt to the environment they are in to monitor different attacks, or that can generate a response to a human intruder. Such concepts are also discussed in depth.

4.1 Dynamic Honeypot

One of the biggest challenges for honeypot technology is that a honeypot must be manually updated and configured to adapt to the environment it is in. Configuration is a vital ingredient for the honeypot to blend into its environment and lure the attacker towards it. Any misconfiguration leads to consequences such as missed detections, failure to trap the attacker, or a compromised honeypot being used as a launch pad for attacks on the network.
Over the years, researchers have proposed a concept called the dynamic honeypot. The difference between a dynamic honeypot and a static honeypot is the former's ability to adapt automatically to the environment it is in. A dynamic honeypot follows the plug-and-play concept: the user can simply connect it to the network and use it without any configuration [6].
Dynamic honeypots have a competitive edge over their predecessors, in that they can create honeypots that blend very well with the environment. The question is how such a honeypot obtains information about its environment. Researchers [1–5] use fingerprinting to collect information about the environment and the systems in it. Fingerprinting methods can be classified into two categories, namely passive and active.
Active fingerprinting uses active techniques such as port scanning to collect information about the servers. It sends traffic to the targeted host and uses the responses to identify the role of each host in the network.
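One way a dynamic honeypot could turn the active-fingerprint step into a deployment decision, as an added example that is not code from [1–5]: a TCP connect probe, a role inferred from which well-known ports answer, and a honeypot template chosen for that role. The port-to-service map and the template names are assumptions, and the probe runs only against a listener the script opens itself on 127.0.0.1.

```python
"""Active fingerprinting for a dynamic honeypot (added illustration, not code
from [1-5]): probe ports, infer the host's role, pick a matching honeypot template."""
import socket
from typing import Dict, List, Set

# Assumed mapping from well-known ports to the service they usually indicate.
PORT_SERVICES: Dict[int, str] = {22: "ssh", 80: "http", 443: "https",
                                 445: "smb", 3306: "mysql", 8080: "http-alt"}

# Assumed honeypot templates, one per inferred role.
ROLE_TEMPLATES: Dict[str, str] = {"web server": "web-app honeypot",
                                  "database server": "database honeypot",
                                  "file server": "smb share honeypot",
                                  "generic host": "ssh honeypot"}


def probe_ports(host: str, ports: List[int], timeout: float = 0.5) -> List[int]:
    """TCP connect probe: a completed handshake (connect_ex == 0) means the port is open."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def infer_role(open_ports: List[int], services: Dict[int, str] = PORT_SERVICES) -> str:
    """Map the set of answering services to the role the honeypot should mimic."""
    found: Set[str] = {services[p] for p in open_ports if p in services}
    if found & {"http", "https", "http-alt"}:
        return "web server"
    if "mysql" in found:
        return "database server"
    if "smb" in found:
        return "file server"
    return "generic host"


def plan_honeypot(host: str, ports: List[int],
                  services: Dict[int, str] = PORT_SERVICES) -> Dict[str, object]:
    """Probe, classify, and choose the template that blends into this host's role."""
    open_ports = probe_ports(host, ports)
    role = infer_role(open_ports, services)
    return {"host": host, "open_ports": open_ports, "role": role,
            "template": ROLE_TEMPLATES[role]}


def open_local_listener() -> socket.socket:
    """Stand-in for a real server: a listening socket on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def demo() -> Dict[str, object]:
    """Open a loopback listener, label its port 'http' in a copy of the service map,
    and probe it together with a freshly released (hence closed) ephemeral port."""
    srv = open_local_listener()
    try:
        http_port = srv.getsockname()[1]
        spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        spare.bind(("127.0.0.1", 0))
        closed_port = spare.getsockname()[1]
        spare.close()                        # nothing listens on closed_port now
        services = dict(PORT_SERVICES)
        services[http_port] = "http"
        return plan_honeypot("127.0.0.1", [http_port, closed_port], services)
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())
```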
Xuxian Jiang proposes a catering honeypot that actively collects information from current network traffic and dynamically creates honeypots that are likely to be
© The Author(s) 2018
C. K. NG et al., Honeypot Frameworks and their Applications: A New Framework, SpringerBriefs on Cyber Security Systems and Networks, https://doi.org/10.1007/978-981-10-7739-5_4
Another Random Document on
Scribd Without Any Related Topics
[129] Cette particularité se trouve dans un fragment
des Mémoires manuscrits de Bussy-Rabutin, cité par M.
de Monmerqué dans son édition des Lettres de Sévigné,
t. 1: ce fragment a été supprimé dans toutes les éditions
de ces Mémoires. Quant aux lettres de la cassette, Mme
de Motteville dit que «le roi et la reine sa mère les ayant
toutes lues, y virent des choses qui firent tort à beaucoup
de personnes.»

Ici l'imagination se perd en conjectures, pour deviner les crimes


énormes qu'on imputait au surintendant et qui ne furent pas
articulés contre lui dans son procès. On est entraîné malgré soi à
réfléchir sur la nouvelle d'Adelaïs, cette justification posthume de
Fouquet.
Le roi, qui était sans doute juge et partie dans cette cause, plus
scandaleuse que criminelle, se garda bien d'ordonner les
informations que réclamait Fouquet. Mais les copies de ces
lettres [130] se multiplièrent toutefois, de même que les originaux
qu'on fabriquait exprès tous les jours pour affliger les personnes les
plus respectables par leurs mœurs. «Par ces lettres, dit Mme de
Motteville (Mémoires, Collect. Petitot, 2e série, t. 40, p. 143), on vit
qu'il y avait des femmes et des filles qui passaient pour sages et
honnêtes, qui ne l'étaient pas. Il y en eut même de celles-là qui
souffrirent pour lui, qui firent voir que ce ne sont pas toujours les
plus aimables, les plus jeunes ni les plus galans, qui ont les
meilleures fortunes, et que c'est avec raison que les poètes ont feint
la fable de Danaé et de la pluie d'or.»
[130] Quelques-unes de ces curieuses lettres nous ont
été conservées: elles étaient dans les archives de la
Bastille, avec cette note écrite sur la liasse: «Toutes ces
copies ont été données à Limoges à M. de La Fresnaye, le
17 novembre 1661.» Les éditeurs des Mémoires
historiques sur la Bastille ont recueilli ces copies, dont
l'authenticité est incontestable; t. 1, p. 55 et suivantes.

La pourvoyeuse ordinaire de Fouquet, Mme Duplessis-Bellière, qui


s'était chargée de marchander les faveurs de Mlle de La Vallière, fut
exilée à Montbrison, et les demoiselles de Menneville et de
Montalais, qui avaient trempé dans la conspiration contre la fidélité
de la belle maîtresse du roi, furent envoyées dans un couvent,
malgré leur condition de filles d'honneur de la reine.
Cependant les soupçons restèrent dans les jeunes têtes de la
cour, au sujet des relations de Fouquet avec Mlle de La Vallière; car,
si d'une part on montrait une lettre de Mme Duplessis au
surintendant: «Je ne sais plus ce que je dis ni ce que je fais,
lorsqu'on résiste à vos intentions. Je ne puis sortir de colère, lorsque
je songe que cette demoiselle a fait la capable avec moi; pour
captiver sa bienveillance, je l'ai encensée par sa beauté qui n'est
pourtant pas grande, et puis lui ayant fait connaître que vous
empêcheriez qu'elle ne manquât de rien et que vous aviez vingt mille
pistoles pour elle, elle se gendarma contre moi, disant que vingt-cinq
mille n'étaient pas capables de lui faire faire un faux pas; et elle me
répéta cela avec tant de fierté, que, quoique je n'aie rien oublié pour
la radoucir avant que de me séparer d'elle, je crains fort qu'elle n'en
parle au roi; de sorte qu'il faudra prendre le devant; pour cela, ne
trouvez-vous pas à propos de dire, pour la prévenir, qu'elle vous a
demandé de l'argent et que vous lui en avez refusé [131] ?» d'une
autre part, on donnait une interprétation contraire à cette lettre de
Fouquet, qu'on supposait adressée à mademoiselle de La Vallière:
«Puisque je fais mon unique plaisir de vous aimer, vous ne devez pas
douter que je ne fasse ma joie de vous satisfaire; j'aurais pourtant
souhaité que l'affaire que vous avez désirée fût venue purement de
moi: mais je vois bien qu'il faut qu'il y ait toujours quelque chose qui
trouble ma félicité, et j'avoue, ma chère demoiselle, qu'elle serait
trop grande, si la fortune ne l'accompagnait quelquefois de quelques
traverses. Vous m'avez causé aujourd'hui mille distractions, en
parlant au roi; mais je me soucie fort peu de ses affaires, pourvu
que les nôtres aillent bien [132] .» Le voile des carmélites fut depuis
jeté sur ces souvenirs, qui n'avaient pas de quoi plaire à l'orgueilleux
prince.
[131] Toute la lettre est imprimée à la p. 58, du t. 1
des Mémoires historiques sur la Bastille. M. de
Monmerqué, qui ne hasarde jamais une citation sans
remonter à la source originale, a pourtant reproduit cette
lettre dans une note des Mémoires de Conrard, ce qui fait
présumer qu'il l'avait trouvée dans les manuscrits de ce
laborieux compilateur.
[132] C'est l'abbé de Choisy qui rapporte cette lettre
(Mémoires, Coll. Petitot, 2e série, t. 63, p. 264); il la croit
adressée à Mlle de Montalais, l'une des maîtresses du
surintendant; mais cette fille d'honneur ne parlait pas au
roi, de manière à causer mille distractions à Fouquet. Les
éditeurs ont lu dans le manuscrit les vôtres au lieu des
nôtres, ce qui ne répond pas au sens général de la lettre.

Mais lorsque, vers l'année 1680, la veuve Scarron, devenue


marquise de Maintenon, parvint, à force de finesse, d'intrigue et de
fausseté, à supplanter Mme de Montespan, et à se guinder jusqu'au
lit royal, Louis XIV eut tout-à-coup les oreilles rebattues de ces
anciennes lettres découvertes dans la cassette de Fouquet, pièces de
conviction des mystères voluptueux de Saint-Mandé.
Alors on reproduisit ce billet de Mme Scarron: «Je ne vous
connais point assez pour vous aimer, et quand je vous connaîtrais,
peut-être vous aimerais-je moins. J'ai toujours fui le vice, et
naturellement je hais le péché; mais je vous avoue que je hais
encore davantage la pauvreté. J'ai reçu vos dix mille écus: si vous
voulez en apporter encore dix mille dans deux jours, je verrai ce que
j'aurai à faire.»
On commenta cet autre billet, plus concluant que le premier:
«Jusqu'ici j'étais si bien persuadée de mes forces, que j'aurais défié
toute la terre; mais j'avoue que la dernière conversation que j'ai eue
avec vous m'a charmée. J'ai trouvé dans votre entretien mille
douceurs, à quoi je ne m'étais pas attendue: enfin, si je vous vois
seul jamais, je ne sais ce qui arrivera [133] .»
[133] Ces deux billets sont dans les Mém. hist. sur la
Bastille, t. 1, p. 57. La Beaumelle, dans les Mémoires de
M me de Maintenon, t. 1, ch. 15, raconte, avec ses
réticences ordinaires, l'anecdote à laquelle ces lettres ont
rapport. «Après la mort de Scarron, sa veuve alla
demander au surintendant la survivance de la pension
qu'il faisait au pauvre poète, et Fouquet voulut avoir les
bénéfices de sa libéralité: il envoya un écrin magnifique à
la belle veuve, qui, éclairée sur les intentions de ce
protecteur intéressé, refusa les diamans et garda sa
vertu.» La Beaumelle n'a pas réussi cependant à
innocenter la démarche de Mme Scarron auprès du sultan
de Saint-Mandé.

Ces billets-doux et d'autres prirent des voix offensantes propres à


chagriner le roi, qui avait disgracié son favori Lauzun pour le punir
de s'être caché sous le lit de Mme de Montespan, et qui sentait les
vieilles piqûres d'amour-propre aussi cuisantes que de nouvelles.
Ce fut bien pis quand on tira des lettres de Scarron une preuve
assez malhonnête des rendez-vous de Françoise d'Aubigné et de
Fouquet: «Mme Scarron, écrivait le cul-de-jatte au maréchal d'Albret,
a été à Saint-Mandé. Elle est fort satisfaite de la civilité de Mme la
surintendante, et je la trouve si férue de tous ses attraits, que j'ai
peur qu'il ne s'y mêle quelque chose d'impur?»
On se rappela une foule de passages des lettres de Scarron,
qu'on avait recueillies autrefois comme des chefs-d'œuvre de goût
dans les ruelles de l'hôtel Rambouillet. Ici, Mme Scarron avait gagné
des flacons d'argent aux loteries du surintendant; là, le mari
réclamait l'exécution des promesses faites à sa femme par Fouquet;
Scarron recommandait l'un après l'autre tous les parens de sa
femme, et mettait toujours sa femme en avant pour obtenir des
dons et des grâces de son héros, le plus généreux de tous les
hommes, aussi bien que le plus habile homme du siècle [134] .
[134] Voyez les lettres de Scarron dans ses Dernières
œuvres, Paris, 1752, in-12, t. 2. «La requête que je vous
envoie, écrit-il à Fouquet, est pour un parent de ma
femme, qui a toujours été bon serviteur du roi, et qui est
persuadé que vous me faites l'honneur de m'aimer.» Il
écrit une autre fois: «Cette affaire est la dernière
espérance de ma femme et de moi.» Il ne se lasse point
de demander: «Je vous prie de vous souvenir de la
promesse que vous avez faite à ma femme touchant le
marquisat de son cousin de Circe.» Il ne rougit pas même
de son rôle d'importun: «Je crois qu'il ne se passe point
de jour que quelque chevalier ou quelque dame affligée
ne vous aille demander un don.»

Mais ce qui fournit surtout des armes à la malignité contre Mme


de Maintenon, ce fut le souvenir de la querelle de Scarron contre
Gilles Boileau, qui avait peu ménagé la femme du cul-de-jatte dans
cette épigramme:

Vois sur quoi ton erreur se fonde,


Scarron, de croire que le monde
Te va voir pour ton entretien:
Quoi! ne vois-tu pas, grosse bête,
Si tu grattais un peu ta tête
Que tu le devinerais bien [135] ?

[135] Despite the apologies of La Beaumelle, who
represents the youth of Françoise d'Aubigné as
very edifying, it seems certain that this friend of Ninon
led a rather irregular life, and frequented
company where examples of libertinage were not
lacking, witness this passage from a letter of her
husband: "The honour of your remembrance," he wrote to the Duke
d'Elbeuf, "will console me for the absence of Mme Scarron, whom
Mme de Montchevreuil has taken from me. I greatly fear that
this debauched lady will make her addicted to wine
and women, and will wear her out before
returning her to me." Besides, Scarron knew what to think
of his wife's conduct, which he himself revealed in
a song with which Mme de Maintenon was publicly mocked at
court; this song ends thus:

To carry at ease
Your damned backside,
Every day a sedan chair
Costs a fine crown
To me, poor cuckold.

Scarron, stung to the quick at having guessed the meaning, had not been content to
reply with a flood of coarse epigrams; he had
called to his aid the protection of his benefactor, who put an end to this
poetic combat in which Mme Scarron was exposed to harsh truths;
for Gilles Boileau threatened to keep no further measure toward the
sex; but his mouth was shut by pointing out to him that blows
of epigram might degenerate into blows of the stick. Mme Scarron
had had the wit not to deign to take offence at the very
insolent epigram shot at her; Fouquet took offence at it and forced Boileau
to retract his verses, before persons of quality should
take it upon themselves to avenge the honour of the ladies. Scarron admitted
that there was nothing in common between him and his wife, as his
adversary reproached him, and he addressed the account of the satirical dispute to the
superintendent who was its indirect cause [136].

[136] Dernières œuvres de Scarron, ed. of 1752, vol. 2,
p. 198 et seq.

The enemies of Mme de Maintenon had an easy game in
decrying her, by exhuming her former gallantries and by loudly
proclaiming the sum with which Fouquet had paid, twenty years earlier, for
what the king then paid more dearly with his glory and his
crown. "Mme de Montespan has left nothing undone to harm me," wrote
Mme de Maintenon in 1679; "she has drawn of me the most
frightful portrait." She wrote to her brother around the same time: "There is nothing
new in the outbursts that are made against me [137];" and
in another letter: "Do not take fire at the evil you
hear said of me. People are enraged, and seek only to
harm me. If they do not succeed, we shall laugh at it; if they succeed, we
shall suffer with courage. Watch your words with regard to me.
You are made to say very senseless ones, which are repeated to me with
complacency; for the rest, one gets used to everything [137]."

[137] Lettres de Mme de Maintenon, 1756, vol. 1, p.
178 et seq.
In 1676, la Brinvilliers had accused Fouquet of attempts at
poisoning, doubtless against the person of the king: "Admire the
misfortune," exclaims Mme de Sévigné on this occasion (letter of 22
July), "this creature refused to learn what was wanted and said
what was not asked; for example, she said that M. Fouquet
had sent Glazel, their poisoning apothecary, to Italy, to
get a herb that makes poison: she heard this fine
thing said by Sainte-Croix. See what an excess of overwhelming misfortune, and what a
pretext to finish off that poor unfortunate! All this is very
suspect; many other things are added besides." This denunciation, which
Fouquet's enemies had doubtless prompted to
the poisoner on the stool, recalled that poisons had been found
under the seals placed in 1661 in the house at Saint-Mandé,
and that the superintendent had formerly been suspected of having done away with
Cardinal Mazarin [138].

[138] "It was said that poisons had been found at
his house, and there was some suspicion that he had poisoned the
late cardinal." Mémoires de Mme de Motteville, Coll.
Petitot, 2nd series, vol. 40, p. 145. One reads in the Lettres de
Guy-Patin, 7 March 1661: "A rumour is going about, which I hold to be
false, that it has been discovered that Cardinal Mazarin
died poisoned; set aside the little grains of opium and a
little emetic wine that may have been given him, his
perpetual sleeplessness, his oedematous tumour, his
unexpected weaknesses, his nocturnal suffocations, his
universal disgust and loss of appetite, and there is more than
is needed to die without poison; but the fact is that one cannot
prevent fools from talking."

At the beginning of 1680, la Voisin, whose trial was the
continuation of that of la Brinvilliers, doubtless did not fail
to accuse Fouquet as well, she who imputed homicides to Racine and
to La Fontaine!

An old priest, Étienne Guibourg, accomplice and co-accused of la
Voisin, declared before the Chambre ardente of the Arsenal that a
plot had been formed to poison M. Colbert, and that one named Damy
had been charged with carrying out this crime, which did not succeed, the dose of
poison not being strong enough to cause death; he declared
moreover "that M. Pinon-Dumartray, councillor in the parlement, had
connections with him, and that he had told him that he had the design of poisoning
the king, against whom he had, he said, much resentment for
having had M. Fouquet imprisoned, to whom M. Pinon was
related [139]."
[139] Mémoires historiques sur la Bastille, vol. 1, p. 138.
I have sought to discover the interrogations and
proceedings of the Chambre des poisons; I hoped to draw from them
fuller details on the accusation brought against
Fouquet; but I learned from M. Villenave that the most
important documents had been destroyed before the Revolution.
However, many papers relating to this affair
still remained, drawn from the archives of the Bastille; M. de
Monmerqué had sorted and partly analysed them at the
Bibliothèque de l'Arsenal, when he was occupied with his
precious edition of the Lettres de Mme de Sévigné; for
fifteen years these papers have gone back into the attics, and
we have not succeeded in finding them again,
despite numerous attempts to recover their
trace.

The name of Fouquet therefore figured in that lugubrious and mysterious
trial whose documents were carefully destroyed, as if to
efface the traces of the iniquities of justice. What must have been the
king's fury against Fouquet, when one sees Louis XIV, fanaticized by
Mme de Maintenon, send to the Bastille his brave Marshal de
Luxembourg, exile his former mistress, the Comtesse de
Soissons, and let the most illustrious
personages of his court be dragged onto the stool, confronted with vile scoundrels who, in
the hope of escaping the stake, clung to everything that was
powerful and honourable in France! Let the fanaticism of Louis
XIV be judged by these words: "I was quite willing that Mme la Comtesse de
Soissons should escape; perhaps one day I shall render an account of it to
God and to my peoples [140]!"

[140] Lettres de Mme de Sévigné, 24 January 1680.
One may judge what intrigues took place within
the Chambre ardente from this passage of another
letter of 14 February 1680 (a fortnight before the supposed
death of Fouquet): "The Chambre de l'Arsenal has
begun again… There was a man who is not named,
who said to M. de la Reynie: 'But, sir, from what I
see, we are working here only on sorceries and
devilries of which the parlement of Paris does not receive the
accusations. Our commission is for poisons; how comes it
that we listen to anything else?' La Reynie was
surprised and said to him: 'Sir, we have secret
orders.' 'Sir,' said the other, 'make us a law and we shall
obey like you; but, not having your lights, I
believe I speak according to reason in saying what I say.' I
think you will not blame the uprightness of this man,
who nevertheless does not wish to be known."

This was the last blow against the poor prisoner. But Louis XIV
had received fine lessons in piety in his mystical conferences
with Mme de Maintenon: he did not order the real death of Fouquet.

VI.

The history of the jailer may serve further to clarify that of the
prisoner.
M. Saint-Mars, who in turn had the custody of Fouquet and of the
Iron Mask, was called Bénigne d'Auvergne, seigneur de Saint-
Mars. He was a petty gentleman of Champagne, from the neighbourhood of
Montfort-l'Amaury, who had no patrimonial resources
when he was admitted into the first company of the king's
musketeers. His exactness in the service won him the rank of
maréchal-des-logis at the age of thirty-four, and in this capacity he
contributed with his captain d'Artagnan to the arrest of Fouquet.
Throughout the trial he rigorously filled the post of
overseer to the accused, and the ardour with which he discharged
his duty drew upon him the attention of the king, who congratulated himself on having
found the man he was seeking to attach irrevocably to the
custody of Fouquet, condemned to perpetual detention. He was
appointed, in December 1664, captain of a free company,
with the title of commandant of the prison of Pignerol and the
salary of governor of a fortified place (6,000 livres), to
guard Fouquet. His authority, nearly absolute in the keep, was
independent of that of the king's lieutenant, M. Lamothe de
Rissan, as of that of the governor of the town, M. d'Herleville.
Scarcely installed in his command, Saint-Mars, who did not
want to stop at the beginning of his fortune, set about
pursuing that path by marrying a demoiselle de Moresant, daughter
of a simple bourgeois of Paris, but sister of the commissaire des
guerres of Pignerol and of the beautiful Mme Dufresnoy, mistress of the
Marquis de Louvois, who had had a post of
dame du lit of the queen created for her. He thus gained the good graces of Louvois
through the intermediary of M. Dufresnoy, premier commis in the department of
war; and the support of Mme Dufresnoy did him no harm when
occasion arose.
As long as Fouquet's imprisonment ostensibly lasted, Saint-Mars
enjoyed considerable credit at court: he procured posts,
ranks and pensions for the people he recommended to Louvois; he
constantly counterbalanced the authority of the king's lieutenant and the governor
of Pignerol together; he received every year enormous gratuities
from the king's privy purse. Finally, the manner in which he had guarded Fouquet,
despite all the attempts made for his deliverance, invited the king to
place in the hands of this indefatigable jailer a new
prisoner more difficult to keep. The ruses of the Comte de Lauzun
failed again against the vigilance of Saint-Mars, from whom death,
it is said, took the unfortunate Fouquet in 1680; a year later, Lauzun
was also taken from him by letters of pardon [141].

[141] Mémoires de M. d'Artagnan (by Sandras de
Courtilz), Cologne, 1701, 3 vols. in-12, vol. 3, pp. 222 and 385.
Annales de la cour et de Paris pour les années 1697 et
1698 (by the same), Cologne, 1701, 2 vols. in-18, vol. 2, p.
380. These two works name la Moresanne as the
family to which the wife of Saint-Mars belonged. This
name is written Damorezan in the correspondence of
Louvois; Histoire de la détention des Philosophes, vol. 1.
It is from an attentive reading of this
correspondence that one can settle the nature of the
powers entrusted to Saint-Mars.

However Saint-Mars, exclusively occupied with the prison he had
governed for more than sixteen years with as much order as
skill, refused, in 1681, the military command of the
citadel of Pignerol, which the king offered him as a reward for his
services, and accepted only with regret the government of the fort of Exilles,
vacant by the death of M. de Lesdiguières: he went there the same
year with only two prisoners, brought from Pignerol each
in a closed litter. These prisoners, who had no
intercourse with one another, were certainly the secretary of the Duke of Mantua and
the man in the mask. "As there is always one of my two
prisoners ill," he wrote on 4 December 1681, "they give me
as much occupation as I have ever had around those I have
guarded [142]." They remained under treatment for several
years, and Matthioli died at Exilles: certainly Saint-Mars
transferred only a single prisoner to the Îles Sainte-Marguerite, of which he was
appointed governor in 1687.

[142] See the letters of Louvois and of Saint-Mars
collected at the archives of Foreign Affairs by MM.
Roux-Fazillac and Delort.

These changes of residence were perhaps not without
dangers and inconveniences, since Saint-Mars little desired them;
and he would not have hastened to proceed to his new post without an
order from Louvois, which forced him to leave immediately with his
sick prisoner. The death of the minister who had always favoured in
him the brother-in-law of Mme Dufresnoy had no influence on his credit at
court; for he had married his only son, whom he lost soon afterwards, to the
daughter of M. Desgranges, premier commis of the Comte de Pontchartrain,
secretary of state for the navy, later chancellor of France; but Saint-
Mars, who was already very old and fat [143], desired rest: he
tried to refuse, in 1698, the government of the Bastille, vacant
by the death of M. de Bessemaux, and replied that "if it pleased His
Majesty to leave him where he was, he would willingly remain there."
Barbezieux forced him to accept his appointment, and the king disbanded,
a few days later, a company that had been created expressly
for the custody of Fouquet, and which Saint-Mars had taken with him
to the Îles Sainte-Marguerite and Saint-Honorat, although the supposed
death of Fouquet seemed to warrant the disbanding of that
company. Saint-Mars therefore went to Paris with his prisoner and
all the persons who possessed this secret.

[143] This epithet must be understood of the wealth of
Saint-Mars, for it is impossible to apply it to the physical
portrait of this officer, whom Renneville has painted in
entirely different colours: "He was a little old man,"
he says in the account of the reception given him by this governor
of the Bastille in 1703, "of very thin appearance,
shaking in the head, the hands and his whole body." Hist.
de la Bastille, vol. 1, p. 32.

These persons were also the same who had had a part in the
custody of Fouquet, and consequently their fidelity was guaranteed
by the test of time, no less than by reasons of interest or
of family.

Saint-Mars, from the origin of his command at Pignerol,
had surrounded himself with several of his relatives [144] who seconded him
zealously, in the hope of making their fortune: his first cousin, M.
de Blainvilliers, musketeer of the king and lieutenant in the guard of M.
Fouquet, was often the go-between for the confidential reports of the
governor to the minister, and for the orders of the minister to the governor: he
went frequently from Pignerol to Versailles and to Saint-Germain [145],
to carry secret dispatches concerning the affairs of the
prison; he followed Saint-Mars to the fort of Exilles; but everything leads one to suppose
that he died before his relative's passage to the government of the
Bastille.
[144] Here is an indication of some deeds found
among old papers relating to the estate of Blainvilliers;
M. Barbier d'Aucourt, who discovered them, kindly
communicated them to us to add to the information
we had drawn from Renneville's work on
the family of Saint-Mars, which does not figure in the
genealogies of Champagne published in 1673 from the
Recherches made under the direction of M. de Caumartin, 2
vols. large folio.
"20 July 1670, the sieur Zachée de Byot, écuyer,
seigneur de Blainvilliers, musketeer of the king and
lieutenant in the guard of M. Fouquet in the citadel of
Pignerol, renders fealty and homage for the fief of
Blainvilliers."
"22 July 1670. Receipt of 500 livres in the name of
M. de Blainvilliers, lieutenant in the guard of M. Fouquet
in the citadel of Pignerol, for dues of lods et ventes,
by reason of the acquisition he made from Bénigne
d'Auvergne, sieur de Saint-Mars, his first cousin, of the
inheritances belonging to him from the succession of the sieur
de Blainvilliers, their uncle, of which the said seigneur de Saint-
Mars was heir for a sixth portion, according to the
partition made with the sieur de Formanoir."
"12 March 1671. Eloy de Formanoir, seigneur de
Corbest, both in his own name by reason of damoiselle
Marguerite d'Auvergne, his wife, and as holding the
rights ceded in writing under private seal, dated 22
November 1664, by Bénigne d'Auvergne, seigneur de
Saint-Mars, maréchal-des-logis of the king's musketeers
and his lieutenant in the citadel of Pignerol, makes a
declaration of aveu for the same fief."
"23 December 1714. Transaction for a piece of
land between the sieur Jean Presle, ploughman, and messire
Guillaume de Formanoir, chevalier, seigneur de Palteau,
ordinarily residing in the said estate of Palteau, in
Burgundy, messire Louis Joseph de Formanoir, seigneur
de Saint-Mars and chevalier of the military order of Saint-
Louis, ordinarily residing at Montfort, and the sieur
Salmon, priest, holding power of attorney from messire Louis de
Formanoir, chevalier, seigneur d'Erimont, commanding
a company in the service of His Majesty at the Îles
Sainte-Marguerite."
[145] See the correspondence of Louvois,
notably the letters of 29 July 1678, 18 August 1679,
1 October 1679, etc., vol. 1 of the Histoire de la détention
des Philosophes: "I have spoken with the sieur de Blainvilliers,"
writes Louvois on 1 December 1678, "and I shall continue to
speak with him from time to time in the leisure hours I
may have."

A nephew of Saint-Mars, named Guillaume de Formanoir, called
Corbé because he had at first borne the title of the seigneurie of
Corbest, was for more than thirty years the confidant and auxiliary
of his uncle, whom he accompanied from Pignerol to the Bastille, in the capacity
of sub-lieutenant, then of lieutenant, in the free company
charged with the surveillance of the prisoners: he was even uglier and
more wicked than Saint-Mars, whose successor he hoped to be;
but, disappointed in his expectation, he left the king's service, and then
left the Bastille, where he was abhorred, to retire to
Champagne, to the estate of Palteau which his uncle on dying
had left him with other property. His swindles and his crimes are
branded with a red-hot iron by Constantin de Renneville, who had suffered so much
from them; but the infamous Corbé had become M. de Palteau, to enjoy
in peace the blood and tears of a thousand unfortunates of whom his
riches were the price [146].

[146] Inquisition française ou Histoire de la Bastille, vol.
1, p. 76; vol. 5, p. 406.

Other nephews of Saint-Mars long filled almost
hereditary ranks in the free companies of the state
prisons, in reward for the proven devotion of this old guardian
of Fouquet and of the Iron Mask.

Major Rosarges, whose name figures in the Journal of
Dujonca and in the death certificate of Marchialy, was yet another
creature of Saint-Mars, who brought him from the Îles Sainte-Marguerite to the
Bastille and made him major of the château. This Provençal, the most brutal of
men, had spent his whole life near the governor, and he died
on 19 May 1705, his intestines burned by the excessive quantity of
brandy he had drunk [147]. Rosarges replaced Saint-Mars in the
rare and short absences which the latter was forced to make with the
permission of the minister, and it is doubtless he whom Saint-Mars
designates under this title: my officer, in mentioning the
person of confidence who took care of the masked prisoner, and who was
never to speak to him [148].

[147] Inquisition française ou Histoire de la Bastille, vol.
1, p. 43, p. 79; vol. 3, p. 393.
[148] Letters of Louvois, of 4 December 1681, and of
Saint-Mars to Louvois, of 11 March 1682 and 20 January
1687; in the work of Roux-Fazillac.

Saint-Mars, arriving at the Bastille, was further accompanied by
one Lécuyer, who had served him for thirty years, and whom he made captain
of the gates. This old man, far less wicked than the major, still had
some kind of fear of God. The turnkey Ru,
a Provençal, also came from the Îles Sainte-Marguerite, in the train of the
Iron Mask [149]. The abbé Giraut, who confessed this unknown man at
the point of death, that execrable goat, as Renneville calls him,
had been confessor of the prisoners at the Îles Sainte-Marguerite, and
probably at Pignerol, before passing as chaplain to the
Bastille, where his debauches and depredations had great need
of the special favour of Saint-Mars to avoid being unmasked and
punished [150]. He doubtless knew the name and condition of the prisoner
he confessed.

[149] Inquisition française ou Histoire de la Bastille, vol.
1, pp. 54 and 79.
[150] Inquisition française ou Histoire de la Bastille, vol.
1, p. 82.

As for Reilh, who signed the death certificate in the registers of Saint-
Paul, this surgeon had entered the Bastille on the recommendation of
the abbé Giraut; and as he had been a frater in an infantry
company, one may presume that the apprenticeship of this frater took
place at the Îles Sainte-Marguerite under the eyes of Saint-Mars, who
gave his old wigs and old jerkins to this sinister
operator, as ill famed as his medicine among the inmates
of the prison [151]. Abraham Reilh, the governor's accommodating creature, for whom he
added the title and salary of apothecary to those of
surgeon of the château, perhaps owed this favour to his discretion,
in case he was the same frater who found on the seashore a
shirt covered with writing, and brought it at once to Saint-Mars,
without having read anything of what it contained. But then one would have to
reject the rest of the tradition, which relates that this frater was found
dead in his bed.

[151] Idem, vol. 1, p. 79.

Saint-Mars, in going to the Bastille, had obeyed reluctantly,
as if he feared soon to lose his prisoner, who survived
his transfer by only four and a half years, and Saint-Mars, who was
more than eighty years old at that time, remained governor until
his death. When it came, on 26 September 1708, he was
entirely forgotten by the world, to which he had said farewell since 1661,
to share for nearly half a century the captivity of a
great victim [152].

[152] Annales de la cour et de Paris, vol. 2, pp. 380 and
381. Inquisition française ou Histoire de la Bastille, vol. 1, p.
73 et seq.

The character of Saint-Mars has been judged variously, according to
times and persons. "It is said that he who will guard M. Fouquet at
Pignerol is a very honest man," wrote Mme de Sévigné on 25
January 1665. "He was a wise man and exact in the service,"
say the Mémoires de d'Artagnan. "They cast their eyes on him," says
Constantin de Renneville, who could only be partial on leaving the
Bastille, "because they believed they could not find a man, in all
the kingdom, harder and more inexorable. The brutal ferocity with
which this tyrant treated that illustrious unfortunate has something so
terrible about it that it would be capable of making the Dionysiuses and the Neros blush."
It must be admitted that this portrait is very far from resembling the one
that can be drawn from the correspondence of Louvois. Saint-Mars
was, it seems to me, of a gloomy, cold, silent humour, of
continual distrust and inflexible firmness: a state secret
ran no risk with such a man.
He made a prodigious fortune in his various commands,
where he had, without counting the perquisites, considerable
salaries. "Certain prisoners, who had been shut up at the
Îles Sainte-Marguerite, accused him of having pushed his fury to the point of
letting several of his prisoners die of hunger and even having them
smothered, while he continued to draw their pension, as if they
had been alive, long after their death." Whatever
were the sources of his immense riches, they allowed him
to buy in Champagne several seigneurial estates, among others
those of Dimon and Palteau. He was named chevalier of the king's
orders, bailli and governor of Sens. These honours, these dignities, these
riches rewarded the jailer of Fouquet and of the Iron
Mask [153].

[153] Annales de la cour et de Paris, vol. 2, pp. 380 and
381. Inquisition française, vol. 1, pp. 75 and 76. See in
vol. 1 of the Histoire de la détention des Philosophes
several ordinances of the king for payment of
gratuities to Saint-Mars, in consideration of his
services and to give him the means to continue them. One
of these warrants, of 30 January 1670, is for fifteen thousand
livres.

The letters of Saint-Mars prove that he designated Fouquet by
this appellation: my prisoner, although many other prisoners
were under his guard, and that he always continued to use the same
term with regard to the Iron Mask, after the supposed death of
Fouquet: "There are persons who are sometimes so curious,"
he wrote from Pignerol to Louvois (12 April 1670), "as to ask me
news of my prisoner, or the reason why I have
so many entrenchments made for my safety, that I am obliged to
tell them tall tales to make fun of them [154]." He wrote to him
from Exilles, 20 January 1687: "I shall give my orders so well for the
custody of my prisoner that I can well answer for him to you [155]."
He wrote to him from the Îles Sainte-Marguerite, 3 May 1687: "I was
only twelve days on the road, because my prisoner was
ill, from not having, as he said, as much air as he would have wished.
I can assure you, monseigneur, that nobody in the world has
seen him, and that the manner in which I guarded and conducted him throughout my
journey makes everyone try to guess who my
prisoner may be." Now, who in fact was the true prisoner of Saint-
Mars, who had been appointed to the custody of Fouquet in 1664, and who was
charged only incidentally with guarding other prisoners? Is it
not always the same personage at different periods?

[154] Vol. 1 of the Histoire de la détention des
Philosophes, p. 169.
[155] See this letter and the following ones in the
works of MM. Roux-Fazillac and Delort.

The ministers, in their correspondence, also used a
similar denomination for Fouquet and the Iron Mask; Louvois,
speaking of the superintendent to Saint-Mars, frequently says: your
prisoner, or the prisoner, as Barbezieux did in 1691 when
speaking of the man in the mask.

As for that letter of Barbezieux, dated 1691, by which
the length of the Iron Mask's captivity is fixed, this length does not
correspond absolutely to that which Fouquet would have spent in prison,
in case he had lived until that year; but Barbezieux,
in saying to Saint-Mars: The prisoner who has been under your guard for
twenty years, did not claim to give a precise date; and, light-
minded as he was, he may very well have put twenty years instead of
twenty-seven; besides, this young minister, born in 1668, had not
seen the beginning of Fouquet's detention, had inquired little about it
as an event entirely indifferent, and knew only
by hearsay that this unfortunate had been at Pignerol for more than twenty
years.
The transport of Fouquet to the fort of La Pérouse, in 1665, after the
disaster of the explosion of the powder magazines at Pignerol, and his return to
that prison in 1666, resemble in every respect the transfers of the
masked prisoner to the fort of Exilles, to the Île Sainte-Marguerite and to
the Bastille.

The king's Instruction of 29 June 1665 reads: "Captain Saint-
Mars, you will transfer the said Fouquet to the fort of La Pérouse,
having yourself escorted by the officers and soldiers of your company, and
using for this purpose the conveyance you judge most
suitable."

When it came to bringing Fouquet back to Pignerol, Louvois wrote to
Saint-Mars, 17 July 1666: "It is useless for me to explain to you
all the precautions His Majesty is taking for the security of the
prisoner during his march, but I must only assure you
that His Majesty relies on your prudence as to the time and manner
of your departure; he expects that you will take your
precautions so well that M. Fouquet cannot escape from your hands, and
that, with the exception of those who have worked on the execution of the said orders,
and who are discreet and faithful people, no one has knowledge that they
have been made and sent [156]."

[156] See the first volume of the Histoire de la
détention des Philosophes, pp. 94 and 131.

Saint-Mars wrote to the minister, 20 January 1687: "If I take my
prisoner to the islands, I think the safest conveyance would be a chair
covered with oilcloth, so that he would have enough air, without
anyone being able to see him or speak to him on the road, not even my
soldiers, whom I shall choose to be near the chair, which would be
less cumbersome than a litter that might break [157]."
During this journey, the Iron Mask was in this closed chair,
and Saint-Mars followed him in a litter, as at the time of the transfer of the
prisoner to the Bastille. Is it not indeed just such a journey that M.
de Palteau described in his letter?

[157] This letter was extracted from the archives of
Foreign Affairs by Roux-Fazillac.
Finally, the precautions taken to make the prison of the
Iron Mask secure had also been employed for Fouquet.

Here is what Saint-Mars wrote from the fort of Exilles to Louvois, 11
March 1682: "My prisoners (one of the two was the man in the
mask) can hear people talking who pass on the road at
the foot of the tower where they are; but they, even if they wished, could not
make themselves heard; they can see the persons who
might be on the mountain in front of their windows; but these could not
see them, because of the gratings in front of their
rooms. I have two sentinels of my company, night and day, on
both sides of the tower, at a reasonable distance, who see
the prisoners' window obliquely: their orders are
to listen whether anyone speaks to them and whether they cry out through their
window, and to move along the passers-by who would stop on the
road or on the slope of the mountain. My room being joined
to the tower, which has no other view than towards this road, means that
I hear and see everything, and even my two sentinels, who are
always alert by this means. As for the inside of the tower, I have had it
partitioned in such a way that the priest who says mass to them cannot
see them, because of a drum I have had made that covers their double
doors. The servants who bring them food put what
the prisoners need on a table that is there, and my
lieutenant (Rosarges, doubtless) carries it to them (in the presence of Saint-
Mars) [158]."

[158] Extracted from the same archives by the same.

Louvois wrote to Saint-Mars, 30 July 1666: "Nothing can
be added to the precautions you take for the custody of M.
Fouquet, and I can give you no other advice than to
invite you to continue as you have begun." On 14 February
1667: "As it appears from the prisoner's writings that he wishes
to have a view towards the chapels that are on the mountain, it will be
your care to prevent him from seeing anything on that side." On
7 December 1669: "You will do very well to put the windows of M.
Fouquet in such a state that such a thing can no longer happen (Fouquet
had spoken to the sentinels), and to watch carefully that he can
see nothing without your discovering it." On 1 January 1670: "The
brass-wire lattices you will have placed at his windows will
not have the effect of wooden ones, unless you have them
made in the same form, that is to say with as much solid
as void." On 26 March 1670: "I beg you to inspect
carefully the inside and outside of the place where he is confined, and
to put it in such a state that the prisoner can neither see nor be seen by
anyone, and cannot speak to anyone whatever, nor hear those who
would wish to say something to him [159]." The custody of Fouquet
thus seemed as difficult and no less important than that of the
Iron Mask.

[159] These letters are found in vol. 1 of the Histoire
de la détention des Philosophes.

M. Dujonca, whom Mme de Sévigné treats as a friend, had, it seems,
human and social qualities that were little appreciated in a
king's lieutenant at the Bastille: "His good qualities far
outweighed the others. He was obliging, affable, gentle, honest;
but those who complained of him accused him of being restless, quick,
fidgety, of an excessive severity, and of never telling the truth." M.
Dujonca had recorded in his journal the entry of the Iron Mask into
the Bastille: perhaps he sought to penetrate that state secret which had
been fatal to several indiscreet persons.

On 29 September 1706 he was, Renneville informs us, suddenly
attacked by the pains of death, which were pretended to be caused
by a colic. "Corbé (Blainvilliers or Formanoir) never allowed
anyone to speak to this sick man, who died without administration of
the sacraments and without any consolation."

Renneville returns elsewhere to this death, which he attributes to Corbé,
who would have wished to seize a considerable sum received by
M. Dujonca a few days before his sudden illness. "Ru said
loudly to all the prisoners that it was Corbé who had had
M. Dujonca poisoned. M. d'Argenson, whether it was that he suspected the cause
of so unexpected a death, ordered that the body be opened; but
not one of the relatives was called to it, and the operation was performed by the same
surgeon (Reilh, doubtless) whom Ru protested had prepared the
fatal medicine [160]."

[160] L'Inquisition française, vol. 1, pp. 77 and 78; vol. 2, p.
351, and vol. 4, p. 212.

One might think that M. Dujonca had recognized Fouquet under the
black velvet mask, and confided this terrible mystery to Mme de
Sévigné, who herself went to see the lieutenant du roi at the
Bastille on 6 August 1703, three months before the death of
Marchialy!
Could one not invoke, in support of this presumption, the
friendship that existed between Mme de Grignan, daughter of Mme de
Sévigné, and that Mme Lebret, wife of the intendant of Provence, who
was charged with purchasing fine linen and lace in Paris for the use
of the prisoner of the îles Ste-Marguerite [161]? Was this not a
last service that Fouquet, cut off from life in advance, still
received from his old friends, who nevertheless dared not cast doubt
on his death, for fear of making it necessary and irrefutable?
[161] Œuvres de Saint-Foix, vol. 5, p. 271, note.

It would be easy to extend in this way the inferences that would
no doubt add some credit to an opinion founded more solidly on facts
and dates.

The Man in the Iron Mask was the Superintendent Fouquet!

We have faith in our system: we regard Colbert as the inventor of
Fouquet's new captivity, dead while still alive, under the mask of an
unknown prisoner, and we think that this refinement of vengeance or
of policy against the unfortunate superintendent is a fact less
important, but more shameful to the memory of Louis XIV, than the
dragonnades and the revocation of the Edict of Nantes. That is why
the descendants of the great king concealed it with such care for the
honour of the monarchy.
Such is the human heart: it displays with pride a bold and
brilliant crime; but it hides in its darkest folds a base action
tainted with cowardice and meanness.

THE END.
*** END OF THE PROJECT GUTENBERG EBOOK L'HOMME AU
MASQUE DE FER ***

Updated editions will replace the previous one—the old editions
will be renamed.

Creating the works from print editions not protected by U.S.
copyright law means that no one owns a United States
copyright in these works, so the Foundation (and you!) can copy
and distribute it in the United States without permission and
without paying copyright royalties. Special rules, set forth in the
General Terms of Use part of this license, apply to copying and
distributing Project Gutenberg™ electronic works to protect the
PROJECT GUTENBERG™ concept and trademark. Project
Gutenberg is a registered trademark, and may not be used if
you charge for an eBook, except by following the terms of the
trademark license, including paying royalties for use of the
Project Gutenberg trademark. If you do not charge anything for
copies of this eBook, complying with the trademark license is
very easy. You may use this eBook for nearly any purpose such
as creation of derivative works, reports, performances and
research. Project Gutenberg eBooks may be modified and
printed and given away—you may do practically ANYTHING in
the United States with eBooks not protected by U.S. copyright
law. Redistribution is subject to the trademark license, especially
commercial redistribution.

START: FULL LICENSE


THE FULL PROJECT GUTENBERG LICENSE
PLEASE READ THIS BEFORE YOU DISTRIBUTE OR USE THIS WORK

To protect the Project Gutenberg™ mission of promoting the
free distribution of electronic works, by using or distributing this
work (or any other work associated in any way with the phrase
“Project Gutenberg”), you agree to comply with all the terms of
the Full Project Gutenberg™ License available with this file or
online at www.gutenberg.org/license.

Section 1. General Terms of Use and Redistributing Project Gutenberg™ electronic works

1.A. By reading or using any part of this Project Gutenberg™
electronic work, you indicate that you have read, understand,
agree to and accept all the terms of this license and intellectual
property (trademark/copyright) agreement. If you do not agree
to abide by all the terms of this agreement, you must cease
using and return or destroy all copies of Project Gutenberg™
electronic works in your possession. If you paid a fee for
obtaining a copy of or access to a Project Gutenberg™
electronic work and you do not agree to be bound by the terms
of this agreement, you may obtain a refund from the person or
entity to whom you paid the fee as set forth in paragraph 1.E.8.

1.B. “Project Gutenberg” is a registered trademark. It may only
be used on or associated in any way with an electronic work by
people who agree to be bound by the terms of this agreement.
There are a few things that you can do with most Project
Gutenberg™ electronic works even without complying with the
full terms of this agreement. See paragraph 1.C below. There
are a lot of things you can do with Project Gutenberg™
electronic works if you follow the terms of this agreement and
help preserve free future access to Project Gutenberg™
electronic works. See paragraph 1.E below.
1.C. The Project Gutenberg Literary Archive Foundation (“the
Foundation” or PGLAF), owns a compilation copyright in the
collection of Project Gutenberg™ electronic works. Nearly all the
individual works in the collection are in the public domain in the
United States. If an individual work is unprotected by copyright
law in the United States and you are located in the United
States, we do not claim a right to prevent you from copying,
distributing, performing, displaying or creating derivative works
based on the work as long as all references to Project
Gutenberg are removed. Of course, we hope that you will
support the Project Gutenberg™ mission of promoting free
access to electronic works by freely sharing Project Gutenberg™
works in compliance with the terms of this agreement for
keeping the Project Gutenberg™ name associated with the
work. You can easily comply with the terms of this agreement
by keeping this work in the same format with its attached full
Project Gutenberg™ License when you share it without charge
with others.

1.D. The copyright laws of the place where you are located also
govern what you can do with this work. Copyright laws in most
countries are in a constant state of change. If you are outside
the United States, check the laws of your country in addition to
the terms of this agreement before downloading, copying,
displaying, performing, distributing or creating derivative works
based on this work or any other Project Gutenberg™ work. The
Foundation makes no representations concerning the copyright
status of any work in any country other than the United States.

1.E. Unless you have removed all references to Project Gutenberg:

1.E.1. The following sentence, with active links to, or other
immediate access to, the full Project Gutenberg™ License must
appear prominently whenever any copy of a Project
Gutenberg™ work (any work on which the phrase “Project
Gutenberg” appears, or with which the phrase “Project
Gutenberg” is associated) is accessed, displayed, performed,
viewed, copied or distributed:

This eBook is for the use of anyone anywhere in the United
States and most other parts of the world at no cost and
with almost no restrictions whatsoever. You may copy it,
give it away or re-use it under the terms of the Project
Gutenberg License included with this eBook or online at
www.gutenberg.org. If you are not located in the United
States, you will have to check the laws of the country
where you are located before using this eBook.

1.E.2. If an individual Project Gutenberg™ electronic work is
derived from texts not protected by U.S. copyright law (does not
contain a notice indicating that it is posted with permission of
the copyright holder), the work can be copied and distributed to
anyone in the United States without paying any fees or charges.
If you are redistributing or providing access to a work with the
phrase “Project Gutenberg” associated with or appearing on the
work, you must comply either with the requirements of
paragraphs 1.E.1 through 1.E.7 or obtain permission for the use
of the work and the Project Gutenberg™ trademark as set forth
in paragraphs 1.E.8 or 1.E.9.

1.E.3. If an individual Project Gutenberg™ electronic work is
posted with the permission of the copyright holder, your use and
distribution must comply with both paragraphs 1.E.1 through
1.E.7 and any additional terms imposed by the copyright holder.
Additional terms will be linked to the Project Gutenberg™
License for all works posted with the permission of the copyright
holder found at the beginning of this work.

1.E.4. Do not unlink or detach or remove the full Project
Gutenberg™ License terms from this work, or any files
containing a part of this work or any other work associated with
Project Gutenberg™.

1.E.5. Do not copy, display, perform, distribute or redistribute
this electronic work, or any part of this electronic work, without
prominently displaying the sentence set forth in paragraph 1.E.1
with active links or immediate access to the full terms of the
Project Gutenberg™ License.

1.E.6. You may convert to and distribute this work in any binary,
compressed, marked up, nonproprietary or proprietary form,
including any word processing or hypertext form. However, if
you provide access to or distribute copies of a Project
Gutenberg™ work in a format other than “Plain Vanilla ASCII” or
other format used in the official version posted on the official
Project Gutenberg™ website (www.gutenberg.org), you must,
at no additional cost, fee or expense to the user, provide a copy,
a means of exporting a copy, or a means of obtaining a copy
upon request, of the work in its original “Plain Vanilla ASCII” or
other form. Any alternate format must include the full Project
Gutenberg™ License as specified in paragraph 1.E.1.

1.E.7. Do not charge a fee for access to, viewing, displaying,
performing, copying or distributing any Project Gutenberg™
works unless you comply with paragraph 1.E.8 or 1.E.9.

1.E.8. You may charge a reasonable fee for copies of or
providing access to or distributing Project Gutenberg™
electronic works provided that:

• You pay a royalty fee of 20% of the gross profits you derive
from the use of Project Gutenberg™ works calculated using the
method you already use to calculate your applicable taxes. The
fee is owed to the owner of the Project Gutenberg™ trademark,
but he has agreed to donate royalties under this paragraph to
the Project Gutenberg Literary Archive Foundation. Royalty
payments must be paid within 60 days following each date on
which you prepare (or are legally required to prepare) your
periodic tax returns. Royalty payments should be clearly marked
as such and sent to the Project Gutenberg Literary Archive
Foundation at the address specified in Section 4, “Information
about donations to the Project Gutenberg Literary Archive
Foundation.”

• You provide a full refund of any money paid by a user who
notifies you in writing (or by e-mail) within 30 days of receipt
that s/he does not agree to the terms of the full Project
Gutenberg™ License. You must require such a user to return or
destroy all copies of the works possessed in a physical medium
and discontinue all use of and all access to other copies of
Project Gutenberg™ works.

• You provide, in accordance with paragraph 1.F.3, a full refund of
any money paid for a work or a replacement copy, if a defect in
the electronic work is discovered and reported to you within 90
days of receipt of the work.

• You comply with all other terms of this agreement for free
distribution of Project Gutenberg™ works.

1.E.9. If you wish to charge a fee or distribute a Project
Gutenberg™ electronic work or group of works on different
terms than are set forth in this agreement, you must obtain
permission in writing from the Project Gutenberg Literary
Archive Foundation, the manager of the Project Gutenberg™
trademark. Contact the Foundation as set forth in Section 3
below.

1.F.

1.F.1. Project Gutenberg volunteers and employees expend
considerable effort to identify, do copyright research on,
transcribe and proofread works not protected by U.S. copyright
law in creating the Project Gutenberg™ collection. Despite these
efforts, Project Gutenberg™ electronic works, and the medium
on which they may be stored, may contain “Defects,” such as,
but not limited to, incomplete, inaccurate or corrupt data,
transcription errors, a copyright or other intellectual property
infringement, a defective or damaged disk or other medium, a
computer virus, or computer codes that damage or cannot be
read by your equipment.

1.F.2. LIMITED WARRANTY, DISCLAIMER OF DAMAGES - Except
for the “Right of Replacement or Refund” described in
paragraph 1.F.3, the Project Gutenberg Literary Archive
Foundation, the owner of the Project Gutenberg™ trademark,
and any other party distributing a Project Gutenberg™ electronic
work under this agreement, disclaim all liability to you for
damages, costs and expenses, including legal fees. YOU AGREE
THAT YOU HAVE NO REMEDIES FOR NEGLIGENCE, STRICT
LIABILITY, BREACH OF WARRANTY OR BREACH OF CONTRACT
EXCEPT THOSE PROVIDED IN PARAGRAPH 1.F.3. YOU AGREE
THAT THE FOUNDATION, THE TRADEMARK OWNER, AND ANY
DISTRIBUTOR UNDER THIS AGREEMENT WILL NOT BE LIABLE
TO YOU FOR ACTUAL, DIRECT, INDIRECT, CONSEQUENTIAL,
PUNITIVE OR INCIDENTAL DAMAGES EVEN IF YOU GIVE
NOTICE OF THE POSSIBILITY OF SUCH DAMAGE.

1.F.3. LIMITED RIGHT OF REPLACEMENT OR REFUND - If you
discover a defect in this electronic work within 90 days of
receiving it, you can receive a refund of the money (if any) you
paid for it by sending a written explanation to the person you
received the work from. If you received the work on a physical
medium, you must return the medium with your written
explanation. The person or entity that provided you with the
defective work may elect to provide a replacement copy in lieu
of a refund. If you received the work electronically, the person
or entity providing it to you may choose to give you a second
opportunity to receive the work electronically in lieu of a refund.
If the second copy is also defective, you may demand a refund
in writing without further opportunities to fix the problem.

1.F.4. Except for the limited right of replacement or refund set
forth in paragraph 1.F.3, this work is provided to you ‘AS-IS’,
WITH NO OTHER WARRANTIES OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR ANY PURPOSE.

1.F.5. Some states do not allow disclaimers of certain implied
warranties or the exclusion or limitation of certain types of
damages. If any disclaimer or limitation set forth in this
agreement violates the law of the state applicable to this
agreement, the agreement shall be interpreted to make the
maximum disclaimer or limitation permitted by the applicable
state law. The invalidity or unenforceability of any provision of
this agreement shall not void the remaining provisions.

1.F.6. INDEMNITY - You agree to indemnify and hold the
Foundation, the trademark owner, any agent or employee of the
Foundation, anyone providing copies of Project Gutenberg™
electronic works in accordance with this agreement, and any
volunteers associated with the production, promotion and
distribution of Project Gutenberg™ electronic works, harmless
from all liability, costs and expenses, including legal fees, that
arise directly or indirectly from any of the following which you
do or cause to occur: (a) distribution of this or any Project
Gutenberg™ work, (b) alteration, modification, or additions or
deletions to any Project Gutenberg™ work, and (c) any Defect
you cause.

Section 2. Information about the Mission of Project Gutenberg™

Project Gutenberg™ is synonymous with the free distribution of
electronic works in formats readable by the widest variety of
computers including obsolete, old, middle-aged and new
computers. It exists because of the efforts of hundreds of
volunteers and donations from people in all walks of life.

Volunteers and financial support to provide volunteers with the
assistance they need are critical to reaching Project
Gutenberg™’s goals and ensuring that the Project Gutenberg™
collection will remain freely available for generations to come. In
2001, the Project Gutenberg Literary Archive Foundation was
created to provide a secure and permanent future for Project
Gutenberg™ and future generations. To learn more about the
Project Gutenberg Literary Archive Foundation and how your
efforts and donations can help, see Sections 3 and 4 and the
Foundation information page at www.gutenberg.org.

Section 3. Information about the Project Gutenberg Literary Archive Foundation

The Project Gutenberg Literary Archive Foundation is a non-
profit 501(c)(3) educational corporation organized under the
laws of the state of Mississippi and granted tax exempt status
by the Internal Revenue Service. The Foundation’s EIN or
federal tax identification number is 64-6221541. Contributions
to the Project Gutenberg Literary Archive Foundation are tax
deductible to the full extent permitted by U.S. federal laws and
your state’s laws.

The Foundation’s business office is located at 809 North 1500
West, Salt Lake City, UT 84116, (801) 596-1887. Email contact
links and up to date contact information can be found at the
Foundation’s website and official page at
www.gutenberg.org/contact