From Manual Cyber Attacks Forensic to Automatic Characterization of Attackers' Profiles - J. Briffaut, P. Clemente, J.-F. Lalande, J. Rouzaud-Cornabas - INRIA - Institut National de Recherche en Informatique et en Automatique
Report (Research Report) Year: 2011

Abstract

This chapter studies the activities of cyber attackers on a large-scale honeypot that has been running for more than 2 years. A honeypot is a set of online computers that welcome attackers and let them perform their attacks. The chapter presents how to classify complex distributed attack sessions. The first part of this chapter analyzes the illegal activities performed by attackers, using the data collected during two years of attacks: logged sessions, intrusion detection system alerts, and mandatory access control system alerts. The study of these illegal activities makes it possible to understand the global motivations of the cyber attackers, their technical skills, and the geographical location of the attackers and their targets. The second part of this chapter presents generic methods to rebuild the illegal activities appearing on several attacked hosts. By correlating information collected by multiple sources (loggers, monitors, detectors) watching both the network and the operations occurring on each system, we provide a precise, high-level characterization of attacks. The proposed method follows an incremental approach that characterizes attacks from basic ones to highly complex malicious activities, including largely distributed attacks (migrating/hopping attacks, distributed denials of service). This work reveals the global goals of attackers who take control of multiple hosts to launch massive attacks on big universities, industries, or governmental organisations. Experimental results of these forensic and high-level characterization methods are presented using the data collected by our large-scale honeypot.
Main file: RR-2011-14.pdf (440.16 KB)
Origin: Files produced by the author(s)

Dates and versions

hal-00995211, version 1 (22-05-2014)

Identifiers

  • HAL Id: hal-00995211, version 1

Cite

Jérémy Briffaut, Patrice Clemente, Jean-François Lalande, Jonathan Rouzaud-Cornabas. From Manual Cyber Attacks Forensic to Automatic Characterization of Attackers' Profiles. [Research Report] INSA CVL - Institut National des Sciences Appliquées - Centre Val de Loire; LIFO, Université d'Orléans, INSA Centre Val de Loire. 2011. ⟨hal-00995211⟩
825 Views
372 Downloads
