ABSTRACT
Many malicious activities on the Web today make use of compromised Web servers, because these servers often have high pageranks and provide free resources. Attackers are therefore constantly searching for vulnerable servers. In this work, we aim to understand how attackers find, compromise, and misuse vulnerable servers. Specifically, we present heat-seeking honeypots that actively attract attackers, dynamically generate and deploy honeypot pages, and then analyze the resulting logs to identify attack patterns.
Over a period of three months, our deployed honeypots, despite their obscure location on a university network, attracted more than 44,000 attacker visits from close to 6,000 distinct IP addresses. By analyzing these visits, we characterize attacker behavior and develop simple techniques to identify attack traffic. Applying these techniques to more than 100 regular Web servers as an example, we identified malicious queries in almost all of their logs.
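The pipeline the abstract sketches (honeypot logs → attack patterns → applied to a regular server's logs) can be illustrated with a small log analyzer. The following is an added example, not code from the paper or its authors; the combined-format log lines, the decoy path prefixes and the signature rule (request path plus sorted query-parameter names) are constructed assumptions, since the page does not describe the paper's actual techniques.

```python
"""Toy honeypot-to-signature pipeline (added example, not the paper's code).

Assumptions, all constructed for illustration:
  * logs are in the Apache/nginx "combined" format;
  * decoy pages live under DECOY_PREFIXES and are never linked from anywhere,
    so any request that reaches them is treated as attacker traffic;
  * an attack signature is (path, sorted query keys) of such a request.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# One regex for the combined log format: ip ident user [time] "req" status size "ref" "ua".
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Decoy areas served only by the honeypot (constructed).
DECOY_PREFIXES = ("/admin/", "/webmail/")

# Constructed honeypot log: one benign visit plus three probes of decoy pages.
HONEYPOT_LOG = """\
203.0.113.5 - - [10/Jan/2011:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2011:10:02:10 +0000] "GET /admin/index.php?lang=en HTTP/1.1" 200 900 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Jan/2011:10:02:11 +0000] "GET /webmail/src/login.php?target=..%2F..%2Fetc HTTP/1.1" 200 300 "-" "Mozilla/4.0"
192.0.2.9 - - [10/Jan/2011:10:03:00 +0000] "GET /admin/scripts/setup.php HTTP/1.1" 200 120 "-" "libwww-perl/5.8"
"""

# Constructed log of an ordinary web server that has no decoy pages at all.
REGULAR_LOG = """\
203.0.113.20 - - [11/Jan/2011:08:00:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.44 - - [11/Jan/2011:08:00:05 +0000] "GET /admin/scripts/setup.php HTTP/1.1" 404 210 "-" "libwww-perl/5.8"
203.0.113.21 - - [11/Jan/2011:08:00:09 +0000] "GET /blog/?p=42 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Yield one dict per well-formed combined-format line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def signature(url):
    """Assumed signature rule: the request path plus the sorted set of query keys."""
    parts = urlsplit(url)
    keys = tuple(sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True)))
    return (parts.path, keys)


def honeypot_stats(text):
    """(visits, distinct IPs): the two headline numbers the abstract reports."""
    recs = list(parse_log(text))
    return len(recs), len({r["ip"] for r in recs})


def learn_signatures(text, decoy_prefixes=DECOY_PREFIXES):
    """Signatures of every honeypot request that hit a decoy page, with hit counts."""
    sigs = Counter()
    for r in parse_log(text):
        if urlsplit(r["url"]).path.startswith(decoy_prefixes):
            sigs[signature(r["url"])] += 1
    return sigs


def flag_requests(text, sigs):
    """(ip, url) pairs in a regular server's log whose signature was learned from the honeypot."""
    return [(r["ip"], r["url"]) for r in parse_log(text) if signature(r["url"]) in sigs]


if __name__ == "__main__":
    visits, ips = honeypot_stats(HONEYPOT_LOG)
    print(f"honeypot: {visits} visits from {ips} distinct IPs")
    learned = learn_signatures(HONEYPOT_LOG)
    for sig, n in learned.most_common():
        print(f"signature {sig} seen {n}x")
    for ip, url in flag_requests(REGULAR_LOG, learned):
        print(f"regular server: suspicious request {url} from {ip}")
```

The benign `/index.html` visit never yields a signature because it is outside the decoy prefixes, while the `/admin/scripts/setup.php` probe learned on the honeypot is matched on the regular server even though that server answered it with a 404; this is why a honeypot-derived signature set can surface scanner traffic in logs of servers that were never compromised.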
Heat-seeking honeypots: design and experience