Abstract
Client honeypots visit and interact with suspect web sites in order to detect and collect information about malware. A malicious website may cause a number of activities to be performed on a victim's system, and each activity is performed in a different stage. We use a state machine to map the activities performed by a malicious web page onto pre-defined states, so that interactions with different malicious web pages can be summarised with the same state machine structure. The resulting states are then passed to a clustering algorithm that groups similar malicious web page exploits, in order to understand how software can be developed to respond to such attacks. The outputs of the clustering algorithm are categorised to build up groups of similar states that represent the malicious activities performed on the victim's system. The benefit of this process is that malicious web pages with similar behaviours are grouped into families (behaviour families), which supports the development of common approaches for dealing with such exploits.
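The pipeline the abstract describes (honeypot observations mapped onto pre-defined states, state sequences clustered, clusters categorised into behaviour families) can be illustrated end to end. The following is an added example and is not code from the paper: the state names, the event-to-state mapping, the constructed honeypot event log, the use of Jaccard distance over state transitions as the similarity measure, the single-linkage bottom-up clustering and the distance threshold are all assumptions made for the illustration, since the page does not specify the authors' own feature representation or clustering algorithm.

```python
"""Map client-honeypot observations onto a fixed activity state machine and
group the resulting state sequences into behaviour families.

Added illustration, not the paper's code. States, event types, the sample
log and the clustering parameters below are constructed assumptions.
"""
from collections import OrderedDict

# Pre-defined states of the (hypothetical) activity state machine, in the
# order used for labelling families.
STATES = ("INIT", "DOWNLOAD", "FILE_WRITE", "REGISTRY", "PROCESS", "NETWORK", "END")

# Hypothetical mapping from honeypot event types to states.
EVENT_TO_STATE = {
    "download": "DOWNLOAD",
    "file": "FILE_WRITE",
    "registry": "REGISTRY",
    "process": "PROCESS",
    "network": "NETWORK",
}

# Constructed sample honeypot log: (visited_url, event_type, detail).
# Addresses and paths are documentation/placeholder values, not real IoCs.
SAMPLE_EVENTS = [
    ("http://site-a.example", "file", "C:\\tmp\\a.exe"),
    ("http://site-a.example", "process", "a.exe"),
    ("http://site-a.example", "network", "203.0.113.5:80"),
    ("http://site-b.example", "file", "C:\\tmp\\b.exe"),
    ("http://site-b.example", "process", "b.exe"),
    ("http://site-b.example", "network", "203.0.113.9:443"),
    ("http://site-c.example", "registry", "HKCU\\...\\Run"),
    ("http://site-c.example", "file", "C:\\tmp\\c.dll"),
    ("http://site-d.example", "registry", "HKLM\\...\\Run"),
    ("http://site-d.example", "file", "C:\\tmp\\d.dll"),
    ("http://site-e.example", "network", "198.51.100.2:8080"),
]


def build_state_sequences(events):
    """Group events by visited URL and translate each visit into the state
    sequence INIT -> ... -> END. Unknown event types are ignored."""
    seqs = OrderedDict()
    for url, etype, _detail in events:
        seq = seqs.setdefault(url, ["INIT"])
        state = EVENT_TO_STATE.get(etype)
        if state is not None:
            seq.append(state)
    for seq in seqs.values():
        seq.append("END")
    return seqs


def transitions(seq):
    """Feature representation: the set of state transitions in a sequence."""
    return {(a, b) for a, b in zip(seq, seq[1:])}


def jaccard_distance(s1, s2):
    """1 - |A & B| / |A | B|; 0.0 when both sets are empty."""
    if not s1 and not s2:
        return 0.0
    return 1.0 - len(s1 & s2) / len(s1 | s2)


def agglomerative(items, dist, threshold):
    """Bottom-up single-linkage clustering: repeatedly merge the two closest
    clusters until the closest remaining pair is at least `threshold` apart.
    Returns a list of clusters, each a list of item indices."""
    clusters = [[i] for i in range(len(items))]
    while len(clusters) > 1:
        best = None
        for x in range(len(clusters)):
            for y in range(x + 1, len(clusters)):
                d = min(dist(items[i], items[j])
                        for i in clusters[x] for j in clusters[y])
                if best is None or d < best[0]:
                    best = (d, x, y)
        if best[0] >= threshold:
            break
        _d, x, y = best
        clusters[x].extend(clusters.pop(y))  # y > x, so x is unaffected
    return clusters


def behaviour_families(events, threshold=0.5):
    """Full pipeline: events -> state sequences -> clusters -> labelled
    families. A family is labelled by the non-terminal states its members
    pass through; returns {label: sorted list of member URLs}."""
    seqs = build_state_sequences(events)
    urls = list(seqs)
    feats = [transitions(seqs[u]) for u in urls]
    families = {}
    for cluster in agglomerative(feats, jaccard_distance, threshold):
        members = sorted(urls[i] for i in cluster)
        states = {s for i in cluster for s in seqs[urls[i]]} - {"INIT", "END"}
        label = "+".join(sorted(states, key=STATES.index))
        families.setdefault(label, []).extend(members)
    return families


if __name__ == "__main__":
    for label, members in behaviour_families(SAMPLE_EVENTS).items():
        print(f"{label}: {members}")
```

With the constructed log, sites a and b share the same transitions (file write, process start, network connection) and form one family, sites c and d (registry modification followed by a file write) form another, and site e, whose only observed activity is a network connection, ends up alone. Lowering the threshold splits families apart; raising it merges sequences that only partially overlap, which is the trade-off an analyst tunes when deciding how coarse a "behaviour family" should be.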
© 2010 Springer-Verlag Berlin Heidelberg
Alosefer, Y., Rana, O. (2010). Clustering Client Honeypot Data to Support Malware Analysis. In: Setchi, R., Jordanov, I., Howlett, R.J., Jain, L.C. (eds) Knowledge-Based and Intelligent Information and Engineering Systems. KES 2010. Lecture Notes in Computer Science(), vol 6279. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15384-6_59
DOI: https://doi.org/10.1007/978-3-642-15384-6_59
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15383-9
Online ISBN: 978-3-642-15384-6
eBook Packages: Computer Science (R0)