research-article

An efficient visitation algorithm to improve the detection speed of high-interaction client honeypots

Authors:

Minkyu ParkAuthors Info & Claims

RACS '11: Proceedings of the 2011 ACM Symposium on Research in Applied Computation

Pages 266 - 271

https://doi.org/10.1145/2103380.2103435

Published: 02 November 2011 Publication History

Get Access

Abstract

Drive-by-download attacks are client-side attacks that originate from web servers that are visited by web browsers. While many web browsers are vulnerable to the drive-by-download attacks, the cost of detecting malicious web pages that launch drive-by-download attacks is expensive. High-interaction client honeypots are security devices capable of detecting malicious web pages; however, their slow and expensive operations in web page visiting have been considered as a problem. The high-interaction client honeypots employ a visitation algorithm to pinpoint which page has made an unauthorized change of system state when any unauthorized change of the system state occurred after visiting suspicious web pages. To improve the performance of the high-interaction client honeypots, we propose a new visitation algorithm, logarithmic divide-and-conquer (LDAC), for identifying malicious web pages. The LDAC algorithm is an enhanced version of the existing binary divide-and-conquer (BDAC) algorithm. If any system state is abnormally changed after having visited k suspicious web pages concurrently, our LDAC algorithm divides the buffer of k pages into [log₂k] pieces and recursively visits the pieces until the malicious page or pages are identified, while the BDAC splits the buffer into k/2 portions. Experimental results show that the LDAC has improved performance of the system up to 15 percent compared to the BDAC algorithm.

References

[1]

M. Egele, P. Wurzinger, C. Kruegel and E. Kirda, "Defending browsers against drive-by downloads: Mitigating heap spraying code injection attacks", 2009. Available from http://www.iseclab.org/papers/driveby.pdf; accessed on 15 May 2010.

Google Scholar

[2]

B. Endicott-popovsky, J. Narvaez, C. Seifert, D. A. Frincke, L. R. O'Neil, and C. Aval, "Use of deception to improve client honeypot detection of drive-by-download attacks", Proc. of the 5th International Conference on Foundations of Augmented Cognition (FAC), 2009.

Digital Library

Google Scholar

[3]

N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and N. Modadugu. "The Ghost in the Browser: Analysis of Web-based Malware", USENIX Workshop (Hot Topics in Understanding Botnet), 2007.

Digital Library

Google Scholar

[4]

J. Zhuge, T. Holz, C. Song, J. Guo, X. Han, and W. Zou, "Studying malicious websites and the underground economy on the Chinese web," University of Mannheim, Tech. Rep., 2007.

Google Scholar

[5]

M. Cova, C. Kruegel, G. Vigna, "Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code", IW3C2, Apr. 2010.

Digital Library

Google Scholar

[6]

J. Narvaez, B. Endicott-Popovsky, C. Seifert, C. U. Aval, and D. A. Frincke "Drive-by-Downloads", Proc. of Hawaii International Conf. on System Sciences (HICSS), pp. 1--10, Jan. 2010

Digital Library

Google Scholar

[7]

C. Seifert, "Cost-effective Detection of Drive-by-Download Attacks with Hybrid Client Honeypots," Ph. D. Thesis, Computer Science Dept., Victoria University of Wellington, 2010.

Google Scholar

[8]

C. Seifert, I. Welch and P. Komisarczuk, "Application of divide-and-conquer algorithm paradigm to improve the detection speed of high interaction client honeypots", ACM SAC, Mar. 2008.

Digital Library

Google Scholar

[9]

C. Seifert, P. Komisarczuk, and I. Welch, "True Positive Cost Curve: A Cost-Based Evaluation Method for High-Interaction Client Honeypots", SECUREWARE, 2009.

Digital Library

Google Scholar

[10]

Y.-M. Wang, D. Beck, X. Jiang, R. Roussev, C. Verbowski, S. Chen, and S. King, "Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities," NDSS, 2006.

Google Scholar

[11]

C. Seifert, "Know Your Enemy: Malicious Web Servers," The Honeynet Project, KYE paper, Aug. 2007. http://www.honeynet.org

Google Scholar

[12]

The Honeynet Project (Capture-HPC), https://projects.honeynet.org/capture-hpc/

Google Scholar

[13]

Client Honeypot, Wikipedia, http://en.wikipedia.org/wiki/Client_honeypot

Google Scholar

Cited By

View all

Verma ASaha RKumar GConti MKim T(2024)PREVIR: Fortifying Vehicular Networks Against Denial of Service AttacksIEEE Access10.1109/ACCESS.2024.338299212(48301-48320)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3382992
Verma ASaha RKumar NKumar GTai-Hoon-Kim (2022)A detailed survey of denial of service for IoT and multimedia systems: Past, present and futuristic developmentMultimedia Tools and Applications10.1007/s11042-021-11859-z81:14(19879-19944)Online publication date: 1-Jun-2022
https://dl.acm.org/doi/10.1007/s11042-021-11859-z
Hamed TErnst JKremer S(2017)A Survey and Taxonomy on Data and Pre-processing Techniques of Intrusion Detection SystemsComputer and Network Security Essentials10.1007/978-3-319-58424-9_7(113-134)Online publication date: 13-Aug-2017
https://doi.org/10.1007/978-3-319-58424-9_7
Show More Cited By

Index Terms

An efficient visitation algorithm to improve the detection speed of high-interaction client honeypots
1. Security and privacy
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

Collecting Autonomous Spreading Malware Using High-Interaction Honeypots
Information and Communications Security
Abstract
Autonomous spreading malware in the form of worms or bots has become a severe threat in today’s Internet. Collecting the sample as early as possible is a necessary precondition for the further treatment of the spreading malware, e.g., to develop ...
Collecting autonomous spreading malware using high-interaction honeypots
ICICS'07: Proceedings of the 9th international conference on Information and communications security

Autonomous spreading malware in the form of worms or bots has become a severe threat in today's Internet. Collecting the sample as early as possible is a necessary precondition for the further treatment of the spreading malware, e.g., to develop ...
Detection of malicious web pages based on hybrid analysis

Malicious web pages have become an increasingly serious threat to web security in recent years. In this paper, we propose a new detection method that consists of static and dynamic analyses for detecting malicious web pages. Static analysis utilizes ...

Comments

Information & Contributors

Information

Published In

RACS '11: Proceedings of the 2011 ACM Symposium on Research in Applied Computation

November 2011

355 pages

ISBN:9781450310871

DOI:10.1145/2103380

General Chairs:
Rex E. Gantenbein
University of Wyoming
,
Tei-Wei Kuo
National Taiwan University, Taiwan

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 02 November 2011

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

RACS '11

Sponsor:

SIGAPP
ACCT
CUSST
KIISE

RACS '11: Research in Applied Computation Symposium

November 2 - 5, 2011

Florida, Miami

Acceptance Rates

Overall Acceptance Rate 393 of 1,581 submissions, 25%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

5
Total Citations
View Citations
166
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 03 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Verma ASaha RKumar GConti MKim T(2024)PREVIR: Fortifying Vehicular Networks Against Denial of Service AttacksIEEE Access10.1109/ACCESS.2024.338299212(48301-48320)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3382992
Verma ASaha RKumar NKumar GTai-Hoon-Kim (2022)A detailed survey of denial of service for IoT and multimedia systems: Past, present and futuristic developmentMultimedia Tools and Applications10.1007/s11042-021-11859-z81:14(19879-19944)Online publication date: 1-Jun-2022
https://dl.acm.org/doi/10.1007/s11042-021-11859-z
Hamed TErnst JKremer S(2017)A Survey and Taxonomy on Data and Pre-processing Techniques of Intrusion Detection SystemsComputer and Network Security Essentials10.1007/978-3-319-58424-9_7(113-134)Online publication date: 13-Aug-2017
https://doi.org/10.1007/978-3-319-58424-9_7
Puttaroo MKomisarczuk Pde Amorim RPoet RMuttukrishnan R(2014)Challenges in developing Capture-HPC exclusion listsProceedings of the 7th International Conference on Security of Information and Networks10.1145/2659651.2659717(334-338)Online publication date: 9-Sep-2014
https://dl.acm.org/doi/10.1145/2659651.2659717
Feng GZhang CZhang Q(2014)A Design of Linkage Security Defense System Based on HoneypotTrustworthy Computing and Services10.1007/978-3-662-43908-1_9(70-77)Online publication date: 27-Jun-2014
https://doi.org/10.1007/978-3-662-43908-1_9

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Abstract

References

Cited By

Index Terms

Recommendations

Collecting Autonomous Spreading Malware Using High-Interaction Honeypots

Collecting autonomous spreading malware using high-interaction honeypots

Detection of malicious web pages based on hybrid analysis

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Login options

Full Access

View options

PDF

eReader

Share

Share this Publication link

Share on social media

Affiliations