Use of Deception to Improve Client Honeypot Detection of Drive-by-Download Attacks

  • Barbara Endicott-Popovsky
  • Julia Narvaez
  • Christian Seifert
  • Deborah A. Frincke
  • Lori Ross O’Neil
  • Chiraag Aval
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5638)


This paper presents the application of deception theory to improve the success of client honeypots at detecting malicious web page attacks from infected servers that online criminals have programmed to launch drive-by-download attacks. The design of honeypots faces three main challenges: deception, how to design honeypots that appear to be real systems; counter-deception, the techniques attackers use to identify honeypots and thereby defeat their deceptive nature; and counter-counter-deception, how to design honeypots that nonetheless deceive attackers. The authors propose applying a deception model known as the deception planning loop to identify the current status of honeypot research, development and deployment. The analysis leads to a proposal to map the landscape of honeypot research and to plan the steps ahead.


Keywords: deception, counter-deception, honeypots, drive-by-downloads, cyber-attacks





Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Barbara Endicott-Popovsky (1)
  • Julia Narvaez (1)
  • Christian Seifert (2)
  • Deborah A. Frincke (3)
  • Lori Ross O’Neil (3)
  • Chiraag Aval (1)
  1. University of Washington, Washington, USA
  2. Victoria University of Wellington, School of Engineering and Computer Science, Wellington, New Zealand
  3. Pacific Northwest National Laboratory, Richland, USA
