Use of Deception to Improve Client Honeypot Detection of Drive-by-Download Attacks

  • Barbara Endicott-Popovsky
  • Julia Narvaez
  • Christian Seifert
  • Deborah A. Frincke
  • Lori Ross O’Neil
  • Chiraag Aval
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5638)

Abstract

This paper presents the application of deception theory to improve the success of client honeypots at detecting malicious web page attacks from infected servers that online criminals have programmed to launch drive-by-download attacks. The design of honeypots faces three main challenges: deception, how to design honeypots that appear to be real systems; counter-deception, the techniques attackers use to identify honeypots and thereby defeat their deceptive nature; and counter-counter-deception, how to design honeypots that deceive attackers despite those techniques. The authors propose applying a deception model known as the deception planning loop to identify the current status of honeypot research, development and deployment. The analysis leads to a proposal to formulate a landscape of honeypot research and to plan the steps ahead.

Keywords

deception, counter-deception, honeypots, drive-by-downloads, cyber-attacks


Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Barbara Endicott-Popovsky (1)
  • Julia Narvaez (1)
  • Christian Seifert (2)
  • Deborah A. Frincke (3)
  • Lori Ross O’Neil (3)
  • Chiraag Aval (1)

  1. University of Washington, Washington, USA
  2. School of Engineering and Computer Science, Victoria University of Wellington, Wellington, New Zealand
  3. Pacific Northwest National Laboratory, Richland, USA