Design and Implementation of High Interaction Client Honeypot for Drive-by-Download Attacks

Mitsuaki AKIYAMA  Makoto IWAMURA  Yuhei KAWAKOYA  Kazufumi AOKI  Mitsutaka ITOH  

IEICE TRANSACTIONS on Communications   Vol.E93-B   No.5   pp.1131-1139
Publication Date: 2010/05/01
Online ISSN: 1745-1345
DOI: 10.1587/transcom.E93.B.1131
Print ISSN: 0916-8516
Type of Manuscript: Special Section PAPER (Special Section on Technology and Architecture for Sustainable Growth of the Internet)
malware,  client honeypot,  intrusion detection,  

Full Text: PDF(2.3MB)>>
Buy this Article

Nowadays, the number of web-browser targeted attacks that lead users to adversaries' web sites and exploit web browser vulnerabilities is increasing, and a clarification of their methods and countermeasures is urgently needed. In this paper, we introduce the design and implementation of a new client honeypot for drive-by-download attacks that has the capacity to detect and investigate a variety of malicious web sites. On the basis of the problems of existing client honeypots, we enumerate the requirements of a client honeypot: 1) detection accuracy and variety, 2) collection variety, 3) performance efficiency, and 4) safety and stability. We improve our system with regard to these requirements. The key features of our developed system are stepwise detection focusing on exploit phases, multiple crawler processing, tracking of malware distribution networks, and malware infection prevention. Our evaluation of our developed system in a laboratory experiment and field experiment indicated that its detection variety and crawling performance are higher than those of existing client honeypots. In addition, our system is able to collect information for countermeasures and is secure and stable for continuous operation. We conclude that our system can investigate malicious web sites comprehensively and support countermeasures.