Client Honeypot Multiplication with High Performance and Precise Detection

Mitsuaki AKIYAMA  Takeshi YAGI  Youki KADOBAYASHI  Takeo HARIU  Suguru YAMAGUCHI  

IEICE TRANSACTIONS on Information and Systems   Vol.E98-D   No.4   pp.775-787
Publication Date: 2015/04/01
Online ISSN: 1745-1361
DOI: 10.1587/transinf.2014ICP0002
Type of Manuscript: Special Section PAPER (Special Section on Information and Communication System Security―Against Cyberattacks―)
Category: Attack Monitoring & Detection
client honeypot,  drive-by download,  web-based malware,  process sandbox,  intrusion detection,  

Full Text: PDF(892.7KB)>>
Buy this Article

We investigated client honeypots for detecting and circumstantially analyzing drive-by download attacks. A client honeypot requires both improved inspection performance and in-depth analysis for inspecting and discovering malicious websites. However, OS overhead in recent client honeypot operation cannot be ignored when improving honeypot multiplication performance. We propose a client honeypot system that is a combination of multi-OS and multi-process honeypot approaches, and we implemented this system to evaluate its performance. The process sandbox mechanism, a security measure for our multi-process approach, provides a virtually isolated environment for each web browser. It prevents system alteration from a compromised browser process by I/O redirection of file/registry access. To solve the inconsistency problem of file/registry view by I/O redirection, our process sandbox mechanism enables the web browser and corresponding plug-ins to share a virtual system view. Therefore, it enables multiple processes to be run simultaneously without interference behavior of processes on a single OS. In a field trial, we confirmed that the use of our multi-process approach was three or more times faster than that of a single process, and our multi-OS approach linearly improved system performance according to the number of honeypot instances. In addition, our long-term investigation indicated that 72.3% of exploitations target browser-helper processes. If a honeypot restricts all process creation events, it cannot identify an exploitation targeting a browser-helper process. In contrast, our process sandbox mechanism permits the creation of browser-helper processes, so it can identify these types of exploitations without resulting in false negatives. Thus, our proposed system with these multiplication approaches improves performance efficiency and enables in-depth analysis on high interaction systems.