Design and Implementation of High Interaction Client Honeypot for Drive-by-Download Attacks

Akiyama, Mitoshi; Iwamura, Masatsugu; Kawakoya, Yuhei; Aoki, Kazufumi; Itoh, Masatoshi

doi:10.1587/transcom.e93.b.1131

Cited by 49 publications

(27 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The input of the proposed system is a URL blacklist constructed and maintained by a client honeypot Marionette [13] and the sandbox BotnetWatcher [14] , which can analyze online malware while preventing infection to other hosts. Our data-gathering period was from August 02, 2011 to October 01, 2014.…”

Section: Pre-processingmentioning

confidence: 99%

“…We use three tools to verify the URLs extracted by URL filtration: the Marionette web client honeypot [13] , antivirus software, and VirusTotal [23]. The Marionette client can trace the redirection generated by drive-by-download attacks and identify the malware distribution URL.…”

Section: Url Verificationmentioning

confidence: 99%

“…Marionette [13] is a high-interaction honeypot that analyzes suspicious URLs dynamically in a virtual machine's browser. Generally, only one version of a browser or plug-in is applied to the high-interaction honeypot to assure efficient analysis.…”

Section: Url Verificationmentioning

confidence: 99%

See 2 more Smart Citations

Automating URL Blacklist Generation with Similarity Search Approach

Sun

Akiyama

Yagi

et al. 2016

IEICE Trans. Inf. & Syst.

Self Cite

View full text Add to dashboard Cite

SUMMARYModern web users may encounter a browser security threat called drive-by-download attacks when surfing on the Internet. Drive-by-download attacks make use of exploit codes to take control of user's web browser. Many web users do not take such underlying threats into account while clicking URLs. URL Blacklist is one of the practical approaches to thwarting browser-targeted attacks. However, URL Blacklist cannot cope with previously unseen malicious URLs. Therefore, to make a URL blacklist effective, it is crucial to keep the URLs updated. Given these observations, we propose a framework called automatic blacklist generator (AutoBLG) that automates the collection of new malicious URLs by starting from a given existing URL blacklist. The primary mechanism of AutoBLG is expanding the search space of web pages while reducing the amount of URLs to be analyzed by applying several pre-filters such as similarity search to accelerate the process of generating blacklists. AutoBLG consists of three primary components: URL expansion, URL filtration, and URL verification. Through extensive analysis using a high-performance web client honeypot, we demonstrate that AutoBLG can successfully discover new and previously unknown drive-by-download URLs from the vast web space. key words: drive-by-download, URL blacklist, search space, machine learning, web client honeypot

show abstract

Section: Pre-processingmentioning

confidence: 99%

Section: Url Verificationmentioning

confidence: 99%

See 1 more Smart Citation

Automating URL Blacklist Generation with Similarity Search Approach

Sun

Akiyama

Yagi

et al. 2016

IEICE Trans. Inf. & Syst.

Self Cite

View full text Add to dashboard Cite

show abstract

“…Steps 1 and 2 involve generating templates from outbound traffic captured in our sandbox system [11] running malware samples (malware traffic). Our malware samples were obtained from our high-interaction honeyclient [12], [13]. Steps 3 and 4 involve matching traffic with templates based on two criteria: the similarity to the templates and the rarity of each element in the templates.…”

Section: System Overviewmentioning

confidence: 99%

“…The sandbox supports executable files only in Microsoft Windows environments. These malware samples were collected using the honeyclient [12], [13] crawling public blacklists such as MDL [15] and hpHosts [16] and some commercial blacklists from August 2011 to August 2013. Table 2 lists the number of malware samples in each dataset, number and ratio of samples detected by antivirus software, number of unique malware family names, and number of HTTP requests.…”

Section: Datasetsmentioning

confidence: 99%

BotProfiler: Detecting Malware-Infected Hosts by Profiling Variability of Malicious Infrastructure

Chiba

Yagi

Akiyama

et al. 2016

IEICE Trans. Commun.

Self Cite

View full text Add to dashboard Cite

SUMMARY Ever-evolving malware makes it difficult to prevent it from infecting hosts. Botnets in particular are one of the most serious threats to cyber security, since they consist of a lot of malware-infected hosts. Many countermeasures against malware infection, such as generating networkbased signatures or templates, have been investigated. Such templates are designed to introduce regular expressions to detect polymorphic attacks conducted by attackers. A potential problem with such templates, however, is that they sometimes falsely regard benign communications as malicious, resulting in false positives, due to an inherent aspect of regular expressions. Since the cost of responding to malware infection is quite high, the number of false positives should be kept to a minimum. Therefore, we propose a system to generate templates that cause fewer false positives than a conventional system in order to achieve more accurate detection of malware-infected hosts. We focused on the key idea that malicious infrastructures, such as malware samples or command and control, tend to be reused instead of created from scratch. Our research verifies this idea and proposes here a new system to profile the variability of substrings in HTTP requests, which makes it possible to identify invariable keywords based on the same malicious infrastructures and to generate more accurate templates. The results of implementing our system and validating it using real traffic data indicate that it reduced false positives by up to two-thirds compared to the conventional system and even increased the detection rate of infected hosts.

show abstract