Conferences in Research and Practice in Information Technology
  

Online Version - Last Updated - 20 Jan 2012

 

 

YALIH, Yet Another Low Interaction Honeyclient

Mansoori, M., Welch, I. and Fu, Q.

    Low-interaction honeyclients employ static detection techniques such as signatures, heuristics or anomaly detection to identify malicious websites. They are associated with low detection rates and a failure to identify zero-day and obfuscated attacks. This paper presents a low-interaction client honeypot that employs multiple signature detection engines in combination with de-obfuscation and de-minification of JavaScript code to improve the detection of attack signatures. Pattern matching with regular expressions, used to identify static characteristics of malicious code, provides an additional layer of detection. YALIH can achieve low false positive and false negative rates while significantly reducing scanning time and required hardware resources compared to a high-interaction client honeypot. YALIH's virtual browser can handle cookies and redirection, mimic popular browser headers and imitate referrer information. Our experiments with real-world malicious websites demonstrate that, similar to Web Spam, malicious websites utilize referrer tracking and cloaking techniques to deliver malicious content to selected users visiting the target domain from specific referrer websites.
Cite as: Mansoori, M., Welch, I. and Fu, Q. (2014). YALIH, Yet Another Low Interaction Honeyclient. In Proc. Twelfth Australasian Information Security Conference (AISC 2014) Auckland, New Zealand. CRPIT, 149. Parampalli, U. and Welch, I. Eds., ACS. 7-15