YALIH, Yet Another Low Interaction Honeyclient
Mansoori, M., Welch, I. and Fu, Q.
Low-interaction honeyclients employ static detection techniques such as signatures, heuristic or anomaly detection in the identification of malicious websites. They are associated with a low detection rate and failure to identify zero-day and obfuscated attacks. This paper presents a low-interaction client honeypot that employs multiple signature detection engines in combination with de-obfuscation and de-minification of JavaScript code to improve the detection of attack signatures. Pattern matching with regular expressions, used to identify the static characteristics of malicious code, provides an additional layer of detection. YALIH can achieve low false positive and false negative rates while significantly reducing scanning time and required hardware resources compared to a high-interaction client honeypot. YALIH's virtual browser can handle cookies and redirection, mimic popular browser headers, and imitate referrer information. Our experiments with real-world malicious websites demonstrate that, similar to Web Spam, malicious websites utilize referrer tracking and cloaking techniques to deliver malicious content to selected users visiting the target domain from specific referrer websites.
Cite as: Mansoori, M., Welch, I. and Fu, Q. (2014). YALIH, Yet Another Low Interaction Honeyclient. In Proc. Twelfth Australasian Information Security Conference (AISC 2014), Auckland, New Zealand. CRPIT, 149. Parampalli, U. and Welch, I. Eds., ACS. 7-15.