YALIH, Yet Another Low Interaction Honeyclient

Abstract

Low-interaction honeyclients rely on static detection techniques such as signatures, heuristics or anomaly detection to identify malicious websites. They are associated with low detection rates and fail to identify zero-day and obfuscated attacks. This paper presents a low-interaction client honeypot that combines multiple signature detection engines with de-obfuscation and de-minification of JavaScript code to improve the detection of attack signatures. Pattern matching with regular expressions, which identifies the static characteristics of malicious code, provides an additional layer of detection. YALIH achieves low false positive and false negative rates while significantly reducing scanning time and the hardware resources required compared to a high-interaction client honeypot. YALIH's virtual browser handles cookies and redirection, mimics popular browser headers and imitates referrer information. Our experiments with real-world malicious websites demonstrate that, like Web Spam, malicious websites use referrer tracking and cloaking techniques to deliver malicious content only to selected users who visit the target domain from specific referrer websites.
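The following is an added example, not code from the YALIH project or the paper, illustrating the two abstract points that matter most to a practitioner: referrer-based cloaking (the same URL serves different content depending on the Referer/User-Agent headers) and the need to de-obfuscate JavaScript before signature matching. The cloaking server, the header profiles, the unescape()-encoded hidden-iframe payload and the regex signatures are all constructed for this example so it runs offline; a real crawler would replace the server function with HTTP fetches that also carry cookies and follow redirects.

```python
"""Added example (not YALIH's own code): probe a page under several browser/referrer
profiles, de-obfuscate simple unescape()-encoded JavaScript, and run regex signatures
over both the raw and the decoded body. Everything below is constructed for the example."""
import hashlib
import re
from typing import Callable, Dict
from urllib.parse import unquote

# Constructed header profiles imitating popular browsers and referrers (assumed values).
PROFILES: Dict[str, Dict[str, str]] = {
    "direct-chrome": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36",
    },
    "google-chrome": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36",
        "Referer": "https://www.google.com/search?q=example",
    },
    "bing-ie": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
        "Referer": "https://www.bing.com/search?q=example",
    },
}

BENIGN_PAGE = "<html><body><h1>Welcome</h1></body></html>"
# Constructed obfuscated payload: a zero-size iframe written via document.write(unescape(...)).
# The raw body never contains the literal string "<iframe", so a naive signature misses it.
PAYLOAD_JS = (
    'document.write(unescape("%3Ciframe%20src%3D%22http%3A//example.invalid/x%22'
    '%20width%3D0%20height%3D0%3E%3C/iframe%3E"))'
)
CLOAKED_PAGE = BENIGN_PAGE.replace("</body>", f"<script>{PAYLOAD_JS}</script></body>")


def cloaking_server(headers: Dict[str, str]) -> str:
    """Constructed cloaking server: the injected page is served only to visitors whose
    Referer is a search engine; everyone else (and every scanner without a referrer) is clean."""
    referer = headers.get("Referer", "")
    if re.match(r"https?://(www\.)?(google|bing)\.", referer):
        return CLOAKED_PAGE
    return BENIGN_PAGE


def deobfuscate(js: str) -> str:
    """Resolve unescape("%xx...") calls to their decoded string so content signatures apply.
    Only this one encoding is handled here; real de-obfuscation covers many more."""
    return re.sub(r'unescape\("([^"]*)"\)', lambda m: '"' + unquote(m.group(1)) + '"', js)


# Constructed regex signatures: one for the obfuscation idiom, one for the decoded artefact.
SIGNATURES = {
    "document-write-unescape": re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    "hidden-iframe": re.compile(r'<iframe[^>]*(width|height)\s*=\s*"?0', re.I),
    "eval-call": re.compile(r"\beval\s*\(", re.I),
}


def scan(body: str) -> list:
    """Run every signature over the raw body and over its de-obfuscated form."""
    decoded = deobfuscate(body)
    return sorted(name for name, rx in SIGNATURES.items()
                  if rx.search(body) or rx.search(decoded))


def probe(fetch: Callable[[Dict[str, str]], str], profiles: Dict[str, Dict[str, str]]) -> dict:
    """Fetch the same page under each profile; differing content hashes indicate cloaking."""
    per_profile = {}
    for name, headers in profiles.items():
        body = fetch(headers)
        per_profile[name] = {
            "sha256": hashlib.sha256(body.encode()).hexdigest()[:12],
            "hits": scan(body),
        }
    distinct = {r["sha256"] for r in per_profile.values()}
    return {"cloaked": len(distinct) > 1, "per_profile": per_profile}


if __name__ == "__main__":
    for profile, result in probe(cloaking_server, PROFILES)["per_profile"].items():
        print(f"{profile:14s} {result['sha256']}  hits={result['hits']}")
```

The scan with no Referer header returns a clean page, which is exactly how a naive scanner is cloaked; only the search-engine profiles receive the payload, and only after de-obfuscation does the hidden-iframe signature fire. Comparing content hashes across profiles flags the cloaking even before any signature matches.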


Cite this paper

@inproceedings{Mansoori2014YALIHYA,
  title     = {YALIH, Yet Another Low Interaction Honeyclient},
  author    = {Masood Mansoori and Ian Welch and Qiang Fu},
  booktitle = {AISC},
  year      = {2014}
}