An efficient visitation algorithm to improve the detection speed of high-interaction client honeypots

  • Authors: Hong-Geun Kim; Dong-Jin Kim; Seong-Je Cho; Moonju Park; Minkyu Park

  • Affiliations: KISA, Seoul, Korea; Dankook University, Gyeonggi, Korea; Dankook University, Gyeonggi, Korea; University of Incheon, Incheon, Korea; Konkuk University, Chungbuk, Korea

  • Venue: Proceedings of the 2011 ACM Symposium on Research in Applied Computation
  • Year: 2011


Abstract

Drive-by-download attacks are client-side attacks launched by web servers against the browsers that visit them. Many web browsers are vulnerable to drive-by-download attacks, yet detecting the malicious web pages that launch them is costly. High-interaction client honeypots are security devices capable of detecting malicious web pages, but the slow and expensive way in which they visit web pages has long been considered a problem. A high-interaction client honeypot uses a visitation algorithm to pinpoint which page caused an unauthorized change of system state once such a change is observed after visiting a set of suspicious web pages. To improve the performance of high-interaction client honeypots, we propose a new visitation algorithm, logarithmic divide-and-conquer (LDAC), for identifying malicious web pages. LDAC is an enhanced version of the existing binary divide-and-conquer (BDAC) algorithm. If the system state is abnormally changed after k suspicious web pages have been visited concurrently, LDAC divides the buffer of k pages into [log2 k] pieces and recursively visits the pieces until the malicious page or pages are identified, whereas BDAC splits the buffer into two halves of k/2 pages each. Experimental results show that LDAC improves system performance by up to 15 percent compared to BDAC.
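The following simulation is an added example and not code from the paper. It models the honeypot as an oracle over batches (a batch visit loads its pages concurrently and is flagged if it contains at least one malicious page) and counts batch visits, i.e. VM restores, as the cost unit; the bracket in "[log2 k]" is read as floor with a minimum fan-out of 2, and the page URLs and which of them are malicious are constructed inputs. All of these are assumptions, so the visit counts illustrate the mechanics of BDAC versus LDAC rather than reproduce the paper's 15 percent figure.

```python
import math
from typing import Callable, List, Set, Tuple

# Constructed sample buffer: 32 suspicious URLs queued for one honeypot run.
PAGES = [f"http://example.test/page{i}" for i in range(32)]


class Honeypot:
    """Oracle model of the high-interaction client honeypot (assumption).

    A batch visit loads all pages concurrently, then compares the system state
    against a clean snapshot. The hidden ground truth stands in for the real
    state-change detector; the algorithms below never read it directly.
    """

    def __init__(self, malicious: Set[str]) -> None:
        self._malicious = set(malicious)
        self.visits = 0  # each visit implies a VM restore, so it is the cost unit

    def visit(self, batch: List[str]) -> bool:
        """Return True if the batch triggered an unauthorized state change."""
        self.visits += 1
        return any(p in self._malicious for p in batch)


def split(batch: List[str], pieces: int) -> List[List[str]]:
    """Cut a batch into at most `pieces` contiguous, near-equal slices."""
    pieces = max(1, min(pieces, len(batch)))
    size = math.ceil(len(batch) / pieces)
    return [batch[i:i + size] for i in range(0, len(batch), size)]


def bdac_fanout(k: int) -> int:
    """Binary divide-and-conquer: always two halves of about k/2 pages."""
    return 2


def ldac_fanout(k: int) -> int:
    """Logarithmic divide-and-conquer: [log2 k] pieces.

    The bracket is read as floor (assumption), computed exactly via
    bit_length; a minimum of 2 keeps the recursion shrinking for k in {2, 3},
    where floor(log2 k) would be 1 and the batch would never get smaller.
    """
    return max(2, k.bit_length() - 1)


def identify(hp: Honeypot, batch: List[str],
             fanout: Callable[[int], int]) -> List[str]:
    """Recursive visitation: a flagged batch is split and its pieces revisited
    until the malicious pages are pinned down; a clean batch is cleared in
    one visit, which is where the divide-and-conquer saves work."""
    if not batch or not hp.visit(batch):
        return []
    if len(batch) == 1:
        return list(batch)
    found: List[str] = []
    for piece in split(batch, fanout(len(batch))):
        found.extend(identify(hp, piece, fanout))
    return found


def run(pages: List[str], malicious: Set[str],
        fanout: Callable[[int], int]) -> Tuple[List[str], int]:
    """Identify the malicious pages in `pages` and report the batch visits used."""
    hp = Honeypot(malicious)
    found = identify(hp, list(pages), fanout)
    return sorted(found), hp.visits


if __name__ == "__main__":
    for bad in ({PAGES[5]}, {PAGES[5], PAGES[30]}):
        for name, fanout in (("BDAC", bdac_fanout), ("LDAC", ldac_fanout)):
            found, visits = run(PAGES, bad, fanout)
            print(f"{name}: {len(bad)} malicious -> {visits} visits, "
                  f"identified {len(found)}")
```

With one malicious page in a buffer of 32, BDAC needs 2*log2(32)+1 = 11 visits and LDAC needs 12 under this unit-cost model; with two malicious pages spread across the buffer, LDAC's wider fan-out clears the clean regions in fewer visits (16 against 19). Whether the wider fan-out pays off therefore depends on how many pages in a buffer are malicious and on what a batch visit actually costs, which is what the paper's experiments measure.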