Short paper. DOI: 10.1145/3230833.3230839

Towards an Automatic Generation of Low-Interaction Web Application Honeypots

Published: 27 August 2018

Abstract

Low-interaction honeypots (LIHPs) are a well-established tool to monitor malicious activities by emulating the appearance and behavior of a real system. However, existing honeypots share a common problem: Anyone aware of their existence can easily fingerprint and subsequently avoid them.
In this paper, we present Chameleon, our work towards the automatic generation of LIHPs for web applications. Chameleon creates honeypot versions of existing systems by interacting automatically with the real application over the network and building response templates from the observed response traffic. By comparing similar responses, it identifies the variable parts, which the templates then imitate. At run time, the best-matching template is chosen to respond to an incoming network request. This approach allows large-scale deployment of honeypots in a highly scalable fashion: no manual effort is needed for honeypot generation, and a single instance of Chameleon can emulate a large number of heterogeneous systems simultaneously. Thus, an LIHP infrastructure for a company's full application landscape can be created, deployed and operated automatically and quickly, with little effort and minimal technical resource requirements.
We document our prototypical implementation for HTTP(S) and our practical experiments with the generated honeypots in the wild. The results are promising: the generated honeypots are indistinguishable to popular fingerprinting tools, and the received traffic shows no difference to traffic directed at real systems.
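
The template idea described in the abstract, as an added Python sketch that is not Chameleon's code: two recorded responses are diffed into static segments and variable slots, and an incoming request is answered from the closest recorded path. The sample traffic is constructed, `difflib` stands in for whatever diff the authors use, and the slot-filling rule and the 0.6 similarity threshold are assumptions made for illustration.

```python
import difflib
import random
from urllib.parse import urlsplit

# Constructed sample traffic (path -> two recorded response bodies).
OBSERVED = {
    "/login": [
        '<form><input name="csrf" value="a91f03"><p>Served 10:02:11</p></form>',
        '<form><input name="csrf" value="7c44be"><p>Served 10:02:15</p></form>',
    ],
    "/status": ['{"ok": true, "uptime": 5121}', '{"ok": true, "uptime": 5140}'],
}

def build_template(a, b):
    """Diff two similar responses into static segments and variable slots."""
    parts = []
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            parts.append(("static", a[i1:i2]))
        else:  # replace/insert/delete: the responses disagree here
            parts.append(("var", a[i1:i2] or b[j1:j2]))
    return parts

def render(template, rng):
    """Replay static text; fill each slot with a synthetic value of the same
    shape so recorded tokens from the real system are never served again."""
    out = []
    for kind, text in template:
        if kind == "var":
            # Assumed imitation rule: keep the character class of each position.
            text = "".join(rng.choice("0123456789") if c.isdigit()
                           else rng.choice("abcdef") if c.isalpha() else c
                           for c in text)
        out.append(text)
    return "".join(out)

def best_template(target, templates, threshold=0.6):
    """Return the template whose recorded path best matches the request."""
    path = urlsplit(target).path
    score, known = max((difflib.SequenceMatcher(None, path, k).ratio(), k)
                       for k in templates)
    return templates[known] if score >= threshold else None

TEMPLATES = {p: build_template(*bodies) for p, bodies in OBSERVED.items()}

if __name__ == "__main__":
    tpl = best_template("/login?next=%2Fadmin", TEMPLATES)
    print(render(tpl, random.Random()))
```

Static segments are replayed verbatim, so recorded responses should be reviewed for secrets or internal hostnames before a template is deployed.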



Published In

ARES '18: Proceedings of the 13th International Conference on Availability, Reliability and Security
August 2018
603 pages
ISBN: 9781450364485
DOI: 10.1145/3230833

In-Cooperation

  • Universität Hamburg: Universität Hamburg

Publisher

Association for Computing Machinery

New York, NY, United States


Qualifiers

  • Short-paper
  • Research
  • Refereed limited

Conference

ARES 2018

Acceptance Rates

ARES '18 Paper Acceptance Rate 128 of 260 submissions, 49%;
Overall Acceptance Rate 228 of 451 submissions, 51%

Cited By

  • (2024) Intelligent Insight into IoT Threats: Leveraging Advanced Analytics with Honeypots for Anomaly Detection. 2024 IEEE 9th International Conference for Convergence in Technology (I2CT), pp. 1-6. DOI: 10.1109/I2CT61223.2024.10543511. Online publication date: 5-Apr-2024
  • (2023) HoneyDecoy: A Comprehensive Web-Based Parasitic Honeypot System for Enhanced Cybersecurity. 2023 IEEE Smart World Congress (SWC), pp. 1-8. DOI: 10.1109/SWC57546.2023.10448731. Online publication date: 28-Aug-2023
  • (2023) Usefulness of Honeypots Towards Data Security: A Systematic Literature Review. 2023 International Workshop on Artificial Intelligence and Image Processing (IWAIIP), pp. 422-427. DOI: 10.1109/IWAIIP58158.2023.10462777. Online publication date: 1-Dec-2023
  • (2022) A deep learning assisted personalized deception system for countering web application attacks. Journal of Information Security and Applications, 67 (103169). DOI: 10.1016/j.jisa.2022.103169. Online publication date: Jun-2022
  • (2021) FirmPot: A Framework for Intelligent-Interaction Honeypots Using Firmware of IoT Devices. 2021 Ninth International Symposium on Computing and Networking Workshops (CANDARW), pp. 405-411. DOI: 10.1109/CANDARW53999.2021.00074. Online publication date: Nov-2021
  • (2019) Computational Mining of Social Media to Curb Terrorism. ACM Computing Surveys, 52:5 (1-25). DOI: 10.1145/3342101. Online publication date: 13-Sep-2019
