Cost-effective Detection of Drive-by-Download Attacks with Hybrid Client Honeypots


Abstract

With the increasing connectivity of and reliance on computers and networks, important aspects of computer systems are under a constant threat. In particular, drive-by-download attacks have emerged as a new threat to the integrity of computer systems. Drive-by-download attacks are client-side attacks that originate from web servers that are visited by web browsers. As a vulnerable web browser retrieves a malicious web page, the malicious web server can push malware to a user's machine that can be executed without their notice or consent.

The detection of malicious web pages that exist on the Internet is prohibitively expensive. It is estimated that approximately 150 million malicious web pages that launch drive-by-download attacks exist today. So-called high-interaction client honeypots are devices that are able to detect these malicious web pages, but they are slow and known to miss attacks. Detection of malicious web pages in these quantities with client honeypots would cost millions of US dollars.

Therefore, we have designed a more scalable system called a hybrid client honeypot. It consists of lightweight client honeypots, the so-called low-interaction client honeypots, and traditional high-interaction client honeypots. The lightweight low-interaction client honeypots inspect web pages at high speed and forward only likely malicious web pages to the high-interaction client honeypot for a final classification.

For the comparison of client honeypots and evaluation of the hybrid client honeypot system, we have chosen a cost-based evaluation method: the true positive cost curve (TPCC). It allows us to evaluate client honeypots against their primary purpose of identification of malicious web pages. We show that costs of identifying malicious web pages with the developed hybrid client honeypot systems are reduced by a factor of nine compared to traditional high-interaction client honeypots.

The five main contributions of our work are:

  • High-Interaction Client Honeypot - The first main contribution of our work is the design and implementation of a high-interaction client honeypot, Capture-HPC. It is an open-source, publicly available client honeypot research platform, which allows researchers and security professionals to conduct research on malicious web pages and client honeypots. Based on our client honeypot implementation and analysis of existing client honeypots, we developed a component model of client honeypots. This model allows researchers to agree on the object of study, allows for focus on specific areas within the object of study, and provides a framework for communication of research around client honeypots.
  • True Positive Cost Curve - As mentioned above, we have chosen a cost-based evaluation method to compare and evaluate client honeypots against their primary purpose of identification of malicious web pages: the true positive cost curve. It takes into account the unique characteristics of client honeypots (speed, detection accuracy, and resource cost) and provides a simple, cost-based mechanism to evaluate and compare client honeypots in an operating environment. As such, the TPCC provides a foundation for improving client honeypot technology. The TPCC is the second main contribution of our work.
  • Mitigation of Risks to the Experimental Design with HAZOP - Mitigation of risks to internal and external validity of the experimental design using a hazard and operability (HAZOP) study is the third main contribution. This methodology addresses risks to intent (internal validity) as well as generalizability of results beyond the experimental setting (external validity) in a systematic and thorough manner.
  • Low-Interaction Client Honeypots - Malicious web pages are usually part of a malware distribution network that consists of several servers that are involved as part of the drive-by-download attack. Development and evaluation of classification methods that assess whether a web page is part of a malware distribution network is the fourth main contribution.
  • Hybrid Client Honeypot System - The fifth main contribution is the hybrid client honeypot system. It incorporates the mentioned classification methods, in the form of a low-interaction client honeypot and a high-interaction client honeypot, into a hybrid client honeypot system that is capable of identifying malicious web pages in a cost-effective way on a large scale. The hybrid client honeypot system outperforms a high-interaction client honeypot with identical resources and identical false positive rate.

Record details

  • Author: Seifert Christian
  • Year: 2010
  • Format: PDF
  • Language: en_NZ
