

Journal of Information Science and Engineering, Vol. 28 No. 4, pp. 911-924 (September 2012)

Efficient Detection of Malicious Web Pages Using High-Interaction Client Honeypots*

HONG-GEUN KIM1, DONGJIN KIM2, SEONG-JE CHO2,+, MOONJU PARK3 AND MINKYU PARK4
1Korea Internet Security Agency
Seoul, 138-950 Korea
2Department of Computer Science
Dankook University
Gyeonggi, 448-701 Korea
3Department of Computer Science and Engineering
University of Incheon
Incheon, 406-772 Korea
4Department of Computer Engineering
Konkuk University
Chungbuk, 380-701 Korea

Drive-by-download attacks are client-side attacks that originate from the web servers clients visit. High-interaction client honeypots identify malicious web pages by directly visiting them and are very useful. However, they still have shortcomings that must be addressed: long inspection time and the possibility of missing certain attacks such as time bombs. To address these problems, we propose a new detection method to identify web pages with time bombs. The proposed method introduces a pattern-based static analysis for detecting time bombs efficiently. A high-interaction client honeypot performs the static analysis before carrying out execution-based dynamic analysis. The static analysis classifies sample web pages into two groups, the first assumed to contain time bombs and the second assumed not to. We then perform dynamic analysis on the first group using a sequential visitation algorithm with a long classification delay and on the second group using a divide-and-conquer visitation algorithm with a short classification delay. Experimental results demonstrate that our method is more accurate and costs less than conventional methods.

Keywords: high-interaction client honeypot, malicious web page, visitation algorithm, logarithmic divide-and-conquer (LDAC) algorithm, detection method, time bombs, static analysis
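As an added illustration of the two-stage pipeline the abstract describes (not code from the paper), the following Python simulation routes pages through an assumed pattern heuristic for scripted delays, then applies sequential visitation with a long delay to suspected time bombs and divide-and-conquer visitation with a short delay to the rest, and compares the cost with visiting every page sequentially. The honeypot model, the delays, the halving rule and the sample pages are all constructed assumptions, not the paper's LDAC specification or data.

```python
import re
from dataclasses import dataclass
@dataclass
class Page:
    url: str
    script: str           # constructed page content seen by the static pass
    malicious: bool       # constructed ground truth, unknown to the honeypot
    trigger_delay: int    # seconds after load before the exploit fires (0 = at once)

# Assumed pattern heuristic (not the paper's): a scripted delay >= 10 s marks a candidate time bomb.
TIMER_RE = re.compile(r"set(?:Timeout|Interval)\([^,]*,\s*(\d+)\)")
def looks_like_time_bomb(script: str, threshold_ms: int = 10_000) -> bool:
    return any(int(ms) >= threshold_ms for ms in TIMER_RE.findall(script))

class Honeypot:
    """Simulated honeypot: a visit costs `delay` seconds; a batch triggers if any page fires in time."""
    def __init__(self): self.visits = self.seconds = 0
    def visit(self, batch, delay):
        self.visits += 1
        self.seconds += delay
        return any(p.malicious and p.trigger_delay <= delay for p in batch)

def sequential(pages, hp, delay):  # one page per visit, full delay each time
    return {p.url for p in pages if hp.visit([p], delay)}

def divide_and_conquer(pages, hp, delay):  # whole group per visit; split only on a trigger
    if not pages or not hp.visit(pages, delay): return set()
    if len(pages) == 1: return {pages[0].url}
    mid = len(pages) // 2
    return divide_and_conquer(pages[:mid], hp, delay) | divide_and_conquer(pages[mid:], hp, delay)

def inspect_pages(pages, long_delay=60, short_delay=5):
    """Proposed method: the static pass splits the sample and each group gets its own visitation."""
    suspected = [p for p in pages if looks_like_time_bomb(p.script)]
    others = [p for p in pages if not looks_like_time_bomb(p.script)]
    hp = Honeypot()
    found = sequential(suspected, hp, long_delay) | divide_and_conquer(others, hp, short_delay)
    return found, hp.visits, hp.seconds

def baseline(pages, long_delay=60):  # conventional method: every page sequential, long delay
    hp = Honeypot()
    return sequential(pages, hp, long_delay), hp.visits, hp.seconds
SAMPLE_PAGES = [  # constructed sample set
    Page("benign-1", "<p>news</p>", False, 0),
    Page("benign-2", "setTimeout(tick, 500)", False, 0),  # short timer, not a bomb
    Page("benign-3", "<img src=logo.png>", False, 0),
    Page("instant-exploit", "exploit()", True, 0),
    Page("delayed-exploit", "setTimeout(exploit, 30000)", True, 30),
]
```

On the constructed set both methods find the same two pages, but the two-stage method needs 85 honeypot-seconds against 300 for the all-sequential baseline, which is the cost saving the abstract claims.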

Full text: PDF document 201209_06.pdf

Received May 31, 2011; accepted March 31, 2012.
Communicated by Jiman Hong, Junyoung Heo and Tei-Wei Kuo.
* This work was supported partly by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MEST) (No. 2011-0026301), and by the National IT Industry Promotion Agency (NIPA) under the program of Software Engineering Technologies Development.
+ Corresponding author.