Client honeypot

Honeypots are security devices whose value lies in being probed and compromised. Traditional honeypots are servers (or devices that expose server services) that wait passively to be attacked. Client honeypots are active security devices in search of malicious servers that attack clients. The client honeypot poses as a client and interacts with the server to examine whether an attack has occurred. Often the focus of client honeypots is on web browsers, but any client that interacts with servers can be part of a client honeypot (for example ftp, ssh, email, etc.).

There are several terms that are used to describe client honeypots. Besides client honeypot, which is the generic classification, honeyclient is the other term that is generally used and accepted. However, there is a subtlety here, as "honeyclient" is actually a homograph that could also refer to the first known open source client honeypot implementation (see HoneyClient below), although this should be clear from the context.

Architecture

A client honeypot is composed of three components. The first component, a queuer, is responsible for creating a list of servers for the client to visit. This list can be created, for example, through crawling. The second component is the client itself, which is able to make requests to servers identified by the queuer. After the interaction with the server has taken place, the third component, an analysis engine, is responsible for determining whether an attack has taken place on the client honeypot.

In addition to these components, client honeypots are usually equipped with some sort of containment strategy to prevent successful attacks from spreading beyond the client honeypot. This is usually achieved through the use of firewalls and virtual machine sandboxes.

Analogous to traditional server honeypots, client honeypots are mainly classified by their interaction level, high or low, which denotes the level of functional interaction the server can utilize on the client honeypot. In addition there are newer hybrid approaches, which denote the usage of both high and low interaction detection techniques.

High interaction

High interaction client honeypots are fully functional systems comparable to real systems with real clients. As such, no functional limitations (besides the containment strategy) exist on high interaction client honeypots. Attacks on high interaction client honeypots are detected via inspection of the state of the system after a server has been interacted with. The detection of changes to the client honeypot may indicate the occurrence of an attack that has exploited a vulnerability of the client. An example of such a change is the presence of a new or altered file.

High interaction client honeypots are very effective at detecting unknown attacks on clients. However, the tradeoff for this accuracy is a performance hit from the amount of system state that has to be monitored to make an attack assessment. Also, this detection mechanism is prone to various forms of evasion by the exploit. For example, an attack could delay the exploit from immediately triggering (time bombs) or could trigger upon a particular set of conditions or actions (logic bombs). Since no immediate, detectable state change occurred, the client honeypot is likely to incorrectly classify the server as safe even though it did successfully perform its attack on the client. Finally, if the client honeypots are running in virtual machines, then an exploit may try to detect the presence of the virtual environment and cease from triggering or behave differently.

Capture-HPC

Capture is a high interaction client honeypot developed by researchers at Victoria University of Wellington, NZ. Capture differs from existing client honeypots in various ways. First, it is designed to be fast: state changes are detected using an event based model, allowing it to react to state changes as they occur. Second, Capture is designed to be scalable: a central Capture server is able to control numerous clients across a network. Third, Capture is meant to be a framework that allows different clients to be utilized. The initial version of Capture supported Internet Explorer, but the current version supports all major browsers (Internet Explorer, Firefox, Opera, Safari) as well as other HTTP aware client applications, such as office applications and media players.

HoneyClient

HoneyClient is a web browser based (IE/Firefox) high interaction client honeypot designed by Kathy Wang in 2004 and subsequently developed at MITRE. It was the first open source client honeypot and is a mix of Perl, C++, and Ruby. HoneyClient is state-based and detects attacks on Windows clients by monitoring files, process events, and registry entries. It has integrated the Capture-HPC real-time integrity checker to perform this detection. HoneyClient also contains a crawler, so it can be seeded with a list of initial URLs from which to start and can then continue to traverse web sites in search of client-side malware.

HoneyMonkey (dead since 2010)

Main article: HoneyMonkey

HoneyMonkey is a web browser based (IE) high interaction client honeypot implemented by Microsoft in 2005. It is not available for download. HoneyMonkey is state based and detects attacks on clients by monitoring files, registry, and processes. A unique characteristic of HoneyMonkey is its layered approach to interacting with servers in order to identify zero-day exploits. HoneyMonkey initially crawls the web with a vulnerable configuration. Once an attack has been identified, the server is reexamined with a fully patched configuration. If the attack is still detected, one can conclude that the attack utilizes an exploit for which no patch has been publicly released yet and is therefore quite dangerous.

SHELIA (dead since 2009)

Shelia is a high interaction client honeypot developed by Joan Robert Rocaspana at Vrije Universiteit Amsterdam. It integrates with an email reader and processes each email it receives (URLs and attachments). Depending on the type of URL or attachment received, it opens a different client application (e.g. browser, office application, etc.). It monitors whether executable instructions are executed in the data area of memory (which would indicate a buffer overflow exploit has been triggered). With such an approach, SHELIA is not only able to detect exploits, but is able to actually ward off exploits from triggering.

UW Spycrawler

The Spycrawler developed at the University of Washington is yet another browser based (Mozilla) high interaction client honeypot, developed by Moshchuk et al. in 2005. This client honeypot is not available for download. The Spycrawler is state based and detects attacks on clients by monitoring files, processes, registry, and browser crashes. Spycrawler's detection mechanism is event based. Further, it increases the passage of time of the virtual machine the Spycrawler is operating in to overcome (or rather reduce the impact of) time bombs.

Web Exploit Finder

WEF is an implementation of automatic drive-by-download detection in a virtualized environment, developed by Thomas Müller, Benjamin Mack and Mehmet Arziman, three students from the Hochschule der Medien (HdM), Stuttgart, during the summer term of 2006. WEF can be used as an active HoneyNet with a complete virtualization architecture underneath for rollbacks of compromised virtualized machines.

Low interaction

Low interaction client honeypots differ from high interaction client honeypots in that they do not utilize an entire real system, but rather use lightweight or simulated clients to interact with the server (in the browser world, they are similar to web crawlers). Responses from servers are examined directly to assess whether an attack has taken place. This could be done, for example, by examining the response for the presence of malicious strings.

Low interaction client honeypots are easier to deploy and operate than high interaction client honeypots and also perform better. However, they are likely to have a lower detection rate since attacks have to be known to the client honeypot in order for it to detect them; new attacks are likely to go unnoticed. They also suffer from the problem of evasion by exploits, which may be exacerbated due to their simplicity, thus making it easier for an exploit to detect the presence of the client honeypot.

HoneyC

HoneyC is a low interaction client honeypot developed at Victoria University of Wellington by Christian Seifert in 2006. HoneyC is a platform independent open source framework written in Ruby. It currently concentrates on driving a web browser simulator to interact with servers. Malicious servers are detected by statically examining the web server's response for malicious strings through the usage of Snort signatures.

Monkey-Spider (dead since 2008)

Monkey-Spider is a low-interaction client honeypot initially developed at the University of Mannheim by Ali Ikinci. Monkey-Spider is a crawler based client honeypot initially utilizing anti-virus solutions to detect malware. It is claimed to be fast and expandable with other detection mechanisms. The work started as a diploma thesis and is continued and released as Free Software under the GPL.

PhoneyC (dead since 2015)

PhoneyC is a low-interaction client developed by Jose Nazario. PhoneyC mimics legitimate web browsers and can understand dynamic content by de-obfuscating malicious content for detection. Furthermore, PhoneyC emulates specific vulnerabilities to pinpoint the attack vector. PhoneyC is a modular framework that enables the study of malicious HTTP pages and understands modern vulnerabilities and attacker techniques.

SpyBye

SpyBye is a low interaction client honeypot developed by Niels Provos. SpyBye allows a web master to determine whether a web site is malicious by a set of heuristics and scanning of content against the ClamAV engine.

Thug

Thug is a low-interaction client honeypot developed by Angelo Dell'Aera. Thug emulates the behaviour of a web browser and is focused on detection of malicious web pages. The tool uses the Google V8 JavaScript engine and implements its own Document Object Model (DOM). The most important and unique features of Thug are the ActiveX controls handling module (vulnerability module) and its static and dynamic analysis capabilities (using an Abstract Syntax Tree and the Libemu shellcode analyser). Thug is written in Python under the GNU General Public License.

YALIH

YALIH (Yet Another Low Interaction Honeyclient) is a low interaction client honeypot developed by Masood Mansoori from the honeynet chapter of the Victoria University of Wellington, New Zealand, and designed to detect malicious websites through signature and pattern matching techniques. YALIH has the capability to collect suspicious URLs from malicious website databases, the Bing API, and inbox and spam folders through the POP3 and IMAP protocols. It can perform JavaScript extraction, de-obfuscation and de-minification of scripts embedded within a website, can emulate the referrer and browser agent, and handles redirection, cookies and sessions. Its visitor agent is capable of fetching a website from multiple locations to bypass geo-location and IP cloaking attacks. YALIH can also generate automated signatures to detect variations of an attack. YALIH is available as an open source project.

miniC

miniC is a low interaction client honeypot based on the wget retriever and the Yara engine. It is designed to be light, fast and suitable for retrieval of a large number of websites. miniC allows setting and simulating the referrer, user-agent, accept_language and a few other variables. miniC was designed at the New Zealand Honeynet chapter of the Victoria University of Wellington.

Hybrid Client Honeypots

Hybrid client honeypots combine both low and high interaction client honeypots to gain from the advantages of both approaches.

HoneySpider (dead since 2013)

The HoneySpider network is a hybrid client honeypot developed as a joint venture between NASK/CERT Polska, GOVCERT.NL and SURFnet. The project's goal is to develop a complete client honeypot system, based on existing client honeypot solutions and a crawler specially for the bulk processing of URLs.

References

NCSC (14 May 2013). "Nationaal Cyber Security Centrum - NCSC". www.ncsc.nl.
"SURF is de ICT-coöperatie van onderwijs en onderzoek". SURF.nl.

Literature

Jan Göbel, Andreas Dewald, Client-Honeypots: Exploring Malicious Websites, Oldenbourg Verlag 2010, ISBN 978-3-486-70526-3.

Papers

M. Egele, P. Wurzinger, C. Kruegel, and E. Kirda, Defending Browsers against Drive-by Downloads: Mitigating Heap-spraying Code Injection Attacks, Secure Systems Lab, 2009. Available from iseclab.org, accessed May 15, 2009.
Feinstein, Ben. Caffeine Monkey: Automated Collection, Detection and Analysis of JavaScript. BlackHat USA. Las Vegas, 2007.
Ikinci, A., Holz, T., Freiling, F.C.: Monkey-Spider: Detecting Malicious Websites with Low-Interaction Honeyclients. Sicherheit 2008: 407-421. Archived 2013-01-02 at the Wayback Machine.
Moshchuk, A., Bragin, T., Gribble, S.D. and Levy, H.M. A Crawler-based Study of Spyware on the Web. In 13th Annual Network and Distributed System Security Symposium (NDSS). San Diego, 2006. The Internet Society.
Provos, N., Holz, T. Virtual Honeypots: From Botnet Tracking to Intrusion Detection. Addison-Wesley. Boston, 2007.
Provos, N., Mavrommatis, P., Abu Rajab, M., Monrose, F. All Your iFRAMEs Point to Us. Google Technical Report. Google, Inc., 2008.
Provos, N., McNamee, D., Mavrommatis, P., Wang, K., Modadugu, N. The Ghost In The Browser: Analysis of Web-based Malware. Proceedings of the 2007 HotBots. Cambridge, April 2007. USENIX.
Seifert, C., Endicott-Popovsky, B., Frincke, D., Komisarczuk, P., Muschevici, R. and Welch, I. Justifying the Need for Forensically Ready Protocols: A Case Study of Identifying Malicious Web Servers Using Client Honeypots. In 4th Annual IFIP WG 11.9 International Conference on Digital Forensics, Kyoto, 2008.
Seifert, C. Know Your Enemy: Behind The Scenes Of Malicious Web Servers. The Honeynet Project. 2007.
Seifert, C., Komisarczuk, P. and Welch, I. Application of divide-and-conquer algorithm paradigm to improve the detection speed of high interaction client honeypots. 23rd Annual ACM Symposium on Applied Computing. Ceara, Brazil, 2008.
Seifert, C., Steenson, R., Holz, T., Yuan, B., Davis, M. A. Know Your Enemy: Malicious Web Servers. The Honeynet Project. 2007. (available at honeynet.org)
Seifert, C., Welch, I. and Komisarczuk, P. HoneyC: The Low-Interaction Client Honeypot. Proceedings of the 2007 NZCSRCS. University of Waikato, Hamilton, New Zealand. April 2007.
C. Seifert, V. Delwadia, P. Komisarczuk, D. Stirling, and I. Welch, Measurement Study on Malicious Web Servers in the .nz Domain, in 14th Australasian Conference on Information Security and Privacy (ACISP), Brisbane, 2009.
C. Seifert, P. Komisarczuk, and I. Welch, True Positive Cost Curve: A Cost-Based Evaluation Method for High-Interaction Client Honeypots, in SECURWARE, Athens, 2009.
C. Seifert, P. Komisarczuk, and I. Welch, Identification of Malicious Web Pages with Static Heuristics, in Australasian Telecommunication Networks and Applications Conference, Adelaide, 2008.
Stuurman, Thijs, Verduin, Alex. Honeyclients - Low interaction detection method. Technical Report. University of Amsterdam. February 2008.
Wang, Y.-M., Beck, D., Jiang, X., Roussev, R., Verbowski, C., Chen, S. and King, S. Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities. In 13th Annual Network and Distributed System Security Symposium (NDSS). San Diego, 2006. The Internet Society.
Zhuge, Jianwei, Holz, Thorsten, Guo, Jinpeng, Han, Xinhui, Zou, Wei. Studying Malicious Websites and the Underground Economy on the Chinese Web. Proceedings of the 2008 Workshop on the Economics of Information Security. Hanover, June 2008.

Presentations

Presentation by Websense on their Honeyclient infrastructure and the next generation of Honeyclients they are currently working on; April 2008 at RSA-2008
The Honeynet Project
Virtuelle Leimrouten (in German)
Video of Michael Davis' Client Honeypot Presentation at HITB 2006
Video of Kathy Wang's Presentation of HoneyClient at Recon 2005
Video of Wolfgarten's presentation at CCC conference

Sites

Capture-HPC: https://web.archive.org/web/20100131222145/https://projects.honeynet.org/capture-hpc
Second generation honeyclients (slides): https://web.archive.org/web/20071204172932/http://handlers.dshield.org/rdanford/pub/2nd_generation_honeyclients.ppt
HoneyC: https://web.archive.org/web/20100131222101/https://projects.honeynet.org/honeyc/
HoneyClient: https://archive.today/20070410162806/http://www.honeyclient.org/trac
HoneySpider: https://web.archive.org/web/20180430012758/http://www.honeyspider.net/
Monkey-Spider: http://monkeyspider.sourceforge.net/
PhoneyC: https://code.google.com/p/phoneyc/
Thug: https://github.com/buffer/thug
SHELIA: http://www.cs.vu.nl/~herbertb/misc/shelia/
SpyBye: http://www.spybye.org/
Web Exploit Finder: https://web.archive.org/web/20070322205829/http://www.xnos.org/security/overview.html
mwcollect: https://web.archive.org/web/20100220013531/http://code.mwcollect.org/
New Zealand Honeynet chapter: http://nz-honeynet.org
YALIH: https://github.com/masood-m/yalih
miniC: https://github.com/Masood-M/miniC
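
Worked example: a low interaction client honeypot

The three components from the Architecture section (queuer, client, analysis engine) put together as a low interaction honeyclient of the kind described in the Low interaction section: the client emulates a browser's headers and follows redirects but never executes scripts, and the analysis engine statically matches signatures against the response after folding two common JavaScript obfuscations. This is an added example, not code from HoneyC, Thug, PhoneyC, YALIH, miniC or any other project named above. The hostnames example.test and evil.test, the pages in CORPUS, the user-agent cloaking handler and the signature set are all constructed so that the example runs offline; in a deployment offline_fetch would be replaced by a real HTTP client.

```python
"""Minimal low-interaction client honeypot: queuer -> client -> analysis engine.
Added illustration; not the code of any project on the page. Corpus, hostnames
and signatures are constructed for offline use."""
import re
from collections import deque
from html import unescape as html_unescape
from typing import Callable

# Constructed "network": url -> handler(request_headers) -> (status, headers, body)
EXPLOIT_PAGE = (
    "<html><script>"
    'var s = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");'
    "var c = String.fromCharCode(65,99,116,105,118,101,88,79,98,106,101,99,116);"  # "ActiveXObject"
    "</script></html>"
)

def _cloaked(headers):
    """User-agent cloaking: the exploit is served only to Internet Explorer."""
    if "MSIE" in headers.get("User-Agent", ""):
        return 200, {}, EXPLOIT_PAGE
    return 200, {}, "<html><body>Nothing to see.</body></html>"

CORPUS = {
    "http://example.test/": lambda h: (200, {}, '<html><a href="http://example.test/ad.html">ads</a></html>'),
    "http://example.test/ad.html": lambda h: (200, {}, '<html><iframe src="http://evil.test/go" width=0 height=0></iframe></html>'),
    "http://evil.test/go": lambda h: (302, {"Location": "http://evil.test/x.html"}, ""),
    "http://evil.test/x.html": _cloaked,
}

def offline_fetch(url, headers):
    handler = CORPUS.get(url)
    return handler(headers) if handler else (404, {}, "")

class Client:
    """Simulated browser: emulates request headers and follows redirects, never runs scripts."""
    def __init__(self, fetcher: Callable, user_agent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", max_redirects=5):
        self.fetcher, self.user_agent, self.max_redirects = fetcher, user_agent, max_redirects

    def visit(self, url, referer=None):
        chain = [url]
        for _ in range(self.max_redirects + 1):
            headers = {"User-Agent": self.user_agent, "Accept-Language": "en-US"}
            if referer:
                headers["Referer"] = referer
            status, resp_headers, body = self.fetcher(url, headers)
            if status in (301, 302, 303, 307, 308) and "Location" in resp_headers:
                referer, url = url, resp_headers["Location"]  # follow, keeping a referer
                chain.append(url)
                continue
            return chain, body
        return chain, ""  # redirect loop: nothing to analyse

_UNESCAPE = re.compile(r'unescape\("((?:%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2})+)"\)')
_FROMCHAR = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")

def deobfuscate(body):
    """Statically fold unescape("%u..") and String.fromCharCode(..) so signatures
    see what the script would build at run time. Returns the rewritten text and
    the raw byte blobs recovered from unescape()."""
    blobs = []
    def fold_unescape(m):
        data = bytearray()
        for wide, narrow in re.findall(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})", m.group(1)):
            data += int(wide, 16).to_bytes(2, "little") if wide else bytes([int(narrow, 16)])
        blobs.append(bytes(data))
        return '"<%d unescaped bytes>"' % len(data)
    def fold_fromchar(m):
        return '"' + "".join(chr(int(n)) for n in m.group(1).split(",")) + '"'
    return _FROMCHAR.sub(fold_fromchar, _UNESCAPE.sub(fold_unescape, body)), blobs

# (name, severity, pattern, decoded_only). decoded_only signatures fire only when the
# string is absent from the raw page, i.e. it was deliberately hidden by encoding.
SIGNATURES = [
    ("hidden_iframe", "suspicious", re.compile(r"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?0\b", re.I), False),
    ("decoded_activex", "malicious", re.compile(r"ActiveXObject"), True),
]
NOP_SLED = b"\x90" * 16  # a run of x86 NOPs inside an unescape() string

def analyze(body):
    """Analysis engine: verdict plus the names of the signatures that matched."""
    expanded, blobs = deobfuscate(body)
    hits = [(name, sev) for name, sev, rx, decoded_only in SIGNATURES
            if rx.search(expanded) and not (decoded_only and rx.search(body))]
    if any(NOP_SLED in blob for blob in blobs):
        hits.append(("nop_sled_in_unescape", "malicious"))
    if any(sev == "malicious" for _, sev in hits):
        return "malicious", [name for name, _ in hits]
    return ("suspicious" if hits else "benign"), [name for name, _ in hits]

_LINK = re.compile(r"""(?:href|src)\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)

def run(seeds, client, max_pages=50):
    """Queuer: breadth-first crawl from the seeds; every discovered URL is
    visited by the client and judged by the analysis engine exactly once."""
    queue, seen, report = deque((u, None) for u in seeds), set(seeds), {}
    while queue and len(report) < max_pages:
        url, referer = queue.popleft()
        chain, body = client.visit(url, referer)
        verdict, hits = analyze(body)
        report[url] = {"final_url": chain[-1], "verdict": verdict, "hits": hits}
        for link in _LINK.findall(html_unescape(body)):
            if link not in seen:
                seen.add(link)
                queue.append((link, url))
    return report

if __name__ == "__main__":
    for url, result in run(["http://example.test/"], Client(offline_fetch)).items():
        print(url, "->", result)
```

Two points the crawl makes that the prose only states. First, the cloaked page is benign to a non-IE user agent, so a honeyclient that does not emulate the browser it claims to be never sees the exploit: run the same seed with Client(offline_fetch, user_agent="curl/8.0") and evil.test/go is reported benign. Second, decoded_only turns an otherwise ordinary identifier into an indicator only when it was hidden by encoding, which is cheaper than executing the script but, as the Low interaction section warns, catches only encodings the engine knows how to fold.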
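
Worked example: state-based detection in a high interaction client honeypot

The High interaction section describes detection as comparing system state before and after the visit, the HoneyMonkey section describes re-visiting a server with a fully patched configuration to recognise zero-day exploits, and the evasion paragraph explains why a time bomb defeats an immediate comparison. The example below puts the three together. It is an added illustration, not code from Capture-HPC, HoneyMonkey, Spycrawler or any other project named above: a temporary directory stands in for the guest file system, the "servers" are constructed callables that perform the side effects a real exploit would cause on the client, and the 0.1 s time-bomb delay and the configuration names "vulnerable" and "patched" are assumptions made for the example.

```python
"""State-based detection for a high-interaction client honeypot.
Added illustration; not the code of any project on the page. The sandbox is a
temporary directory and the servers are constructed stand-ins."""
import hashlib
import tempfile
import threading
import time
from pathlib import Path

def snapshot(root):
    """Hash every file under root: the system state the honeypot compares."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*") if p.is_file()}

def diff_state(before, after):
    """New, altered and deleted files between two snapshots."""
    return {"new": sorted(set(after) - set(before)),
            "altered": sorted(p for p in before if p in after and before[p] != after[p]),
            "deleted": sorted(set(before) - set(after))}

def visit_and_check(sandbox, server, config, settle=0.0):
    """One visit: snapshot, let the client interact with the server, wait `settle`
    seconds for delayed effects, snapshot again, and report any change."""
    before = snapshot(sandbox)
    server(sandbox, config)
    time.sleep(settle)
    changes = diff_state(before, snapshot(sandbox))
    return any(changes.values()), changes

def triage(sandbox_factory, server, settle=0.0):
    """HoneyMonkey-style layering: visit with a vulnerable client first and, if it
    was attacked, revisit from a fresh sandbox with a fully patched client."""
    with sandbox_factory() as box:
        attacked, _ = visit_and_check(box, server, "vulnerable", settle)
    if not attacked:
        return "no attack detected"
    with sandbox_factory() as box:
        still_attacked, _ = visit_and_check(box, server, "patched", settle)
    return "zero-day exploit" if still_attacked else "exploit of a patched vulnerability"

# Constructed servers: what a visit would do to the guest (stand-ins, not real sites).
def benign_server(sandbox, config):
    pass

def drive_by_server(sandbox, config):
    """Drops a binary, but only against the vulnerable configuration."""
    if config == "vulnerable":
        Path(sandbox, "Temp").mkdir(exist_ok=True)
        Path(sandbox, "Temp", "dropped.exe").write_bytes(b"MZ\x90\x00")

def zero_day_server(sandbox, config):
    """Succeeds regardless of patch level; here it alters an existing file."""
    Path(sandbox, "hosts").write_text("127.0.0.1 update.example\n")

def time_bomb_server(sandbox, config, delay=0.1):
    """Defers the payload so an immediate comparison sees no state change."""
    def payload():
        try:
            Path(sandbox, "late.dll").write_bytes(b"MZ")
        except OSError:
            pass  # sandbox already torn down: the honeypot moved on, none the wiser
    if config == "vulnerable":
        threading.Timer(delay, payload).start()

def make_sandbox():
    """Fresh temporary directory with one pre-existing file, like a clean guest image."""
    box = tempfile.TemporaryDirectory()
    Path(box.name, "hosts").write_text("127.0.0.1 localhost\n")
    return box

def demo():
    """Triage each constructed server; the time bomb is tried with and without a settle window."""
    return {
        "benign": triage(make_sandbox, benign_server),
        "drive_by": triage(make_sandbox, drive_by_server),
        "zero_day": triage(make_sandbox, zero_day_server),
        "time_bomb_immediate": triage(make_sandbox, time_bomb_server),
        "time_bomb_settled": triage(make_sandbox, time_bomb_server, settle=0.3),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22} {outcome}")
```

The time-bomb pair shows the false negative the section warns about: with settle=0 the server is reported clean even though its payload lands 0.1 s later. A settle window is the simplest mitigation and is also why high interaction honeypots are slow; Spycrawler's approach of speeding up the guest clock and Capture-HPC's event based model (reacting to the write when it happens rather than polling snapshots) both attack the same problem. The patched re-visit deliberately uses a fresh sandbox so that state left behind by the first visit cannot be mistaken for a second, independent success.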


Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.