Analysis of Client Honeypots - IJCSIT

Jhilam Biswas et al. / (IJCSIT) International Journal of Computer Science and Information Technologies, Vol. 5 (4), 2014, 5776-5780

Analysis of Client Honeypots

Jhilam Biswas, Ashutosh
Students (8th semester), Department of Electronics and Communication, Manipal Institute of Technology, Manipal, Karnataka, India

Abstract— With the growing popularity of the Internet, security has become one of the most important concerns. A honeypot is a security resource whose value lies in being probed or attacked. It can be used to ward off the security issues arising nowadays, and a considerable amount of information about the attacker and his attack methodologies can be obtained from it. This paper includes a brief discussion of the different types of honeypot technology classified by the site of the attack, namely client honeypots and server honeypots. Server honeypots enable us to understand server-side attacks, whereas client honeypots enable us to understand client-side attacks. During the research on honeypot technologies, the main focus was on the analysis of client honeypots, as they are considerably more vulnerable to attack. We discuss different types of attacks on client honeypots and different approaches to detect and tackle them.

Keywords— honeypot, client honeypot, 0day attacks, detection, obfuscation, effectiveness, integration

I. INTRODUCTION

A large number of malware such as viruses and Trojan horses are invariably present on the Internet. These malware harvest personal credentials, user names, passwords, etc. Hence Internet security and privacy are a matter of great concern. Broadly, there are two kinds of attacks: server-side attacks and client-side attacks. Server-side attacks aim at the servers that provide services to client machines. Client-side attacks target client applications, such as web browsers, email clients and office software. These client applications interact with a server or file.

Malicious client-side attacks aim at attacking client application software. Antivirus systems can help to detect them; however, antivirus software is mostly based on virus signatures, so it is useful for detecting known malware but cannot effectively detect metamorphic or unknown malware. Honeypots, by contrast, can detect and capture metamorphic and unknown malware.

Broadly, there are two kinds of honeypot: server-side honeypots and client-side honeypots. The server-side honeypot is the passive or traditional honeypot, which provides deep insight into server-side attacks. In contrast to server honeypots, client honeypots provide thorough knowledge of client-side attacks; therefore they are also called active honeypots or honeyclients. A further, more elaborate classification of honeypots is based on the intensity of interaction between the honeypot and the attacker. They are classified as low-interaction, medium-interaction and high-interaction honeypots.

Low-Interaction Honeypots: Installation, configuration, maintenance and implementation are the easiest to perform for these honeypots. They limit the hacker to interacting with pre-configured basic services like FTP and Telnet.

Medium-Interaction Honeypots: In terms of interaction with attackers, these are a little more advanced than low-interaction honeypots, but a little less advanced than high-interaction honeypots. They do not possess a real operating system, but the fake services provided are more technically sophisticated.

High-Interaction Honeypots: These kinds of honeypots are time consuming to design, manage and maintain. Installing and maintaining such a honeypot is a tedious task, but the valuable information and evidence gathered for analysis are enormous. The goal of a high-interaction honeypot is to give the attacker access to a real operating system where nothing is emulated or restricted. In other words, the sole purpose of building this honeypot is to let the attacker gain root or superuser access to the machine.

This paper gives a deep insight into client honeypot characteristics. Starting with the various attacks on client honeypots, the paper goes on to discuss the objective, invisibility, detection issues and effectiveness of client honeypots. Each section of the paper analyzes a different aspect of client honeypots.

Fig 1: Honeypot classification

II. ATTACKS IN CLIENT HONEYPOTS

One of the major types of attack faced recently is the client-side attack. Client-side attacks are those launched against the client user. In this type of attack, an attacker makes use of a client application's vulnerabilities to let a malicious server take control of the client system. However, client-side attacks are not limited to web browser vulnerabilities but can occur on any client/server pair, for example e-mail, Adobe products, instant messaging, multimedia streaming, etc. In this section we discuss some issues relating to client-side threats: drive-by download, code obfuscation, phishing, and exploit servers.

A. Drive-by Download

A drive-by download is an attack in which a malicious server changes the state of the client machine without the user's consent; it usually refers to the ability to download and install a program on the client system without the user's consent.

B. Code Beclouding

Attackers usually want to hide the exploit vector by using various encoding options to make the code vague and hard to understand (code obfuscation, called beclouding in this paper). This technique aims at evading static detection tools such as IDSs, anti-virus tools and firewall filters. The attacker can use beclouding to make JavaScript or VBScript exploit code unreadable during transport from the web server to the client web browser. The attacker can use multiple layers of encoding, which makes the code harder to decode.

C. Phishing

Phishing is an attack that combines social engineering techniques with sophisticated attack vectors to acquire sensitive information or data from end users. The phisher typically tries to lure the victim into clicking a URL pointing to a rogue page which does not hold real exploit code; it just tries to deceive the client into entering credentials to log in to a fake site. The phisher typically uses a redirection method to send the user on to a benign website afterwards.

III. OBJECTIVE OF CLIENT HONEYPOTS

The prime motive of client honeypots is to identify and detect malicious activities across the Internet. The main functions of client honeypots are as follows:

- A client honeypot should enable real-time detection of attacks.
- Client honeypots should be able to detect all known and unknown threats against any client/server user application. A client honeypot should be able to check various kinds of URL (images, executable files, HTML, scripts).
- Research on client-side honeypots mostly aims at finding malicious websites. The data source comes from search engines or blacklists.
- Dynamic modification of the detection and security policy rules is another feature client honeypots should possess.

The general approach of client honeypots has the following two phases:

Crawling: In this phase, the honeypot traces malicious websites. This phase is common to all client honeypots. A client-side honeypot needs a data source. Crawlers are used to get URLs, which are later inspected in the honeypot. However, in general, the speed of the crawler and the speed of the honeypot do not match. Normally, the crawler is faster than the process of opening pages in the honeypot. The behaviour of the honeypot is restricted by network bandwidth and operating system performance: opening a URL or file needs a certain amount of time. This is a bottleneck that affects system efficiency. As a result, two factors, efficiency and coverage, need consideration while designing a crawler.

Detecting: In this phase, the honeypot identifies whether the queued sites are malicious or benign. Two approaches are used by client honeypots to detect malicious websites:

1) Pattern Matching: This is used by low-interaction client honeypots. Low-interaction client honeypots do not use a fully functional operating system or web browser; instead they use a simulated client. Low-interaction client honeypots are often emulated web browsers or web crawlers which offer no, or only limited, ability for attackers to interact with them. Low-interaction client honeypots send HTTP requests to the web server and detect malicious servers by applying signature-based or heuristic methods to the server's response for a fast analysis. They can directly detect the security violation by applying a static signature or heuristics-based method to the web server's response. Thus, honeypots which use this method are quick in detecting attacks. However, obfuscated attacks and other unimplemented attack types are likely to be missed by this detection method.

2) Integrity Check (State Change Check): This is used by high-interaction client honeypots. A high-interaction client honeypot gives an attacker the opportunity to interact with a real system rather than a simulation. The state change check mechanism is a process that enables high-interaction honeypots to detect security violations. Various client honeypots use approaches such as HoneyClient, HoneyMonkey and Capture, through which the honeypot accesses the suspicious sites from the pre-sorted list. Simultaneously, the honeypot is monitored closely to detect the occurrence of any change on the client system. Any change should give a first indication that the system has been affected. Monitoring the following can provide an indication of whether the system has been exploited:

- File system activities.
- Registry entries.
- Processes.
- Network connections.
- Memory. This is the ultimate state change check.

However, such investigation is a tedious task. In order to achieve easier and faster implementation, current high-interaction client honeypots (HoneyClient, HoneyMonkey, Capture) are limited to monitoring the file system, registry entries and processes. While using the integrity check method, more attention has to be given to avoiding false positives. As an example, a website may create cookies on the system to save some information like IP addresses, the number of user visits to the website, etc. Thus, there should be some kind of exclude list to prevent false positives.

Client honeypots operating in different networks can report the collected findings to central sites that correlate the data. The synthesized analysis enables the operator to keep track of the collected information. A client honeypot can be run in a virtual machine such as VMware. This is helpful for easily resetting the machine to a clean state after a compromise of the system takes place.

IV. INVISIBILITY OF CLIENT HONEYPOTS

Client honeypots also share the "invisibility" requirement of server honeypots. Invisibility of a client honeypot means preventing malicious websites from detecting that the HTTP request was sent by a client honeypot. There are various issues relating to invisibility in client honeypots: anti-crawling techniques, virtual environment detection, geo-location attacks and IP blacklisting. All these issues are discussed briefly.

A. Anti-Crawling Techniques

Automated crawlers allow malicious servers to fingerprint client honeypots. Crawlers normally send requests to resources which are invisible to a human user, and hence malicious websites are able to detect them. These websites then cease triggering. This problem is difficult to solve, so the crawler should be refined to behave as identically to a browser as possible. Also, client honeypots send many HTTP requests to crawl websites, and anti-crawler measures can be used to limit the number of HTTP requests per IP. To mitigate this problem, intelligent crawling, which looks for suspicious files such as scripts and images, is used instead of crawling the whole website.

B. Virtual Environment Detection

Using a virtual machine such as VMware is a good choice for resetting the client honeypot after the system has been compromised. However, the presence of virtual machines can be detected by attackers using several methods: detection code can be incorporated in the exploit page to detect the virtual environment, and hence the malicious site can stop triggering the exploit, behave differently, block the honeypot IP or do something else to stay hidden from detection.

C. Geo-location Attacks

Some attacks target users at specific geographical places. Attackers can find out the location of visitors and then attack visitors in a certain country or location. This issue can be handled by two approaches. The first is running the honeypot across many different networks. The second is using the Tor service to run client honeypots behind various proxies.

D. IP Blacklisting

As malicious websites can detect the presence of honeypots by various means, they can also block the honeypot's IP. It is not possible to hide client honeypot behaviour completely; nevertheless, it becomes hard for the attacker to apply this counter-technique if we operate honeypots through various ISPs. This forces the malicious site to block various ISPs, which deprives the attacker of a large percentage of his victims.

V. DETECTION ISSUES

Detection accuracy can be expressed by the rate at which false negatives and false positives occur. In the light of the detection approaches discussed in the previous section, various detection problems are discussed here.

A. Human Behavior Simulation

The ultimate aim of client honeypots is to achieve the same behaviour as humans, which might not be possible due to the absence of full features. This problem is more visible when dialog boxes pop up. A user is typically left with two options: either to accept the request or to deny it. The website might react differently depending on the user's selection. It can even introduce dialog boxes and ask the user to fill them out; the user then has to click the OK button to prove he/she is human and not a spam bot, and the website drops a cookie to suppress the dialog box on future visits. In this case, user input is necessary to determine the server's response. A malicious website can even use a CAPTCHA, which is a type of challenge-response test, to counter client honeypots. Using such response tests allows the malicious website to hide its malicious activity from the client honeypot. At the same time, end users will be deceived into believing that the website is trying to protect itself against spam abuse.

B. Delayed Exploit

A delayed exploit is also an important issue that needs to be considered when implementing high-interaction client honeypots. Sometimes there may be a delay between initial infection and complete compromise. Low-interaction honeypots will not be evaded by this delay, as they apply the pattern-matching algorithm directly to the server's response. This delay might be due to any or all of these three possible reasons:

- Downloading more malware: Generally, a web page first successfully exploits a vulnerability in the client application and then downloads a process to install more malware on the system. In such a case the download process consumes some time. In the meantime, the client honeypot has already moved on to another web page.
- Logic bombs: Logic bombs are exploits contained on a malicious web page in which the exploit triggers only after a given period of time, and hence they also delay the compromise.
- User-triggered exploits: This scenario arises when the exploit needs a user action to trigger, such as a mouse click. The correct pages need to be flagged so that the user can know which page actually triggered and started the compromise.

C. Real-Time State Change Check

State change checks can find out whether the web page has modified or changed something on the client system. They can be performed periodically, but then there will be some delay. Such delayed checks are unreliable, since installed malware may also install a rootkit which may further hide subsequent malware instances and thus make it hard to detect any changes. Therefore, the integrity check should be performed in real time.
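The integrity (state change) check of section III, together with the exclude list against cookie false positives and the repeated checking that section V.C argues for, can be written out as follows. This is an added illustration for this review, not code from the paper or from HoneyClient, HoneyMonkey or Capture; the exclude patterns, the file paths, the registry value name and the before/after states are constructed assumptions, and the registry is modelled as a plain dictionary so the script runs on any platform.

```python
# Added example (not code from the paper or from HoneyClient/HoneyMonkey/Capture):
# the integrity (state change) check of a high interaction client honeypot,
# with an exclude list so that routine changes such as cookies do not become
# false positives, and a periodic re-check so that a delayed exploit is caught.
import fnmatch
import hashlib
import os
from dataclasses import dataclass, field


@dataclass
class Snapshot:
    """Monitored state at one instant. Registry values are a plain dict standing
    in for the Windows registry so that the example runs on any platform."""
    files: dict = field(default_factory=dict)      # relative path -> sha256 of content
    registry: dict = field(default_factory=dict)   # registry value name -> data
    processes: set = field(default_factory=set)    # names of running processes


def hash_file(path):
    """Hash file contents so an in-place modification is noticed, not only new files."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot_tree(root):
    """File-system part of a snapshot for a real directory tree (paths use '/')."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            files[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full)
    return files


# Exclude list (assumed patterns): changes a benign site is expected to cause.
DEFAULT_EXCLUDES = ["Cookies/*", "Cache/*", "*.log"]


def excluded(path, patterns=DEFAULT_EXCLUDES):
    return any(fnmatch.fnmatch(path, pat) for pat in patterns)


def diff_snapshots(before, after, excludes=DEFAULT_EXCLUDES):
    """State changes between two snapshots, with excluded paths filtered out."""
    keys = set(before.registry) | set(after.registry)
    return {
        "files_created": sorted(p for p in after.files
                                if p not in before.files and not excluded(p, excludes)),
        "files_modified": sorted(p for p in after.files
                                 if p in before.files and after.files[p] != before.files[p]
                                 and not excluded(p, excludes)),
        "files_deleted": sorted(p for p in before.files
                                if p not in after.files and not excluded(p, excludes)),
        "registry_changed": sorted(k for k in keys
                                   if before.registry.get(k) != after.registry.get(k)),
        "processes_started": sorted(after.processes - before.processes),
    }


def verdict(changes):
    """Any change that survives the exclude list is taken as a compromise."""
    return "compromised" if any(changes.values()) else "benign"


def watch_visit(baseline, take_snapshot, checks=3):
    """Re-check the state several times during one visit instead of once at the
    end, so a payload dropped late (delayed exploit) is still attributed to the
    page being visited. Returns the first compromising change set, or None."""
    for _ in range(checks):
        changes = diff_snapshots(baseline, take_snapshot())
        if verdict(changes) == "compromised":
            return changes
    return None


# Constructed demo states, not real captures.
BASELINE = Snapshot(
    files={"Windows/notepad.exe": "aa" * 32, "Cookies/index.dat": "bb" * 32},
    registry={},
    processes={"explorer.exe", "iexplore.exe"},
)
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"


def benign_visit():
    """A benign site only rewrites its cookie file."""
    snap = Snapshot(dict(BASELINE.files), dict(BASELINE.registry), set(BASELINE.processes))
    snap.files["Cookies/index.dat"] = "cc" * 32
    return snap


def drive_by_visit():
    """A drive-by download drops a binary, persists it via a Run value and starts it."""
    snap = benign_visit()
    snap.files["Users/honey/AppData/Local/Temp/svc.exe"] = "dd" * 32
    snap.registry[RUN_KEY] = "C:\\Users\\honey\\AppData\\Local\\Temp\\svc.exe"
    snap.processes.add("svc.exe")
    return snap


if __name__ == "__main__":
    print("benign site:", verdict(diff_snapshots(BASELINE, benign_visit())))
    print("drive-by site:", diff_snapshots(BASELINE, drive_by_visit()))
```

In a deployment, snapshot_tree would be run against the guest's profile and system directories before and during each visit, and the exclude list would be grown from the changes observed on a corpus of known-benign sites; the cookie rewrite in the benign case shows why that list is needed, since without it every site would be flagged.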

D. Attacks Against Internal Security Policies

In the present scenario, high-interaction client honeypots cannot detect exploits that do not make any persistent state changes. Thus, present high-interaction client honeypots might neglect attacks that are targeted at violating the internal security policies of the browser.

E. 0day and Beclouding Attacks

0day and beclouding (obfuscation) attacks may not be detected by low-interaction client honeypots, the reason being that the detection algorithm used by low-interaction client honeypots depends on signatures for known attacks. On the other hand, high-interaction client honeypots may detect these attacks if they try to make any change to the system state.

VI. EFFECTIVENESS OF CLIENT HONEYPOTS

A client honeypot is sometimes also referred to as a computer-human interaction tool. The effectiveness of client honeypots can be measured by the accuracy, reliability and completeness of the tasks a client honeypot performs. Broadly, four factors are used to measure the effectiveness of a client honeypot: speed, detection, accuracy and invisibility. All four factors are discussed briefly.

A. Speed

The speed of a client honeypot can be expressed by the number of sites that can be connected to and inspected in a given time period. It is significant in describing the ability of the client honeypot to identify malicious servers quickly and to safeguard client users against them. The speed of a client honeypot depends on various factors such as hardware, network connection, etc. It also depends on the client honeypot implementation: the more complex the implementation, the slower the honeypot. Detection algorithms play an important role in speeding up the detection process.

B. Detection Accuracy

A client honeypot should have a high accuracy rate while detecting malicious servers. Detection accuracy can be measured by the rate at which false positives (FPs) and false negatives (FNs) occur. With high-interaction client honeypots the FP rate can be neglected; hence the FN rate drives the accuracy of detection of malicious web pages. With low-interaction client honeypots both FPs and FNs can be expected to exist, so both have to be taken care of during detection. The ability of a client honeypot to detect malicious content on a website is influenced both by the type of honeypot and by the characteristics of the operating environment.

C. Invisibility

The value of a honeypot depends on the amount of data it has gathered about the attacker after being probed. Unlike server honeypots, client honeypots do not use deception to lure a malicious server into initiating an attack. However, client honeypots should be kept undetectable by malicious websites, which can otherwise cease triggering their exploits. Thus, keeping the client honeypot hidden allows it to gather more and more information and eventually identify more attackers.

Fig 2: Effectiveness factors in client honeypots

VII. CLIENT HONEYPOT INTEGRATION

To date, there is no compact, publicly available client honeypot that integrates the various detection mechanisms and capabilities of both low- and high-interaction honeypots. Moreover, no open source client honeypots are integrated with commercial tools like web browsers to provide real-time security for the end user. It is a herculean task to deploy a client honeypot that would allow bulk processing of URLs acquired from different sources with different confidence and priority levels. Client honeypots are a budding new technology used to secure client-side systems robustly. Thus, they have to deal with a large web space, various web technologies, evasion techniques, various browser behaviours and strong integration with the operating system. However, client honeypots still being a developing, immature technology, various tools are not available and open for public research. Client honeypots need to operate as a service, rather than just as a research tool to inspect some content. Thus, there is a need for elastic frameworks which allow easier integration with the latest client honeypots and enable analysis of the detection of a large space of attack trends.

VIII. DISCUSSION

In the current generation of the Internet, a large number of malware exploit vulnerabilities in client applications. This is the main motivation for developing client honeypots. Lately, client honeypots have been used widely in various areas of network security. They can be used as a tool to evaluate websites by examining their contents, which helps to identify malicious sites, applications, files, etc. They can be effectively used to evaluate and test client user applications. The web browser being the most preferred target for attackers, researchers use client honeypots to test web browser security. To add to the list, client honeypots are able to identify and detect various client-side attacks. Integrity checks can be effective in discovering new threats; this can be of great help in changing the configuration and security policy to prevent such attacks. Lastly, client honeypots can help in mapping malicious neighbourhoods, because malicious websites typically redirect to other malicious websites [20].

The implementation of a client honeypot should depend on the goals of the honeypot and the circumstances of operation. Honeypot specifications have to be chosen to meet these goals, as they expose the full functional spectrum of a computer system for the attacker to interact with and therefore allow for the collection of the desired data [7]. Attackers use various hiding and evasion techniques so that they are not detected. Thus, developing efficient protection mechanisms against malicious website attacks requires effective analysis tools which allow studying current attacks and foreseeing future attacks. For instance, many malicious sites attack a client only once in a given timeframe; all subsequent requests are then redirected to harmless sites such as search engines. This aims to hold up the analysis and keep the site hidden from further tracking. Therefore, an analysis tool should have the ability to record and replay all requests and responses involved in a detected attack. Until now, open source client honeypot systems have not leveraged the benefits of using both low- and high-interaction solutions together. By combining a low-interaction honeypot and a high-interaction honeypot, a scalable architecture can be achieved at a constant level of false negatives. Low-interaction components can be used to search quickly for potentially malicious sites, tag them as suspicious and only then hand them over to the high-interaction component for detailed analysis. To check whether the low-interaction component is missing some attacks, a small percentage of URLs can be passed over to the high-interaction component and the results from both components compared [7], [11]. Theoretically, high-interaction components can be used to extract signatures of threats, which can then be used in low-interaction components.

IX. CONCLUSIONS

A client honeypot is a new technology that aims to overcome the weakness of server honeypots and other security tools in dealing with client-side attacks.
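The low/high-interaction combination described in the Discussion above, with the sampled cross-check and the FP/FN accuracy measure of section VI.B, can be sketched as the following pipeline. This is an added illustration written for this review, not code from the paper or from any of the tools it cites; the signature patterns, the example URLs and response bodies, and the table of what the high-interaction component "would observe" are constructed assumptions that stand in for a real browser running inside a virtual machine.

```python
# Added example (not code from the paper or from any of the tools it cites): a hybrid
# pipeline in which a low interaction pattern-matching component triages HTTP
# responses, hands only suspicious URLs to a (simulated) high interaction component,
# cross-checks a sample of the rest to find what pattern matching missed, and
# reports the FP and FN rates used as the accuracy measure in section VI.B.
import random
import re

# Low interaction component: static signatures over the server's response body.
# These patterns are illustrative assumptions, not a real signature set.
SIGNATURES = [
    ("hidden_iframe", re.compile(r"<iframe[^>]*\b(width|height)\s*=\s*[\"']?0\b", re.I)),
    ("eval_unescape", re.compile(r"eval\s*\(\s*unescape\s*\(", re.I)),
    ("encoded_blob", re.compile(r"(%u[0-9a-f]{4}){8,}", re.I)),
]


def low_interaction_scan(body):
    """Names of matched signatures; an empty list means 'looks benign'."""
    return [name for name, rx in SIGNATURES if rx.search(body)]


def high_interaction_check(url, observed_state_changes):
    """Stand-in for the high interaction component. In a real deployment this opens
    the URL in a real browser inside a VM and runs an integrity check; here a
    constructed table of what that check would observe plays its role."""
    return bool(observed_state_changes.get(url, False))


def hybrid_pipeline(responses, observed_state_changes, sample_rate=0.1, rng=None):
    """responses: url -> response body (the crawler's output queue).
    Returns (verdicts: url -> True if malicious, audit trail)."""
    if rng is None:
        rng = random.Random(0)  # seeded so a run is reproducible
    verdicts = {}
    audit = {"escalated": [], "sampled": [], "missed_by_low": []}
    for url, body in responses.items():
        if low_interaction_scan(body):
            # Suspicious: spend the slow, expensive check only here.
            audit["escalated"].append(url)
            verdicts[url] = high_interaction_check(url, observed_state_changes)
        elif rng.random() < sample_rate:
            # A small sample of 'benign' verdicts is re-checked to measure misses.
            audit["sampled"].append(url)
            verdicts[url] = high_interaction_check(url, observed_state_changes)
            if verdicts[url]:
                audit["missed_by_low"].append(url)
        else:
            verdicts[url] = False
    return verdicts, audit


def accuracy(verdicts, ground_truth):
    """FP rate over truly benign URLs and FN rate over truly malicious URLs."""
    negatives = [u for u, mal in ground_truth.items() if not mal]
    positives = [u for u, mal in ground_truth.items() if mal]
    fp = sum(1 for u in negatives if verdicts[u])
    fn = sum(1 for u in positives if not verdicts[u])
    return {"fp_rate": fp / len(negatives) if negatives else 0.0,
            "fn_rate": fn / len(positives) if positives else 0.0}


# Constructed corpus (not real sites): response bodies, what a real browser in a
# VM would observe, and the ground truth used only for measuring accuracy.
RESPONSES = {
    "http://benign.example/": "<html><body><h1>Hello</h1></body></html>",
    "http://obf.example/": '<script>eval(unescape("' + "%u4141" * 8 + '"))</script>',
    "http://delayed.example/": '<html><body><p>Welcome</p><script src="/app.js"></script></body></html>',
    "http://video.example/": '<iframe src="http://cdn.example/" width="640" height="360"></iframe>',
    "http://ads.example/": '<iframe src="http://tracker.example/" width=0 height=0></iframe>',
}
OBSERVED_STATE_CHANGES = {"http://obf.example/": True, "http://delayed.example/": True}
GROUND_TRUTH = {u: u in OBSERVED_STATE_CHANGES for u in RESPONSES}

if __name__ == "__main__":
    for rate in (0.0, 1.0):
        verdicts, audit = hybrid_pipeline(RESPONSES, OBSERVED_STATE_CHANGES, sample_rate=rate)
        print(rate, accuracy(verdicts, GROUND_TRUTH), audit["missed_by_low"])
```

The two runs show the trade-off the Discussion describes: with no sampling the page whose response looks clean but compromises the system is a false negative, while the hidden-iframe page that the signatures flag is cleared by the high-interaction check rather than reported as a false positive; raising the sample rate recovers the missed page at the cost of more slow checks, and the "missed_by_low" list is exactly the material from which new low-interaction signatures would be derived.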
Client honeypots use two approaches to detect client-side attacks: pattern matching and integrity check. Each approach has benefits and shortcomings. There are several detection issues in the case of client honeypots which need to be addressed. Nevertheless, some implementations need to be thought of with regard to client honeypots so as to increase their effectiveness, be it in terms of speed or detection accuracy or both. Invisibility is also a big issue regarding client honeypots which needs to be dealt with. Current client honeypots are still in the developing phase. They have various shortcomings relating to their inability to detect and evade various attacks by malicious attackers. In this paper, we introduced factors to measure the effectiveness of client honeypots: speed, detection accuracy and invisibility.

This is a review paper that gives an overview of client honeypots. It discusses in depth various aspects of client honeypots, such as attacks, objective, invisibility, detection and effectiveness. Honeypots being a new technology, they help in three ways, namely prevention, detection and how users react to an attack. Not only are client honeypots cost-effective to deploy and maintain, but they also integrate better into the organization's network. This paper can be of immense help to the novice as well as the experienced in the field of network security with the help of client honeypots.

ACKNOWLEDGEMENT

Sincere thanks to the professors of the Department of Electronics and Communication and the Department of Information and Communication Technology for providing excellent laboratory facilities to carry out the research study and gather valuable knowledge on

REFERENCES

Ren Liu. China virus status & Internet Security Report. 02/eda7daf7970448608b2881d97c9a1868.shtm.
VMware.
Paul Baecher, Markus Koetter, Thorsten Holz, Maximillian Dornseif, and Felix C. Freiling. The nepenthes platform: An efficient approach to collect malware. In Proceedings of the 9th Symposium on Recent Advances in Intrusion Detection (RAID'06), 2006.
Jan Goebel, Thorsten Holz, and Carsten Willems. Measurement and Analysis of Autonomous Spreading Malware in a University Environment. In Proceedings of the 4th Conference on Detection of Intrusions & Malware, and Vulnerability Assessment (DIMVA'07), 2007.
Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis. A multifaceted approach to understanding the botnet phenomenon. In Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, ACM Press, New York, NY, USA, 2006, pp. 41–52.
J. Zhuge, T. Holz, X. Han, C. Song, and W. Zou. Collecting autonomous spreading malware using high-interaction honeypots. In Proceedings of ICICS'07, 2007.
Roger A. Grimes. Tracking malware with honeyclients. /77378 16OPsecadvise1.html.
Kathy Wang. Using Honeyclient to Detect New Attacks. In Proceedings of RECON 2005, Crowne Plaza Montreal, Canada, 2005.
Y.M. Wang, D. Beck, X. Jiang, R. Roussev, C. Verbowski, S. Chen, and S. T. King. Automated web patrol with strider honeymonkeys: Finding web sites that exploit browser vulnerabilities. In Proceedings of the 13th Network and Distributed System Security Symposium (NDSS'06).
nts/686slides itePapers/WSLabsOverview.pdf.
The Honeynet Project. Know Your Enemy: Malicious Web Servers, August 2007. http://www.honeynet.org/papers/
C. Clementson, "Client-Side Threats and a Honeyclient-Based Defense Mechanism, Honeyscout", Master's Thesis, Linköping University Electronic Press, 2009.
C. Seifert, "Know Your Enemy: Behind the Scenes of ://www.honeynet.org/papers/wek
C. Seifert, Improving Detection Speed and Accuracy with Hybrid Client Honeypots, Victoria University of Wellington, PhD Thesis, 2008.
C. Seifert, R. Steenson, T. Holz, Y. Bing, and M. A. Davis, "Know your enemy: Malicious web servers." The /mws/
M. Pennock, S. Lawrence, and L. C. Giles, "Methods for Sampling Pages Uniformly from the World Wide Web", In AAAI Fall Symposium on Using Uncertainty within Computation (North Falmouth 2001), pp. 121–128.
