
Developing Internet Security: The Honeyclient

10:30am 17 September 2010

Peter Komisarczuk FNZCS ITCP

Professor of Computing, Thames Valley University, UK

Drive-by-downloads have developed from a relatively rare occurrence in 2005 into a serious Internet security risk in 2010. A drive-by-download occurs when a web client interacts with a web server and receives a crafted exploit aimed at compromising the client system in some way, for example to install a key logger or to recruit the machine into a botnet for spam or DDoS attacks. The security industry now estimates that 1 in 150 websites is malicious in nature.

Victoria University has been developing techniques for detecting such attacks using tools called client honeypots, or honeyclients, since 2006. Our work has produced Capture-HPC, Capture-BAT and HoneyC, open source systems that actively seek out malicious servers and detect client exploits using API hooking on Windows operating systems to observe the state changes an exploit causes. Victoria University has also undertaken a long-term scan of the .nz domain, sponsored by InternetNZ, looking for these attacks.

The honeyclient systems have developed over the years from supporting Windows XP through to Windows 7, and to a wide variety of web browsers. Tools are also available from the MITRE Corporation and from the Giraffe chapter of the Honeynet Project. The attack space has changed significantly since 2006, when Internet Explorer 6.0 was the predominant attack vector, to today, where the browser space is much more fragmented and includes Firefox, IE 6, 7 and 8, and Chrome. Furthermore, the PDA phone has developed into a mini PC and has become another target for drive-by-download techniques. The mobile phone space has also developed significantly, with new operating systems being released and capabilities for wider interaction with the Internet.

Currently, researchers at Victoria University are developing AI techniques for automating the detection of state changes that denote malicious activity, and investigating how honeyclients can be used effectively to detect mobile phone exploits. This paper reviews drive-by-downloads, honeyclient developments and the changes required as the attack landscape shifts. There are opportunities to develop these open source systems into whitebox tools for the national and international Internet security industry.
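The detection model referred to above (a high-interaction honeyclient visits a URL, monitors the state changes the browser causes, and strips out the ones a benign visit always produces) can be illustrated in a few lines. The following is an added example written for this page, not code from Capture-HPC or any of the Victoria University tools: the event format, the exclusion-list syntax and the two sample visits are all constructed for illustration. It keeps one design point that matters in practice: an exclusion is keyed on the process that caused the change, so a file the browser writes into its own temp directory is ignored, while the browser spawning a new process, or that child process touching the system, is reported.

```python
"""Minimal honeyclient state-change classifier (added example, not Capture-HPC code).

A monitor (in a real honeyclient, a kernel driver or API hooks) reports one
event per observed change. Events that match an exclusion list of ordinary
browser behaviour are dropped; whatever remains marks the visit as malicious.
"""
import re

# Constructed exclusion list: (process, category, regex on the target).
# An event is benign only if THIS process is allowed to make THIS change.
EXCLUSIONS = [
    ("iexplore.exe", "file", r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\"),
    ("iexplore.exe", "file",
     r"^C:\\Users\\[^\\]+\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\"),
    ("iexplore.exe", "registry", r"^HKCU\\Software\\Microsoft\\Internet Explorer\\"),
    # The honeyclient itself launches the browser from the desktop shell.
    ("explorer.exe", "process", r"^iexplore\.exe$"),
]


def parse_event(line):
    """Parse one monitor line in the constructed 'category|process|target' format."""
    category, process, target = line.rstrip("\n").split("|", 2)
    return {"category": category, "process": process, "target": target}


def is_excluded(event, exclusions=EXCLUSIONS):
    """True if some exclusion rule covers this process making this change."""
    return any(
        event["process"].lower() == proc.lower()
        and event["category"] == cat
        and re.search(pattern, event["target"], re.IGNORECASE)
        for proc, cat, pattern in exclusions
    )


def classify_visit(url, event_lines, exclusions=EXCLUSIONS):
    """Classify one visit: any non-excluded state change makes it malicious."""
    events = [parse_event(line) for line in event_lines if line.strip()]
    suspicious = [e for e in events if not is_excluded(e, exclusions)]
    return {
        "url": url,
        "malicious": bool(suspicious),
        "suspicious": [(e["category"], e["process"], e["target"]) for e in suspicious],
    }


# Constructed sample monitor output for a benign page: only browser housekeeping.
BENIGN_VISIT = [
    r"process|explorer.exe|iexplore.exe",
    r"file|iexplore.exe|C:\Users\honey\AppData\Local\Temp\~DF1234.tmp",
    r"registry|iexplore.exe|HKCU\Software\Microsoft\Internet Explorer\Main\Window_Placement",
]

# Constructed sample for a drive-by-download. The dropped executable written
# by the browser into Temp is hidden by the first exclusion rule (a known blind
# spot of path-based exclusions), but the browser starting a new process, and
# that process modifying the hosts file and a Run key, are all reported.
MALICIOUS_VISIT = [
    r"process|explorer.exe|iexplore.exe",
    r"file|iexplore.exe|C:\Users\honey\AppData\Local\Temp\~DF5678.tmp",
    r"file|iexplore.exe|C:\Users\honey\AppData\Local\Temp\svchosts.exe",
    r"process|iexplore.exe|C:\Users\honey\AppData\Local\Temp\svchosts.exe",
    r"file|svchosts.exe|C:\Windows\System32\drivers\etc\hosts",
    r"registry|svchosts.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
]


if __name__ == "__main__":
    for url, log in (("http://benign.example/", BENIGN_VISIT),
                     ("http://bad.example/", MALICIOUS_VISIT)):
        result = classify_visit(url, log)
        print(url, "MALICIOUS" if result["malicious"] else "benign")
        for change in result["suspicious"]:
            print("   ", *change)
```

The exclusion list is where the false-positive and false-negative trade-off lives: too short and every visit is flagged for cache writes, too broad and a dropper that stays inside an excluded path is missed. Keying rules on the originating process, as above, is what lets a honeyclient tolerate noisy browser activity while still catching the process creation that almost every drive-by-download needs.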

About Peter Komisarczuk

Peter Komisarczuk was a Senior Lecturer at Victoria University from 2003 to 2010 before accepting a position as Professor at Thames Valley University in the UK in 2010.

He has researched and taught in computer science, networking and distributed systems, specifically cognitive radio, Internet security and Internet protocols. He is currently Senior Lecturer at Victoria University and Professor of Computing at Thames Valley University, UK.