Web-based Honeypot Decoys
Michael Müter just finished his diploma thesis entitled "Web-based Honeypot Decoys".
Abstract
Honeypots are a well-known technique for gaining more information about how attackers proceed in communication networks. With the constant growth of the Internet, web applications have become more and more attractive and worthwhile targets for attackers. The web-based honeypots that exist so far focus exclusively on a low-interaction approach, which allows only a very limited amount of information about an attack to be monitored and observed.
In this work we extend the concept of honeypots and develop a generic high-interaction web-based honeypot toolkit. The toolkit makes it possible to transform an arbitrary web application into a high-interaction web-based honeypot, which can capture and record every single step an attacker performs on a system. In order to monitor and analyse the large amounts of data a high-interaction system accumulates, we furthermore develop a tool which supports the process of extracting the important information from the collected data. We demonstrate the success of our approach by presenting different results and examples we obtained with our implementation during the last months.
Background
A web application is an application running on a web server, thus offering services to users over a network. The user interaction is done via a web browser, with which the user can enter data, and the results are presented as web pages. This new type of application is becoming more and more popular due to several advantages over traditional applications. First, web applications offer an easy deployment process: the user can use his web browser to access the application and does not have to install an additional program. If the application is upgraded to a new version, this process is transparent to the end user, who does not have to update anything. Moreover, most web applications are platform independent and can be accessed from a wide number of locations, resulting in a return of the "thin client" paradigm. On the other hand, all these facts lead to web applications becoming a more and more attractive target for attackers, and new threats are emerging.
A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. With the help of these "electronic decoys", it is possible to learn more about attacks in communication networks. For example, this methodology helped to learn more about the background of bots & botnets or phishing.
The question is now: Can the concept of honeypots also be applied to the area of web applications?
Task
Explore the possibilities of using the concept of honeypots in the area of web applications. In the first step, prior work in this area has to be examined in order to find out the current state of the art. Afterwards, a web-based honeypot decoy system should be implemented that is capable of learning more about ongoing attacks.
The web-based honeypot emulates a couple of real web applications, for example phpMyAdmin and PHP-Nuke. These emulations are strictly observed to learn more about the background. In addition, the emulation should be able to interpret ongoing attacks to extract as much information as possible. All collected data is centralized to enable a mechanism for data correlation.
The resulting honeypot is tested in the wild to learn more about attacks against web applications and to show the usefulness of this approach.


