Identifying and Analyzing Web Server Attacks
Abstract: Client honeypots can be used to identify malicious web servers that attack web browsers and push malware to client machines. Merely recording network traffic is insufficient to perform comprehensive forensic analyses of such attacks. Custom tools are required to access and analyze network protocol data. Moreover, specialized methods are required to perform a behavioral analysis of an attack, which helps determine exactly what transpired on the attacked system. This paper proposes a record/replay mechanism that enables forensic investigators to extract application data from recorded network streams and allows applications to interact with this data in order to conduct behavioral analyses. Implementations for the HTTP and DNS protocols are presented and their utility in network forensic investigations is demonstrated.
- Research Organization: Pacific Northwest National Lab. (PNNL), Richland, WA (United States)
- Sponsoring Organization: USDOE
- DOE Contract Number: AC05-76RL01830
- OSTI ID: 983441
- Report Number(s): PNNL-SA-73587; TRN: US201014%%206
- Resource Relation: Related Information: Advances in Digital Forensics IV, 151-161
- Country of Publication: United States
- Language: English