Justifying the need for forensically ready protocols: A case study of identifying malicious web servers using client honeypots

Seifert, Christian; Endicott-Popovsky, Barbara E; Frincke, Deborah A; Komisarczuk, Peter; Muschevici, Radu; Welch, Ian D

Title: Justifying the need for forensically ready protocols: A case study of identifying malicious web servers using client honeypots

Full Record
Other Related Research

Abstract

Abstract: Client honeypot technology can find malicious web servers that attack web browsers and push malware, so called drive-by-downloads, to the client machine. Merely recording the network traffic is insufficient to perform an efficient forensic analysis of the attack. Custom tools need to be developed to access and examine the embedded data of the network protocols. Once the information is extracted from the network data, it cannot be used to perform a behavioral analysis on the attack, therefore limiting the ability to answer what exactly happened on the attacked system. Implementation of a record/ replay mechanism is proposed that allows the forensic examiner to easily extract application data from recorded network streams and allows applications to interact with such data for behavioral analysis purposes. A concrete implementation of such a setup for HTTP and DNS protocols using the HTTP proxy Squid and DNS proxy pdnsd is presented and its effect on digital forensic analysis demonstrated.

Authors:: Seifert, Christian; Endicott-Popovsky, Barbara E; Frincke, Deborah A; Komisarczuk, Peter; Muschevici, Radu; Welch, Ian D

Publication Date:: Thu Jan 03 00:00:00 EST 2008

Research Org.:: Pacific Northwest National Lab. (PNNL), Richland, WA (United States)

Sponsoring Org.:: USDOE

OSTI Identifier:: 983444

Report Number(s):: PNNL-SA-73586
TRN: US201014%%207

DOE Contract Number:: AC05-76RL01830

Resource Type:: Conference

Resource Relation:: Conference: Proceedigns of the 4th Annual IFIP WG 11.9 International Conference on Digital Forensics, 151-161

Country of Publication:: United States

Language:: English

Subject:: 97 MATHEMATICAL METHODS AND COMPUTING; COMPUTER NETWORKS; SECURITY; DETECTION; SABOTAGE; Security; Digital Forensics; Client Honeypots; Network Forensics

Citation Formats


                    Seifert, Christian, Endicott-Popovsky, Barbara E, Frincke, Deborah A, Komisarczuk, Peter, Muschevici, Radu, and Welch, Ian D. Justifying the need for forensically ready protocols: A case study of identifying malicious web servers using client honeypots.  United States: N. p., 2008. 
        Web.

Copy to clipboard


                    Seifert, Christian, Endicott-Popovsky, Barbara E, Frincke, Deborah A, Komisarczuk, Peter, Muschevici, Radu, & Welch, Ian D. Justifying the need for forensically ready protocols: A case study of identifying malicious web servers using client honeypots.  United States.

Copy to clipboard


                    Seifert, Christian, Endicott-Popovsky, Barbara E, Frincke, Deborah A, Komisarczuk, Peter, Muschevici, Radu, and Welch, Ian D. 2008.  
        "Justifying the need for forensically ready protocols: A case study of identifying malicious web servers using client honeypots".  United States.

Copy to clipboard


                    
@article{osti_983444,

  title        = {Justifying the need for forensically ready protocols: A case study of identifying malicious web servers using client honeypots},

  author       = {Seifert, Christian and Endicott-Popovsky, Barbara E and Frincke, Deborah A and Komisarczuk, Peter and Muschevici, Radu and Welch, Ian D},

  abstractNote = {Abstract: Client honeypot technology can find malicious web servers that attack web browsers and push malware, so called drive-by-downloads, to the client machine. Merely recording the network traffic is insufficient to perform an efficient forensic analysis of the attack. Custom tools need to be developed to access and examine the embedded data of the network protocols. Once the information is extracted from the network data, it cannot be used to perform a behavioral analysis on the attack, therefore limiting the ability to answer what exactly happened on the attacked system. Implementation of a record/ replay mechanism is proposed that allows the forensic examiner to easily extract application data from recorded network streams and allows applications to interact with such data for behavioral analysis purposes. A concrete implementation of such a setup for HTTP and DNS protocols using the HTTP proxy Squid and DNS proxy pdnsd is presented and its effect on digital forensic analysis demonstrated.},

  doi          = {},

  url          = {https://www.osti.gov/biblio/983444},
  journal      = {},
number       = ,

  volume       = ,

  place        = {United States},

  year         = {Thu Jan 03 00:00:00 EST 2008},

  month        = {Thu Jan 03 00:00:00 EST 2008}

}

Copy to clipboard

Conference:

Other availability

Please see Document Availability for additional information on obtaining the full-text document. Library patrons may search WorldCat to identify libraries that hold this conference proceeding.

Save / Share:

Export Metadata

Save to My Library

Similar records in OSTI.GOV collections:

Identifying and Analyzing Web Server Attacks

Book Seifert, Christian; Endicott-Popovsky, Barbara; Frincke, Deborah; ...

Abstract: Client honeypots can be used to identify malicious web servers that attack web browsers and push malware to client machines. Merely recording network traffic is insufficient to perform comprehensive forensic analyses of such attacks. Custom tools are required to access and analyze network protocol data. Moreover, specialized methods are required to perform a behavioral analysis of an attack, which helps determine exactly what transpired on the attacked system. This paper proposes a record/replay mechanism that enables forensic investigators to extract application data from recorded network streams and allows applications to interact with this data in order to conduct behavioralmore »« less
Use of Deception to Improve Client Honeypot Detection of Drive-by-Download Attacks

Book Popovsky, Barbara; Narvaez Suarez, Julia; Seifert, Christian; ...

This paper presents the application of deception theory to improve the success of client honeypots at detecting malicious web page attacks from infected servers programmed by online criminals to launch drive-by-download attacks. The design of honeypots faces three main challenges: deception, how to design honeypots that seem real systems; counter-deception, techniques used to identify honeypots and hence defeating their deceiving nature; and counter counter-deception, how to design honeypots that deceive attackers. The authors propose the application of a deception model known as the deception planning loop to identify the current status on honeypot research, development and deployment. The analysis leadsmore »« less
FORENSIC ANALYSIS OF WINDOW’S® VIRTUAL MEMORY INCORPORATING THE SYSTEM’S PAGEFILE COUNTERINTELLIGENCE THROUGH MALICIOUS CODE ANALYSIS

Other Stimson, Jared; Murphy, Edward

FORENSIC ANALYSIS OF WINDOW’S® VIRTUAL MEMORY INCORPORATING THE SYSTEM’S PAGEFILE Computer Forensics is concerned with the use of computer investigation and analysis techniques in order to collect evidence suitable for presentation in court. The examination of volatile memory is a relatively new but important area in computer forensics. More recently criminals are becoming more forensically aware and are now able to compromise computers without accessing the hard disk of the target computer. This means that traditional incident response practice of pulling the plug will destroy the only evidence of the crime. While some techniques are available for acquiring the contentsmore »« less
Using the Domain Name System to Thwart Automated Client-Based Attacks

Technical Report Taylor, Curtis; Shue, Craig

On the Internet, attackers can compromise systems owned by other people and then use these systems to launch attacks automatically. When attacks such as phishing or SQL injections are successful, they can have negative consequences including server downtime and the loss of sensitive information. Current methods to prevent such attacks are limited in that they are application-specific, or fail to block attackers. Phishing attempts can be stopped with email filters, but if the attacker manages to successfully bypass these filters, then the user must determine if the email is legitimate or not. Unfortunately, they often are unable to do so.more »« less
https://doi.org/10.2172/1024283

Full Text Available
ShadowNet: An Active Defense Infrastructure for Insider Cyber Attack Prevention

Conference Cui, Xiaohui; Beaver, Justin; Treadwell, Jim

The ShadowNet infrastructure for insider cyber attack prevention is comprised of a tiered server system that is able to dynamically redirect dangerous/suspicious network traffic away from production servers that provide web, ftp, database and other vital services to cloned virtual machines in a quarantined environment. This is done transparently from the point of view of both the attacker and normal users. Existing connections, such as SSH sessions, are not interrupted. Any malicious activity performed by the attacker on a quarantined server is not reflected on the production server. The attacker is provided services from the quarantined server, which creates themore »« less

Similar Records