Hosting Services with Self-Learning Honeypots
We suppose that hosting service providers would like to monitor the web sites under their service. To monitor access to and the behavior of their web servers, providers generally collect and analyze security logs. By analyzing those logs and extracting the anomalous parts, they can grasp the occurrence of web attacks against their web sites. However, in many cases, it is difficult to analyze such attacks with full information. First, the hosting service does not have a huge database to store full logs or information. Second, there is a contract about the protection of personal information, such that a hosting service provider never collects detailed information about its customers (web site operators).

As another approach, it is effective for hosting service providers to construct server-side honeypots and observe malicious access to them. A honeypot is a decoy system for monitoring and logging the activities of entities that probe, attack or compromise it. The providers can find malicious access with sufficient logs and can grasp what kinds of attacks occur on the Internet. However, honeypots cannot always observe all types of attacks. Because of the diversity of web sites, honeypots cannot simulate all kinds of web site interactions. As mentioned in , it is hard to construct honeypots with intelligent interactions. Thus, existing honeypots can observe only limited web attacks.
In this paper, we propose a novel approach for keeping up with security intelligence and strengthening countermeasures against web attacks on a hosting service. This approach is a combination of log analysis and honeypot observation. We present our approach as a system on a hosting service, Wamber. We assume that it is possible to extract suspicious web requests from the deficient log. From those suspicious web requests, we can regenerate web request and response interactions by sending such requests to the real web sites on the hosting service. The honeypot therefore learns the real interactions based on the suspicious web requests. When the same suspicious request arrives at the honeypot, it can observe the traffic with the learned interactions to make sure the requests are indeed malicious. Thus, the hosting service providers gain more information about attacks against their hosting services. Such information can be used to write signatures for IDS and IPS to further protect the web sites.

We also describe a scenario in which our approach can gain detailed information about suspicious requests extracted from a hosting service at our university. In our case study, our approach gains information that helps hosting providers understand the requests and prevent them as attacks with strong confidence.

The rest of this paper is organized as follows. In section 2, we describe related work. In section 3, we define the situations around hosting services. In section 4, we set out the problems in keeping up and strengthening security intelligence on a hosting service. In section 5, we present a novel type of web attack observing system with a self-propagated honeypot, Wamber. In section 6, we describe the case study with our university hosting service. In section 7, we discuss the limitations and requirements of Wamber.
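The learn-then-observe loop proposed above, as an added Python example that is not code from the paper or from Wamber: suspicious requests are replayed against the real site, the replies are stored, and the honeypot answers the same request with the learned reply while recording the full request. The names LearningHoneypot, request_key and fake_real_site, the rule that two requests are "the same" when method, path and query parameters match, the 404 fallback and all sample requests are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

def request_key(method, url):
    """Normalize a request so a repeat of it matches (assumed matching rule)."""
    parts = urlsplit(url)
    query = tuple(sorted(parse_qsl(parts.query, keep_blank_values=True)))
    return (method.upper(), parts.path, query)

class LearningHoneypot:
    def __init__(self, replay):
        self.replay = replay      # callable(method, url) -> (status, body)
        self.learned = {}         # request key -> reply learned from the real site
        self.observations = []    # full detail of every request the honeypot sees

    def learn(self, suspicious_requests):
        """Replay each suspicious request against the real site, store the reply."""
        for method, url in suspicious_requests:
            key = request_key(method, url)
            if key not in self.learned:
                self.learned[key] = self.replay(method, url)

    def handle(self, method, url, headers, body=b""):
        """Answer an incoming request and record what the deficient log omits."""
        key = request_key(method, url)
        known = key in self.learned
        self.observations.append({"method": method, "url": url, "body": body,
                                  "headers": dict(headers), "learned": known})
        return self.learned[key] if known else (404, b"Not Found")

# Constructed stand-in for a hosted web site; a deployment would send real HTTP.
def fake_real_site(method, url):
    if urlsplit(url).path == "/cms/upload.php":
        return (200, b"<form method='post' enctype='multipart/form-data'>")
    return (404, b"Not Found")

# Constructed suspicious requests, as if extracted from the hosting log.
SUSPICIOUS = [("GET", "/cms/upload.php?dir=tmp&mode=1"), ("GET", "/old/admin.php")]

def demo():
    pot = LearningHoneypot(fake_real_site)
    pot.learn(SUSPICIOUS)
    # The same request arrives at the honeypot with its parameters reordered.
    reply = pot.handle("get", "/cms/upload.php?mode=1&dir=tmp", {"User-Agent": "constructed"})
    miss = pot.handle("GET", "/never/seen", {})
    return reply, miss, pot

if __name__ == "__main__":
    reply, miss, pot = demo()
    print(reply, miss, len(pot.observations))
```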
Honeypots are decoy systems for monitoring and logging the activities of entities that probe, attack or compromise them. Nepenthes, Dionaea and DShield are famous server-side honeypot systems. They behave as servers with many vulnerabilities attractive to malware and attackers. In , Yagi et al. proposed high-interaction web honeypots. Their honeypot handles interactions for multiple kinds of requests by absorbing the differences in path structure. Muter et al. proposed a PHP web application honeypot in . Their honeypot simulates the vulnerabilities of several famous PHP modules. Glastopf is a web application honeypot. It can emulate web interactions based on data gathered from attacks against web applications. In , Mphango et al. improved Glastopf to adopt the behavior of dynamic web applications. To observe the real interactions between a web server and attackers, Hirata et al. proposed live migration-based honeypots in . In their proposal, a network switch controls malicious traffic to a real web server and leads it to a decoy similar to the web server.

To deceive attackers who access honeypots, there are works focused on sophisticating honeypot responses. Hayatle et al. implemented a Markov Decision Process (MDP) for honeypot interactions in . This shows honeypot operators the optimal strategy when they face unknown attacks. In , Zhao et al. applied agent-based optimization to honeypot emulation. Their method emulates through finite state machine (FSM) models with agent-based optimization, and they implemented it on a POP3 email server. Honeyd emulates multiple operating systems. Honeyd connects virtual honeypots that each have a different operating system and simulates responses. John et al. proposed a honeypot system that can observe attackers' behavior by presenting vulnerable web pages in . It generates those web pages with a given query and by crawling the Internet. They also implemented their proposed system and succeeded in profiling attackers' behavior. Canali et al. deployed a honeypot system that can simulate multiple kinds of web applications and observed attack steps against web applications in . Wonky et al. present a system in which multiple honeypots are connected through an OpenFlow switch in . By multicasting the malicious traffic to those honeypots, the system can receive the most suitable response. Zakaira et al. referred to applying artificial intelligence techniques to honeypot development in . They examined the approaches of applying an expert system and case-based reasoning. Wagener et al. proposed a honeypot capable of learning from attackers and configuring its interactions in . Their honeypot applies a stochastic game and simultaneous learning and adaptation.