Share on Facebook Tweet on Twitter Share on LinkedIn Share by email
Heat-seeking Honeypots: Design and Experience

John P. John, Fang Yu, Yinglian Xie, Arvind Krishnamurthy, and Martin Abadi

Abstract

Many malicious activities on the Web today make use of compromised Web servers, because these servers often have high pageranks and provide free resources. Attackers are therefore constantly searching for vulnerable servers. In this work, we aim to understand how attackers find, compromise, and misuse vulnerable servers. Specifically, we present heatseeking honeypots that actively attract attackers, dynamically generate and deploy honeypot pages, then analyze logs to identify attack patterns.

Over a period of three months, our deployed honeypots, despite their obscure location on a university network, attracted more than 44,000 attacker visits from close to 6,000 distinct IP addresses. By analyzing these visits, we characterize attacker behavior and develop simple techniques to identify attack traffic. Applying these techniques to more than 100 regular Web servers as an example, we identified malicious queries in almost all of their logs.

Details

Publication typeInproceedings
PublisherWWW 2011
> Publications > Heat-seeking Honeypots: Design and Experience