The Design And Implementation Of High-Interaction Honeypots Based Malicious Web Pages Detecting System

Posted on: 2012-02-07
Degree: Master
Type: Thesis
Country: China
Candidate: H Y Liu
GTID: 2178330335460747
Subject: Computer Science and Technology
Abstract/Summary:
The Internet has brought prosperity and major changes to the world. However, as more and more Web services, programs and web sites are developed, Web vulnerabilities have sprung up. In recent years there has been an increase in a particular type of attack: client-side attacks, which target clients. Because they are easier and more convenient to carry out, client-side attacks have become a severe threat on today's Internet. High-interaction client honeypots are a computer security technology that can detect client-side attacks. A high-interaction client honeypot identifies malicious servers by interacting with potentially malicious servers from a dedicated virtual machine and observing changes in that machine's system state. If a system state change is detected, the server the honeypot interacted with is classified as malicious, since no other activity occurs on the dedicated client machine.

This paper first introduces the concept of malware and the technology and detection of client-side attacks, and analyzes in detail the advantages and disadvantages of current high-interaction honeypots. For example, high-interaction client honeypots are not good enough at detecting malicious web pages that carry a rootkit, which is used to hide the presence of a malicious object (process, file, registry key, network port). Second, when collecting malicious web pages we found that the pages reached by web crawlers are the real hosts of malicious content. After we added web crawler technology to the high-interaction honeypot, the experimental results indicate that the correct ratio in detecting malicious pages rose noticeably.

In consideration of these two points, we add web crawlers and anti-rootkit techniques to a high-interaction client honeypot, and design and implement a new malicious web page detection system. We analyze and research both technologies extensively. First, high-interaction honeypots must monitor the state of all files, processes and registries, so detection speed is relatively slow. However, the web crawler we designed not only raises the correct ratio but also has little impact on detection speed; that is, our web crawler is well suited to high-interaction honeypots. Second, on the basis of a detailed analysis of current general anti-rootkit methods, we provide an integrated detection method. The results show that the new method has great advantages in detecting malicious web pages.
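The state-change classification described in the abstract, together with a cross-view comparison for rootkit-hidden objects, can be sketched as follows. This is an added example, not code from the thesis: the snapshot format, function names and sample data are assumptions, and cross-view comparison is one common anti-rootkit technique, not necessarily the thesis's integrated method.

```python
CATEGORIES = ("files", "processes", "registry")

def diff_state(before, after):
    """Diff two snapshots shaped {category: {object_name: fingerprint}}."""
    changes = {}
    for cat in CATEGORIES:
        old, new = before.get(cat, {}), after.get(cat, {})
        delta = {
            "added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
        }
        if any(delta.values()):
            changes[cat] = delta
    return changes

def hidden_objects(api_view, raw_view):
    """Cross-view check: objects a low-level scan sees but the OS API listing omits."""
    hidden = {}
    for cat in CATEGORIES:
        missing = sorted(raw_view.get(cat, {}).keys() - api_view.get(cat, {}).keys())
        if missing:
            hidden[cat] = missing
    return hidden

def classify(url, baseline, after_api, after_raw):
    """Any change or hidden object after the visit marks the URL as malicious."""
    changes = diff_state(baseline, after_raw)
    hidden = hidden_objects(after_api, after_raw)
    return {"url": url, "malicious": bool(changes or hidden),
            "changes": changes, "hidden": hidden}

# Constructed snapshots for illustration (not data from the thesis).
BASELINE = {
    "files": {"C:/Windows/win.ini": "a1"},
    "processes": {"iexplore.exe": "p1"},
    "registry": {"HKLM/Software/Run": "r1"},
}
DROPPER_AFTER = {**BASELINE, "files": {"C:/Windows/win.ini": "a1", "C:/Temp/x.exe": "b2"}}
ROOTKIT_RAW = {**BASELINE, "processes": {"iexplore.exe": "p1", "hidden.exe": "p9"}}
ROOTKIT_API = BASELINE  # the rootkit filters its process out of API listings

if __name__ == "__main__":
    for url, api, raw in [
        ("http://clean.example/", BASELINE, BASELINE),
        ("http://dropper.example/", DROPPER_AFTER, DROPPER_AFTER),
        ("http://rootkit.example/", ROOTKIT_API, ROOTKIT_RAW),
    ]:
        print(classify(url, BASELINE, api, raw))
```

In the rootkit case a diff of the API view alone reports no change, which is the detection gap the abstract attributes to existing high-interaction client honeypots.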
Keywords/Search Tags: Malicious web pages, High interaction, Web crawlers, Rootkit