Behind the Scenes of Online Attacks: an Analysis of Exploitation Behaviors on the Web

Web attacks are nowadays one of the major threats on the Internet, and several studies have analyzed them, providing details on how they are performed and how they spread. However, no study seems to have sufficiently analyzed the typical behavior of an attacker after a website has been compromised. This paper presents the design, implementation, and deployment of a network of 500 fully functional honeypot websites, hosting a range of different services, whose aim is to attract attackers and collect information on what they do during and after their attacks. In 100 days of experiments, our system automatically collected, normalized, and clustered over 85,000 files that were created during approximately 6,000 attacks. Labeling the clusters allowed us to draw a general picture of the attack landscape, identifying the behavior behind each action performed both during and after the exploitation of a web application.
