Abstract—Malicious web pages that launch client-side attacks on web browsers have become an increasing problem in recent years. High-interaction client honeypots are security devices that can detect these malicious web pages on a network. However, high-interaction client honeypots are both resource-intensive and unable to handle the increasing array of vulnerable clients. This paper presents a novel classification method for detecting malicious web pages that involves inspecting the underlying server relationships. Because of the unique structure of malicious front-end web pages and centralized exploit servers, merely counting the number of domain name extensions and DNS servers used to resolve the host names of all web servers involved in rendering a page is sufficient to determine whether a web page is malicious or benign, independent of the vulnerable web browser targeted by these pages. Combining high-interaction client honeypots and this new classification method into a hybrid system leads to performance improvements.

Computers connected to a network are at risk of being attacked remotely. In recent years, there has been an increase of a particular type of attack: client-side attacks. These attacks target clients. As the client accesses a malicious server, the server delivers the attack to the client as part of the server’s response to a client request. Common examples of these attacks are web servers that attack web browsers. As the web browser requests content from a web server, the server returns a malicious page that attacks the browser. If successful, the web server could, for example, install arbitrary programs on the client machine. Client honeypots are a computer security technology that can find these malicious servers on a network. Client honeypots are dedicated devices that interact with potential malicious servers. Traditional client honeypots, so called high interaction client honeypots, classify a server as malicious once unauthorized state changes are detected on the client machine. These state changes, for example the appearance of a new file on the client, indicate that the client has been successfully

This paper introduces the Grid Enabled Internet Instrument concept and discusses instruments that are being developed at Victoria University to measure Internet quality. The first instrument is a Grid version of the network telescope for studying Internet Background Radiation (IBR) and the second is a hybrid client honeypot system using high and low interaction devices for scanning the web for malicious content and servers. A third instrument on VOIP quality has been approached through simulation. The GEII framework is a work in progress and the initial design is introduced in this paper as the basis of a new Grid of Internet sensors that could be deployed to improve Internet measurement and gain a global insight to Internet quality. Keywords-component; IBR, honeypot, measurement, Grid I.

Abstract—Malicious web pages that launch client-side attacks on web browsers have become an increasing problem in recent years. High- interaction client honeypots are security devices that can detect these malicious web pages on a network. However, high-interaction client honeypots are both resource-intensive and known to miss attacks. This paper presents a novel classification method for detecting malicious web pages that involves inspecting the underlying static attributes of the initial HTTP response and HTML code. Because malicious web pages import exploits from remote resources and hide exploit code, static attributes characterizing these actions can be used to identify a majority of malicious web pages. Combining high-interaction client honeypots and this new classification method into a hybrid system leads to significant performance improvements.

Abstract—Modern attacks are being made against client side applications, such as web browsers, which most users use to surf and communicate on the internet. Client honeypots visit and interact with suspect web sites in order to detect and collect information about malware to protect users from malicious websites or to allow security professionals to investigate malicious content. This paper will present the idea of using web-based technology and integrating it with a client honeypot by building a low interaction client honeypot tool called Honeyware. It describes the benefits of Honeyware as well as the challenges of a low interaction client honeypot and provides some ideas for how these challenges could be overcome.