The Art of False Alarms in the Game of Deception: Leveraging Fake Honeypots for Enhanced Security

Apostolis Zarras

48th IEEE International Carnahan Conference on Security Technology (ICCST), Rome, Italy, October 2014


The great popularity of the Internet increases the concern for the safety of its users as many malicious Web pages pop up in daily basis. Client honeypots are tools, which are able to detect malicious Web pages, which aim to infect their visitors. These tools are widely used by researchers and anti-virus companies in their attempt to protect Internet users from being infected. Unfortunately, cyber-criminals are becoming aware of this type of detection and create evasion techniques that allow them to behave in a benign way when they feel to be threatened. This bi-faceted behavior enables them to operate for a longer period, which translates in more profit. Hence, these deceptive Web pages pose a significant challenge to existing client honeypot approaches, making them incapable to detect them when exhibit the aforementioned behavior.

In this paper, we mitigate this problem by designing and developing a framework that benefits from this bi-faceted behavior. Our main goal is to protect users from being infected. More precisely, we leverage the evasion techniques used by cyber-criminals and implement a prototype, called Scarecrow, which triggers false alarms in the cases of deceptive Web pages. Consequently, the users that use Scarecrow for Web surfing can remain protected, even if they visit a malicious Website. We evaluate our implementation against malicious URLs provided by a large anti-virus company and show that when Scarecrow is deployed, malicious Websites with bi-faceted behavior do not launch their attacks against normal users.


tags: honeypots