Atinder Pal Singh, Birinder Singh / International Journal of Engineering Research and                    Applications (IJE...
Atinder Pal Singh, Birinder Singh / International Journal of Engineering Research and                    Applications (IJE...
Atinder Pal Singh, Birinder Singh / International Journal of Engineering Research and                    Applications (IJE...
Atinder Pal Singh, Birinder Singh / International Journal of Engineering Research and                    Applications (IJE...
Atinder Pal Singh, Birinder Singh / International Journal of Engineering Research and                    Applications (IJE...
Atinder Pal Singh, Birinder Singh / International Journal of Engineering Research and                       Applications (...
Atinder Pal Singh, Birinder Singh / International Journal of Engineering Research and                             Applicat...
Atinder Pal Singh, Birinder Singh / International Journal of Engineering Research and                     Applications (IJ...
Upcoming SlideShare
Loading in …5



Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide


  1. 1. Atinder Pal Singh, Birinder Singh / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 2, Issue 5, September- October 2012, pp.1135-1142 Design and Implementation of Linux Based Hybrid Client Honeypot Incorporating Multi Layer Detection Atinder Pal Singh*, Birinder Singh** *(Department of Computer Science, Baba Banda Singh Bahadur Engineering College- Punjab Technical University) ** (Department of Computer Science, Baba Banda Singh Bahadur Engineering College - Punjab Technical University)ABSTRACT In current global internet cyber space, the users. The malwares propagating in networkthe number of targeted client side attacks are have become the biggest threat to the increasingincreasing that lead users to adversaries web internet. From past few years, malwares targetingsites and exploit web browser vulnerabilities is the client side applications are increasing inincreasing, therefore there is requirement of evolutionary manner. In response to this increasingstrong mechanisms to fight against these kinds of malware attacks, honeypots has emerged as one ofattacks. In this paper, we present the design and the popular practical defense technique. Theimplementation of a client honeypot which Honeypots are the information system resourcesincorporate the functionality of both low and capable to attract, capture and collect malwarehigh interaction honeyclient solution and attacks. While the fight is ongoing on the Internetincorporate the multi layer detection mechanisms between blackhats and whitehats, attackers haveto fight against client side targeted attacks. As started to transfer the battlefield to the client user; aslow interaction client honeypot are fast in they believe the client applications are more likely toprocessing of websites but unable to detect zero- have security breaches and vulnerabilities. Clientday attacks whereas high interaction client user has become the weakest link in the networkhoneypots are able to detect zero day attacks but security chain, and since the security chain is onlyvery high resource intensive. On the basis of the robust as its weakest link, we need to detect attacksproblems of existing client honeypots, we against client side to protect the whole securityformulate the requirements of this hybrid system [1] [17] [18].honeyclient solution in terms of defending clientside attacks. Our system is tested by visiting of The first implementations of bait system conceptsvarious malicious websites and detection of were introduced in information security in the latemalwares dropped on the system is detected. Also 1980s [2] [19]. The idea has always been to usean approach is also been discussed to deploy the deception against attackers by mimicking valuablehybrid honeyclient solution for detection of and vulnerable resources to lure them into exploitingmalicious websites and collections of malwares those resources. The purpose of such a strategy isembedded into malicious websites. We are twofold; to gather information on the nature of theensuring that most of software tools used in our attack, attacker, tools and techniques used in theimplementation are open source. process, and to protect operational hosts and servers.. The first implementations of honeypotsKeywords - Honeypots, Client Honeypots, focused on imitating server side services and wereNetwork Intrusion Detection System, Network mainly designed to protect servers and productionSecurity. systems, and gather information on attackers and attacks directed at those services. In recent years, aI. INTRODUCTION change in attack behavior has been detected across The size of the internet has significantly the internet. Instead of putting all the efforts to targetincreased in past few years as well as applications and gain access to production servers, attackers arehosted on internet are increasing exponentially. targeting end-user systems.Internet has become the most popular medium ofcommunication and global information reservoir. Online attacks targeting users’ operating systemWith the increasing popularity of public social through browser and browser vulnerabilities arenetworking sites, the whole universe seems to common threats. Attackers use social engineeringcongregate around internet to get his/her share of techniques to lure users into downloading andweb. Though the general impression is the growing installing malicious software or malware withoutcyber security awareness among the masses, but the disclosing their actual intend. Prompting users toadvanced hacker techniques and sophistication install plug-in to watch online videos and mimickingseems to counter the defensive mechanisms easily themselves as free antivirus software are twoand befool examples of common techniques used by attackers to induce users into installing them. Malicious 1135 | P a g e
  2. 2. Atinder Pal Singh, Birinder Singh / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 2, Issue 5, September- October 2012, pp.1135-1142website are also deployed which contain code that B. Malicious URL Detection Approachesexploit vulnerabilities of popular web browsers, their Figure 1 depicts the approaches used inextensions and plug-ins. Once such a website is detection of malicious websites such as in-builtvisited by a vulnerable browser, the malicious code browser protection based detection; applying someis rendered and executed by the browser’s engine, heuristic based detection and client honeypot basedresulting in exploitation of a particular vulnerability detection approaches. By applying Google safeassociated with the browser or the operating system browsing we can detect malicious URL as well as onand its applications. The infected client system may the basis of in-built browser plug-ins. We can alsothen fetch and install malware from a malware detect malicious URL by applying static analysis orserver or allow an attacker to gain a full control over some machine learning approaches like pattern-the system. matching or java script features. Client Honeypot based detection of malicious URLs is widely usedClient honeypots have been designed to identify for analysis of malicious URL which uses the webmalicious websites, using signature, state, anomaly based propagation medium to infect the end users.and machine learning based detection techniques.There are two kinds of honeypot, server-sidehoneypot and client-side honeypot. Server-sidehoneypot is the traditional honeypot. This kind of Built in Broswer Heuristic Based Honeyclienthoneypot must have some vulnerable service, and protection Detection Based Detectionattacker can detect them, so they are passive • Plug-ins [6] • Static • Lowhoneypots. The concept of client-side honeypot [3] • Google safe Detection[8] Interaction[10]was brought forward by Lance Spitzner. Client-side browsing [7] • Machine • Highhoneypot aims at vulnerabilities of client Learning Based Interaction[10]applications. It needs a data source, and visits the Detection[9]data source actively, and detects all activities tojudge if it is safe. Client-side honeypot actively"requests" to accept attack. This kind of honeypot Fig. 1. Malicious URL Detection Approachesactively acquires malware spreading through clientapplication software which traditional honeypot Honeypotcan’t get [4]. Honeypots are the types of resources whose values are being attacked or probed by the attacker.The format of the remaining paper is: section 2, Generally honeypots are used for gathering thedefines and explains the technology that has been intelligent information about the attacker or blackemployed and discusses the client honeypots in brief hat community targeting the intrenet cyber space. Inand other detection approaches. Section 3 deliberates terms of network security, it is well accepted thatthe framework design and discusses our detailed honeypots play a biggest role including otherdesign of the implemented system. Section 4 security devices such firewall, IDS etc. To make thediscusses conclusion and future work of the research network full proof against attacks, honeypots playproblem. the major role to protect the network from unknown and unclassified kind of attacks. Honeypots also playII. BACKGROUND AND MOTIVATION an important role in protecting servers and hosts against attacks targeted at resources available on aA Malware Types production network by directing attacks to decoy Malware can be defined as “a set of systems. When placed with other technologies suchinstructions that run on your computer and make as intrusion detection system, intrusion preventionyour system do something that an attacker wants it system, firewalls, honeypots become highlyto do” [3]. Once a malicious web page attacks the effective tools against attacks performed by blackuser’s system, then it is able to download malware hat community.including the following, as described by Provos, et Most of the network security devices such asal. [4] and [5]: firewall, intrusion detection system, are based on o Virus pre-defined signatures embedded into them to detect the attacks and prevent the network from these kind o Worm of attacks but what will happen in case of zero day o Trojans attacks when there are no signatures exists in their database, honeypots plays biggest roles here to o Spyware tighten the networks from these kind of nknown attacks. Honeypots are effective tools to detect o Adware internal attacks and propagation of worms within an internal network which other tools such as firewalls o Root kits fail to achieve Usually Honeypots are very different 1136 | P a g e
  3. 3. Atinder Pal Singh, Birinder Singh / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 2, Issue 5, September- October 2012, pp.1135-1142than other network security devices because they arenot directly providing any kind of security to theorganizational network but they give us the useful Users Securityinformation to study the behavior of attackers so thatwe can take the remedial actions further.Honeypots can be classified as per the attack classesand targeted attacks such as server side attacks and Client Client OS Security Anti-virusclient side attacks. Classification of Honeypots can Firewall Applicationsbe as server honeypots and client honeypots. ServerHoneypots which provide us the deep knowledge ofserver side attacks, which are a kind of passivehoneypots. In contrast to server honeypots, clienthoneypots provide us the deep knowledge of client Fig. 2 Home User’s Security Mechanismsside attacks; therefore they are also called as activeHoneypots or Honeyclient. Both of the Honeypot 3.1. Operating system securityTechnology has emerged as a widely research areas Operating system is the platform on whichin the field of cyber security. all other user applications run and resembles the foundation of a building. Microsoft is the dominantClient Honeypot player in operating system market and has a total In recent times, black hat community has share of 94 percent of all operating systems in use.mainly targeting client side applications such While its latest operating system, Windows 7 is theinternet browser, pdf, media player etc. The client most stable and most secure operating system, itshoneypot is new concept [21]and is quite different slow adaptation in home users and corporations hasthan server honeypots. In case of active honeypot, led to wide spread use of older operating systems.client honeypot acts as client and actively visit the According to statistics of the last three month (Nov-website to see whether the attack has happened or Dec-Jan 2010), Windows XP, a popular butnot. Following diagram depicts high interaction and vulnerable operating system has a 50% market sharelow interaction client honeypots. while windows Vista owns 15% followed by Widows 7, 28%. Microsoft provides constant Low Interaction High Interaction updates for these operating systems; it is up to the Client Honeypot Honeyclient user to install these updates. A quick look at the operating system security however, confirms that even with constant update and release of service Real system packs, the number of discovered vulnerabilities have Simulation of with real not decreased dramatically. Based on the report be application applications Secunia, 75 vulnerabilities were discovered in Windows 7 alone in 2010. Windows Vista follows by 89 followed by Windows XP 97 [12]. Can detect zero- Easy to deploy 3.2. Client Firewall day attacks Most recent operating systems come with built in and “enabled by default” firewall package.Fig 2. Client Honeypots Classifications Starting with Windows XP service pack 2 and since, firewall has been enabled by default on all MicrosoftIII. END USER: A SOFT TARGET operating systems. This provides basic protection for There are hosts and servers in production an average home user. Based on a latest study innetwork but end user is simplest and soft target to European Union countries in 2010 [Internet usage inattack for black hat community as they do not like 2010 – Households and Individuals], less than 50network security devices such as firewall, network percent of the users had their firewalled enabled.intrusion detection system and they do not have such Users decide to disable windows firewall because ofkind of luxuries as of host or network based compatibility issues with other programs. Thisintrusion detection system as other security devices. results in significant threat to the security of the hostAlso they are dependent upon others for updating system.their system software. Sometimes end users are notso knowledgeable to tackle the attacks occurred on 3.3. Antivirustheir system. Security of home users mainly revolves Antivirus software is the basic security toolaround the following security mechanisms [11]: installed in end user computer. They mostly rely on signature based detection where executable files are matched against a signature database of known 1137 | P a g e
  4. 4. Atinder Pal Singh, Birinder Singh / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 2, Issue 5, September- October 2012, pp.1135-1142viruses. New versions have run-time scanning malicious code on the local system. The infectedfeature that scans the file in real time and avoids host then fetches more malicious content fromexecution, if a threat is detected. Signature based remote locations and targets local hosts. All this isdetection however results in the antivirus engine done without firewall blocking any connections.failing to detect variants of known viruses, therefore Any NAT implementations are bypassed since oncea constant update of antivirus signature database is a host is infected all connections are initiated fromessential to provide basic protection. Although an inside, which is permitted by firewall.antivirus is fairly effective in detection of knownattacks if updated regularly, they are unable to IV. System Framework Designprotect users from remote port attacks or attacks Here we present the detailed system designdirected at user applications from internet. Latest which takes the benefits of both low interactionsurvey shows that, 25 % of users disabled their honeyclient and high interaction honeyclient. As inantivirus software because they believe this software case of high interaction honeyclient, there are nohave negative impact on their PCs’ performance emulated softwares or applications running into[13].While another study by a research group had system, it provides a real environment to attackers tosimilar results showing around 23% had absolutely take full control of the system, therefore we are ableno active security software installed. Rightfully to detect the zero-day malwares targeting the clientassuming that every computer without any active side applications. Drive-by-download kinds ofprotection would be infected with one type of virus malwares are classical examples which drop onor malware, 23% makes a huge impact not only on user’s system without his knowledge and concern.the infected computers but overall security of the As per the honeyclient technology, the end results isinternet as these infected hosts will be used to attack to collect the number of malwares which includesother hosts across the internet, be a part of DDoS classified as well as unclassified class of malwares.attacks or exploited to deliver Spam [14]. Unclassified malwares here we mean the zero day malwares which are not detected by any signature3.4. Applications based mechanisms. Operating system vulnerabilities are most In case of client honeypots, we actively visit thediscussed in security community but vulnerabilities URLs to get the client machine gets infected by thein user applications cover most of the vulnerabilities malwares dropped on the system. Here we arefound in an end user system. A study by Secunia presenting an example of analysis of URL which ispoints to 729 (Windows XP), 722(Windows Vista) declared malicious by our designed system and weand 709 (Windows 7) available vulnerabilities, in observed that many activities are being performedtop 50 applications on a typical user system [14]. All by that URL and all the activities are being loggedthese applications are offered by 14 vendors. Based into our honeyclient solution.on these numbers, more secured operating systemdoes not necessarily provide a more robust platform In this research, we present the virtual box [16]unless applications are developed in a secured based honeyclient solution which incorporate themanner or patched properly [15]. With increasing extraction of malware binaries from raw PCAP datanumber of users online, application vulnerabilities as well as malwares dropped on a client machine byare the easiest and the main target of such attacks. file system monitoring. Therefore we are able toBased on [15], 84% of all attacks were classified to detect exploits performed by the malicious URL on abe “from remote” while local network or local client system. We can achieve the functionality ofsystem each had 7 % of total attacks. These results both low and high interaction the importance of implementing a robustinternet security while browsing the internet, Figure 3 depicts the system design of honeyclientespecially in applications which directly interact solution. As shown in the figure, we are giving allwith web contents. Internet browsers are the main the URLs into virtual machines where we aretools used to browse and retrieve contents from the actively visiting the web links using real browsers.internet. With increasing popularity of dynamic We can browse multiple bulk lists of URLs insteadinternet contents and online services (i.e. online of single web link which increase the efficiency ofbanking), browsers’ roles have been more than just the high interaction honeyclient and we areto view static contents but rather a part of a new extracting the malware binaries by two ways:wave of user interaction and experience with theweb. With popularity of cloud computing, browser’s  File System monitoring at user spacerole will even be more immanent in the usability ofnovel operating systems. Since browsers are the  Forensic Investigation of raw PCAP datamain tools to interact with online contents, they are agateway into the host operating systems and local All honeypots are running in virtualizednetworks. If a browser is exploited, attackers would environment using open source Virtual able to gain access to system resources and install 1138 | P a g e
  5. 5. Atinder Pal Singh, Birinder Singh / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 2, Issue 5, September- October 2012, pp.1135-1142 o Web Interface ( Need to be Developed) o User interface for Online URL submission o Report generation and download Here we are claiming that developed honeyclient running in virtualized environment, web interface still need to get developed for report generation and single window interface for automated URL submission instead of manually feeding of web links. URL data source: As depicted in figure, for URL data source, we are taking malicious URL lists from google safe browsing for testing of our system. We have tested the system and we are able to extract the malwares binaries dropped on a user’s system, here on a real virtual machine of Window XP. Virtual Honeypots:Fig. 3 Virtual Honeyclient This module plays biggest roles in detection of malicious URLs and collection of malwares droppedURL lists to the client honeypots are provided by the on a system. Here Window XP based OS is used forserver called active honeypot controller. In proposed actively visitations of URLs in virtualizedsystem, there are basically four functional environment using Virtual Box. As shown in thecomponents: URL data source, Virtual Honeypots, figure, base machine which has Linux OperatingCentral database, Analysis Modules. system feed the list of URLs to client machine which is Window XP virtual machine. Monitoring modules o URL data source such as file system monitoring, network monitoring is enabled on client machine during active visit of o Internet Cyber Space { Google the web links. With the help of file system safe browsing) monitoring at user space, we are able to capture malware binaries dropped on client machine and o Spam Mails with network monitoring, we are able to catch raw PCAP data which is later analyzed forensically to o Typo squatting URLs extract the malware binaries and to detect the exploits. o Virtual Client Honeypots  Client Virtual Machine: Window XP with o Virtual Box based client honeypot real browser plug-ins ( Virtual Machines)  Server Machine: Linux Red Hat Enterprise o Database Linux, Pentium IV, 4GB RAM, 200GB o Mysql database HDD o Behavior based analysis Following generic algorithm is used in URL extraction and feed them into virtual machine for o Dynamic execution monitoring actively visiting of them:  Network Monitoring 1. Select list of URL say N in round robin manner from data source module.  File System Monitoring a. N>=1; o Out of Band analysis b. If N is already visited then select o Extraction of malwares from another list of URLs, say M; PCAP data c. Rename M=N; o Offline analysis of PCAP raw data 1139 | P a g e
  6. 6. Atinder Pal Singh, Birinder Singh / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 2, Issue 5, September- October 2012, pp.1135-1142 d. Open clean Virtual Machine, visit V. Working and Experimental Results N list of URLs Here we discuss the working and few experimental results to signify the proper working of e. Stop the machine after complete our developed and implemented honeyclient visit of N URLs solution. To evaluate the system framework, several experimentations have been performed. The URL f. If N is not already visited, submit seed list has been taken from Blacklist Providers the list of URLs into virtual consisting of around 250 URL addresses. Following machine; sections describe in detail the resulting statistics established: g. Repeat steps (b-e) 2. Repeat step 1; The framework presents multiple layers of detection for malicious URLs for detection of malicious websites:  State based monitoring and detection like network monitoring, file system monitoring to detect malwares dropped into system (URLs are being executed in real environment using real browser on Window XP operating system).  Forensic extraction of malwares from raw Fig 5. Honeyclient System Snapshot PCAP data. Figure 5 depicts the working snapshot of the system URL data source with Linux operating system on base machine, Window XP operating system on virtual machine. Virtual machine window is opened when there are list of URLs to be visited. Whenever there are list of web links, virtual machine will be pop up for real URL execution in browsing of URL in round robin fashion. Virtual MachineMalware captured Raw PCAP Dump Investigation of PCAP dataMalware and LogDatabase Fig. 6 Snapshot of Working System Figure 5 depicts the working of our developed Fig. 4 Process Flow of System system, as shown in figure; base machine is having Database Implementation: Linux operating system, send the list of URL to All the collected malwares and other logs client window XP virtual machine. Client virtual such as state logs, pcap data is saved into database. machine is visiting the URL using Internet Explorer. For data design, we have chosen Mysql for our File system monitoring and network monitoring is implementation with which we are quite enabled on client machine. All the logs after comfortable. Malwares metadata stored at database complete visiting of URLs has been sent to base are fetched and analyzed further if required. Further Linux server, from there they are inserted into raw pcap data is analyzed and malware binaries are database for further analysis. extracted from it after making the complete session. 1140 | P a g e
  7. 7. Atinder Pal Singh, Birinder Singh / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 2, Issue 5, September- October 2012, pp.1135-1142 All the functionality of the system is well depicted in PROJECT SUMMARY the above snapshot, whenever there are list of URLs, The summarization of various software and a virtual client XP machine will be opened and hardware used in our project is depicted by the URLs lists will be actively browsed by using real following table 2. In this project we are ensuring that browsers. most of the tools are free and open source. For Virtualization technology, we are using VirtualBox After completion of visit process, virtual client [16]. We are running different Virtual machines on machine will be stopped and it will be off single Red hat linux based Operating System. We completely. For next list of browsing, a clean virtual are using minimum memory of 4GB but large machine will be opened. amount of memory is preferred to run Virtual Machines in Virtualized environment. Below figure 6 represent the functionality of Project Summary honeyclient system with file system monitoring. We can see the complete HTTP communications, Feature Product Specs number of unique IPs in communications, HTTP servers as well as DNS requests made during the Host Red Hat HW Vendor: active browsing of the web link. Operating Enterprise HP Server system Linux 5 Proliant ML 350 Processor: 2.33 GHz Processor RAM :4GB RAM Storage: 2x146 GB NIC : 1 GB Etherenet controller Fig. 7 Honeyclient with File system monitoring Guest Microsoft XP Single processor All the logs captured are saved into database which Operating SP2 Virtual Machine is running on base machine at present for testing System purpose. Presently only the prototype system, we RAM 256MB have tested for proper functioning of individual modules. NIC 100Mbps host-only vmnet Malware MD5 Name Virtualization VirtualBox Virtualbox3.0.2 Software for linuxsysevwx.exe D687BCD7CC2A90FF63C9A5CB1BDE 122A Architecture Hybrid High Honeyclient Throughputsysykeh.exe D687BCD7CC2A90FF63C9A5CB1BDE honeyclient 122A Packet TCPDUMP Tcpdump tool Table 1: Captured Malware Samples Capturing The malware samples captured after visiting a one of File System Mwatcher Real Time File malicious URL on our honeyclient solution is being Monitor System Monitor depicted in table 1. This is just one example; we tool have a more number of malwares samples captured which can be used for analysis. Column 1 depicts Table 2: Software/Hardware used in project the executable malware binaries dropped on a client implementation victim machine, column 2 represent the corresponding MD5 value of this. As we are V. CONCLUSION claiming that this is just one example of downloaded During the course of our research work, we malwares samples, we have larger set of data set implement client honeypot which incorporate the which can be shared on demand basis. 1141 | P a g e
  8. 8. Atinder Pal Singh, Birinder Singh / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 2, Issue 5, September- October 2012, pp.1135-1142multi level detection mechanisms to detect the [6] Secure Browsing | Malware Protection |malicious websites based on linux operating system Trustwaveand by using various open source tools like, VirtualBox. We introduced the category [7] Google Safe Browsingof Internet malware, the client side attack techniques overall framework of the system in detail. We [8] Detection and Analysis of Drive-by-Downloadmainly gave the design and implementation of client Attacks and Malicious JavaScript Codehoneypots based malware collection. During the vigna_Wepawet.pdfwork done so far, client honeypot based solution is [9] Prophiler: A Fast Filter for the Large-Scalevery useful to collect the internet malwares and to Detection of Malicious Web Pagesdetect the malicious websites. vigna_Prophiler.pdfHybrid or multiple level analysis also has the [10] Xiaoyan Sun, Yang Wang, Jie Ren, Yuefei Zhuadvantage of providing an opportunity to detect and Shengli Liu, “Collecting Internet Malwaremalicious content at different stages which can be Based on Client-side Honeypot”, 9th IEEEused as an inline or offline strategy. International Conference for Young Computer Scientists (ICVCS 2008), pp. 1493 – 1498, 2008.Our developed Virtual Box powered Honeyclient is [11] Secunia. (2010), "Factsheets by Windowsvery useful for collection of internet malwares but it Operating System - 2010". 20 - March - 2011];is having a limited capabilities or we can say that it Availablefrom:is just a prototype. There is a requirement of of crawler as data acquirement, in present n_os/.system, there is no such component in our developed [12] PcPitstop. (2010), "The State of PC Security". 20module. Further there is also a possibility of addition - December 2010]; Availableof various client side applications such as firefox, from: etc because currently we only using Internet e-state-of-pc-security/.Explorer for actively visiting the websites. And [13] Secunia. (2010), "Secunia Yearly Report - 2010". Availablethere is also a possibility of addition of automatically of collected malwares. We can confirm that rt_2010.pdf.we cannot cover all the challenges such human user [14] Secunia. (2010), "Research Reports, Factsheet bysimulation, logic bomb, time triggered websites but Browser - 2010". [Cited 2011 5 - January];we have developed a prototype solution to get better Available from:understanding of client honeypots. wsers/.ACKNOWLEDGEMENTS [15] VirtualBox. (2004). Sun VirtualBox® UserWe would like to sincerely thank Dr. Birinder Singh, Manual.HoD, Department of Computer Science for his Available: and help in writing this paper. rManual.html Last accessed 20 July 2008. [16] Sanjeev Kumar, at al, Hybrid Honeypot Framework for Malware Collection andReferences Analysis, ICIIS-2012, IIT Chennai[1] R. Danford, ―2nd Generation Honeyclients‖, [17] SANS Internet Storm Center,2006 [18] [19] ients_Danford_SANS 06.pdf[2] Cheswick, B. (1990), An Evening with Berferd Journal Papers: in which a cracker is Lured, Endured, and [20] Masood Mansoori and Ray Hunt, International Studied: Citeseer. Journal of Network Security & Its Applications[3] Ramaswamy, C. and R. Sandhu. (1998), Role- (IJNSA), Vol.3, No.5, Sep 2011, AN ISP BASED based access control features in commercial NOTIFICATION AND DETECTION SYSTEM database management systems: Citeseer. TO MAXIMIZE EFFICIENCY OF CLIENT[4] Skoudis, E., and Zeltser, L., "Malware: Fighting HONEYPOTS IN PROTECTION OF END users Malicious Code", Prentice Hall,2003, Page 3, ISBN = 978-0131014053. Thesis:[5] [Provos, N., McNamee, D., Mavrommatis, D. W., K and Modadugu, N., the Ghost In The [21] Yaser Alosefer, Analysing Web-based Malware Browser Analysis of Web-based Malware. 2007. Behaviour through Client Honeypots Cardiff [Online]. Available University School of Computer Science & at: Informatics, Feb-2012 ull_papers/provos/provos.pdf [Accessed 11 Feb 2009] 1142 | P a g e