DocumentCode
231019
Title
PythonHoneyMonkey: Detecting malicious web URLs on client side honeypot systems
Author
Shukla, Rohit ; Singh, Monika
Author_Institution
Comput. Sci. & Eng. Dept., Thapar Univ., Patiala, India
fYear
2014
fDate
8-10 Oct. 2014
Firstpage
1
Lastpage
5
Abstract
With increasing awareness of security programming, the number of vulnerabilities in software on a machine has decreased. Exploiting the few vulnerabilities that remain requires attackers to apply skill and effort against various services. Firewalls, access control lists (ACLs), and intrusion detection and prevention systems deployed in an organization are able to block and mitigate direct and known attacks, because those attacks arrive as inbound traffic. Outbound traffic is allowed in organizations, since users must at least be able to download mail and visit external web servers. When a vulnerable application requests traffic from an externally hosted server, the application is exploited, and the user accessing that traffic hands control to attackers listening remotely. To detect this kind of behavior, this paper focuses on deploying a high-interaction honeypot system coupled with an intrusion detection system on different operating system flavors, which work as clients. The clients collect URLs using a specifically crafted web link crawler. These URLs are then visited with the application needed to open them. Finally, if a URL is malicious and exploits the application software, an alert is triggered by the signature-based intrusion detection system deployed on the machine. Based on these alerts, the URLs are stored in a blacklist of malicious URLs. We introduce the design and implementation of this system in this paper.
Keywords
Internet; computer network security; digital signatures; operating systems (computers); PythonHoneyMonkey; Web links crawler; client side honeypot systems; high interaction honeypot system; malicious Web URL detection; operating system; signature based intrusion detection system; Browsers; Crawlers; Internet; Operating systems; Security; Servers; Uniform resource locators;
fLanguage
English
Publisher
IEEE
Conference_Titel
Reliability, Infocom Technologies and Optimization (ICRITO) (Trends and Future Directions), 2014 3rd International Conference on
Conference_Location
Noida
Print_ISBN
978-1-4799-6895-4
Type
conf
DOI
10.1109/ICRITO.2014.7014753
Filename
7014753