DocumentCode :
3512039
Title :
Enhanced attack collection scheme on high-interaction web honeypots
Author :
Yagi, Takeshi ; Tanimoto, Naoto ; Hariu, Takeo ; Itoh, Mitsutaka
Author_Institution :
NTT Inf. Sharing Platform Labs., NTT Corp., Musashino, Japan
fYear :
2010
fDate :
22-25 June 2010
Firstpage :
81
Lastpage :
86
Abstract :
Vulnerabilities in web applications expose computer networks to security threats. In fact, a large number of websites are used by attackers as hopping sites for attacking other websites and user terminals. These incidents prevent service providers from constructing secure networking environments. To protect websites from attacks based on vulnerabilities of web applications, security vendors and service providers collect attack information using web honeypots, which masquerade as vulnerable systems. To gain full access and to launch further network attacks by executing malware, such as a downloader, vendors and providers use high-interaction web honeypots, which are composed of real vulnerable systems and surveillance functions. However, conventional high-interaction web honeypots can collect only limited information and malware from attacks whose path to the destination URL does not match the path structure of the web honeypot, due to the fact that these attacks are failures. To solve this problem, we propose a scheme in which the destination URLs of these attacks are corrected by determining the correct path from the path structure of the web honeypot. Our Internet investigation reveals that 97 percent of attacks are failures. However, we confirmed that about 50 percent of these attacks will succeed with our proposed scheme. With our proposed scheme, we can use much more information to protect websites than with conventional high-interaction web honeypots because we can collect complete information and malware from these attacks.
Keywords :
Algorithm design and analysis; Data models; Internet; Malware; Proposals; Surveillance; URL; honeypot; malware; path; security; web;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Computers and Communications (ISCC), 2010 IEEE Symposium on
Conference_Location :
Riccione, Italy
ISSN :
1530-1346
Print_ISBN :
978-1-4244-7754-8
Type :
conf
DOI :
10.1109/ISCC.2010.5546700
Filename :
5546700