Title :
Scalable and Performance-Efficient Client Honeypot on High Interaction System
Author :
Akiyama, Mitsuaki ; Kawakoya, Yuhei ; Hariu, Takeo
Author_Institution :
Secure Platform Laboratories, NTT Corp., Musashino, Japan
Abstract :
We investigated client honeypots for detecting and circumstantially analyzing drive-by download attacks. A client honeypot requires both improved inspection performance and in-depth analysis for inspecting and discovering malicious websites. However, OS overhead in recent client honeypot operation cannot be ignored for improving honeypot multiplication performance. We propose a client honeypot system that uses our proposed multi-OS and multi-process honeypot multiplication approaches and implemented this system to evaluate its performance. Our process sandbox mechanism, a security measure for our multi-process approach, creates a virtually isolated environment for each web browser. In a field trial, we confirmed that the use of our multi-process approach was three or more times faster than that of a single process and our multi-OS approach linearly improved system performance according to the number of honeypot instances. Thus, our proposed multiplication approaches improve performance efficiency and enable in-depth analysis on high interaction systems.
Keywords :
Web sites; online front-ends; operating systems (computers); security of data; OS overhead; Web browser; drive-by download attacks; high interaction system; inspection performance; malicious Websites; multiOS; multiprocess honeypot multiplication approaches; performance-efficient client honeypot; process sandbox mechanism; scalable client honeypot; security measure; virtually isolated environment; Browsers; Inspection; Kernel; Malware; Monitoring; Process control; Rendering (computer graphics); client honeypot; intrusion detection; malware; sandbox;
Conference_Title :
Applications and the Internet (SAINT), 2012 IEEE/IPSJ 12th International Symposium on
Conference_Location :
Izmir
Print_ISBN :
978-1-4673-2001-6
Electronic_ISBN :
978-0-7695-4737-4
DOI :
10.1109/SAINT.2012.15