Challenges in developing Capture-HPC exclusion lists. / Puttaroo, Mohammad; Komisarczuk, Peter; Cordeiro De Amorim, Renato.

2014. 334-338.

Research output: Contribution to conference › Paper › peer-review

Published

Author

Puttaroo, Mohammad; Komisarczuk, Peter; Cordeiro De Amorim, Renato. / Challenges in developing Capture-HPC exclusion lists. 5 p.

BibTeX

@conference{0a15c63e9c6746e5ae21342caeebb744,
title = "Challenges in developing Capture-HPC exclusion lists",
abstract = "In this paper we discuss the challenges faced whilst developing exclusion lists for the high-interaction client honeypot, Capture-HPC. Exclusion lists are Capture client system behaviours which are used in the decision-making process when determining if a particular behaviour is malicious or benign. As exclusion lists are the main decision-making method used by Capture-HPC to classify a given webpage as benign or malicious, we identify a number of issues with current research which are often overlooked. Exclusion lists by nature require constant updating, as they are developed to meet the specific requirements of a particular operating system, web browser and application system environment. Any changes to these would mean the possibility of a given client displaying different benign behaviour, which consequently means new exclusions are required. As a result of their specific version requirements, exclusion lists are not transferable from clients. We propose a set of recommendations to aid in the creation of exclusion lists. We also present and discuss some common drive-by-download attacks which we have captured using our Windows 7 compatible exclusion lists.",
author = "Mohammad Puttaroo and Peter Komisarczuk and {Cordeiro De Amorim}, Renato",
year = "2014",
doi = "10.1145/2659651.2659717",
url = "http://dl.acm.org/citation.cfm?id=2659717",
language = "English",
pages = "334--338",
}

RIS

TY  - CONF
T1  - Challenges in developing Capture-HPC exclusion lists
AU  - Puttaroo, Mohammad
AU  - Komisarczuk, Peter
AU  - Cordeiro De Amorim, Renato
PY  - 2014
Y1  - 2014
N2  - In this paper we discuss the challenges faced whilst developing exclusion lists for the high-interaction client honeypot, Capture-HPC. Exclusion lists are Capture client system behaviours which are used in the decision-making process when determining if a particular behaviour is malicious or benign. As exclusion lists are the main decision-making method used by Capture-HPC to classify a given webpage as benign or malicious, we identify a number of issues with current research which are often overlooked. Exclusion lists by nature require constant updating, as they are developed to meet the specific requirements of a particular operating system, web browser and application system environment. Any changes to these would mean the possibility of a given client displaying different benign behaviour, which consequently means new exclusions are required. As a result of their specific version requirements, exclusion lists are not transferable from clients. We propose a set of recommendations to aid in the creation of exclusion lists. We also present and discuss some common drive-by-download attacks which we have captured using our Windows 7 compatible exclusion lists.
AB  - In this paper we discuss the challenges faced whilst developing exclusion lists for the high-interaction client honeypot, Capture-HPC. Exclusion lists are Capture client system behaviours which are used in the decision-making process when determining if a particular behaviour is malicious or benign. As exclusion lists are the main decision-making method used by Capture-HPC to classify a given webpage as benign or malicious, we identify a number of issues with current research which are often overlooked. Exclusion lists by nature require constant updating, as they are developed to meet the specific requirements of a particular operating system, web browser and application system environment. Any changes to these would mean the possibility of a given client displaying different benign behaviour, which consequently means new exclusions are required. As a result of their specific version requirements, exclusion lists are not transferable from clients. We propose a set of recommendations to aid in the creation of exclusion lists. We also present and discuss some common drive-by-download attacks which we have captured using our Windows 7 compatible exclusion lists.
UR  - http://dl.acm.org/citation.cfm?id=2659717
U2  - 10.1145/2659651.2659717
DO  - 10.1145/2659651.2659717
M3  - Paper
SP  - 334
EP  - 338
ER  - 
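The abstract's central point, that an exclusion list encodes the expected benign state changes of one specific OS/browser build and therefore does not transfer to another client, is easy to see in a small classifier. The following is an added example, not code from the paper or from the Capture-HPC project. The rule syntax (sign, process regex, action regex, object regex, tab-separated) is modelled loosely on Capture-HPC's .exl files, but the exact field order, the "last matching rule wins" precedence and the sample lists and events are all assumptions constructed for this example. The two constructed lists describe the same benign Internet Explorer cache write, once with a Windows XP profile path and once with a Windows 7 profile path; running the XP list against a Windows 7 session flags the benign write as malicious, which is exactly the false-positive problem the abstract describes.

```python
import re
from dataclasses import dataclass
from typing import List

# Rule format assumed for this example (an approximation of Capture-HPC .exl lists):
#   <+|->  <process regex>  <action regex>  <object regex>   (tab-separated)
# '+' marks a matching state change as expected (benign) on this client build,
# '-' re-includes it. Unmatched events stay "malicious" and the last matching
# rule wins; both of these precedence choices are assumptions, not Capture-HPC's.

@dataclass(frozen=True)
class Rule:
    exclude: bool          # True for '+', False for '-'
    process: re.Pattern
    action: re.Pattern
    target: re.Pattern

@dataclass(frozen=True)
class Event:
    process: str   # image path of the process that caused the state change
    action: str    # e.g. Write, Delete, Created
    target: str    # file, registry key or process image affected

def parse_exclusion_list(text: str) -> List[Rule]:
    """Parse one .exl-style list; blank lines and '#' comments are ignored."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 4 or parts[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: expected '<+|->\\t<process>\\t<action>\\t<object>'")
        sign, proc, act, obj = parts
        rules.append(Rule(sign == "+", re.compile(proc, re.I),
                          re.compile(act, re.I), re.compile(obj, re.I)))
    return rules

def classify(event: Event, rules: List[Rule]) -> str:
    """Default-deny: a state change is malicious unless an exclusion explains it."""
    verdict = "malicious"
    for r in rules:
        if (r.process.fullmatch(event.process) and r.action.fullmatch(event.action)
                and r.target.fullmatch(event.target)):
            verdict = "benign" if r.exclude else "malicious"
    return verdict

def verdicts(list_text: str, events: List[Event]) -> List[str]:
    rules = parse_exclusion_list(list_text)
    return [classify(e, rules) for e in events]

# Constructed exclusion lists (hypothetical, not the authors' lists).
IE_RE = r"C:\\Program Files\\Internet Explorer\\iexplore\.exe"

def exl(*rows) -> str:
    return "\n".join(["# constructed exclusion list", *("\t".join(r) for r in rows)])

XP_LIST = exl(
    ("+", IE_RE, "Write", r"C:\\Documents and Settings\\.*\\Local Settings\\Temporary Internet Files\\.*"),
    ("-", ".*", "Write", r".*\.exe"),   # a dropped executable is never benign, even in the cache
)
WIN7_LIST = exl(
    ("+", IE_RE, "Write", r"C:\\Users\\.*\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\.*"),
    ("-", ".*", "Write", r".*\.exe"),
)

# Constructed client events: the same benign cache write on XP and on Windows 7,
# followed by a drive-by-download style write of an executable into Temp.
IEXPLORE = r"C:\Program Files\Internet Explorer\iexplore.exe"
SESSION = [
    Event(IEXPLORE, "Write", r"C:\Documents and Settings\alice\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\index[1].htm"),
    Event(IEXPLORE, "Write", r"C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ABCD1234\index[1].htm"),
    Event(IEXPLORE, "Write", r"C:\Users\alice\AppData\Local\Temp\update.exe"),
]

if __name__ == "__main__":
    for name, lst in (("XP list", XP_LIST), ("Win7 list", WIN7_LIST)):
        print(name, verdicts(lst, SESSION))
```

With the XP list the Windows 7 cache write (second event) is reported as malicious although nothing bad happened, while the Windows 7 list explains it and still flags the dropped executable; swapping the lists between clients therefore changes the verdict on benign traffic, not on the attack. The practical check this suggests is to replay a known-clean browsing session through a new client build and treat every "malicious" verdict as a missing exclusion before the list is used for classification.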