Honeyclient Operational Results

Our second-generation prototype went fully operational in 2006. Developing the honeyclient framework was a necessary step, but going live with the second-generation prototype was a learning experience in itself. The first hurdle we had to resolve was the false positives the new prototype generated.

Transparent Activity from Windows XP

For example, if we visited a foreign-language website, IE would pop up a window asking whether we wanted to install the language pack for the language the website was written in. During that process, we noticed that the same six Windows XP registry keys were modified as follows:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms (added)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International (changed)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU (added)
HKEY_USERS\S.+\Software\Microsoft\Internet Explorer\IntelliForms (added)
HKEY_USERS\S.+\Software\Microsoft\Internet Explorer\International (changed)
HKEY_USERS\S.+\Software\Microsoft\Internet Explorer\International\CpMRU (added)

Since we were able to replicate the same results while visiting a number of known benign foreign-language websites, we knew this activity alone was not an indication of malicious behavior. At that point, we added these known benign actions to our whitelist. Another interesting case arises consistently when we visit SSL-based URLs. The following files are repeatedly modified ...
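The whitelisting step described above, as an added example that is not code from the book or from the honeyclient project: it parses integrity-check lines in the "key (added|changed)" shape shown in the list, matches each against the six registry-key patterns (keeping the chapter's "S.+" wildcard for the per-user SID hive under HKEY_USERS), and reports only the changes the whitelist does not explain. The sample output, the SID, and the two non-whitelisted lines are constructed for the example.

```python
import re
from typing import List, Tuple

# Whitelist of (path pattern, expected change type). The six paths are the
# registry keys the chapter lists; "S.+" is kept as a regular expression so
# that any per-user SID hive under HKEY_USERS matches.
WHITELIST_RULES = [
    (r"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\IntelliForms", "added"),
    (r"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\International", "changed"),
    (r"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\International\\CpMRU", "added"),
    (r"HKEY_USERS\\S.+\\Software\\Microsoft\\Internet Explorer\\IntelliForms", "added"),
    (r"HKEY_USERS\\S.+\\Software\\Microsoft\\Internet Explorer\\International", "changed"),
    (r"HKEY_USERS\\S.+\\Software\\Microsoft\\Internet Explorer\\International\\CpMRU", "added"),
]

# Registry paths are case-insensitive on Windows, so compile accordingly.
_COMPILED_RULES = [(re.compile(pattern, re.IGNORECASE), change)
                   for pattern, change in WHITELIST_RULES]

# Shape of one line of integrity-check output, as printed in the chapter:
# "<registry key> (added|changed|deleted)".
_CHANGE_LINE = re.compile(r"(?P<path>.+?)\s+\((?P<change>added|changed|deleted)\)",
                          re.IGNORECASE)


def parse_change_line(line: str) -> Tuple[str, str]:
    """Split 'HKEY_...\\Key (added)' into ('HKEY_...\\Key', 'added')."""
    match = _CHANGE_LINE.fullmatch(line.strip())
    if match is None:
        # Surface malformed lines instead of silently dropping evidence.
        raise ValueError("unrecognised integrity-check line: %r" % line)
    return match.group("path"), match.group("change").lower()


def is_whitelisted(path: str, change: str) -> bool:
    """True only if a rule matches the WHOLE path with the SAME change type.

    fullmatch() is deliberate: a prefix match would let the 'International'
    rule absorb 'International\\CpMRU', and ignoring the change type would
    hide an unexpected write to a key we only expect to see created.
    """
    return any(rule.fullmatch(path) and change == expected
               for rule, expected in _COMPILED_RULES)


def triage_lines(lines) -> List[Tuple[str, str]]:
    """Return the changes the whitelist does not explain, in input order."""
    suspicious = []
    for line in lines:
        if not line.strip():
            continue
        path, change = parse_change_line(line)
        if not is_whitelisted(path, change):
            suspicious.append((path, change))
    return suspicious


# Constructed sample of integrity-check output: the six benign keys from the
# chapter (with a made-up SID), plus two lines that must NOT be whitelisted:
# a write to a key outside the whitelist, and a whitelisted key with the
# wrong change type.
SAMPLE_OUTPUT = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms (added)",
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International (changed)",
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU (added)",
    r"HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Internet Explorer\IntelliForms (added)",
    r"HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Internet Explorer\International (changed)",
    r"HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Internet Explorer\International\CpMRU (added)",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (changed)",
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU (changed)",
]

if __name__ == "__main__":
    for path, change in triage_lines(SAMPLE_OUTPUT):
        print("SUSPICIOUS: %s (%s)" % (path, change))
```

Two design choices matter for keeping the whitelist from becoming a blind spot: every rule carries the change type it was observed with, and matching is anchored to the whole path, so the rule for International never covers a write to International\CpMRU or the reverse. The chapter's "S.+" wildcard is kept as-is; a tighter pattern for the SID component, such as "S-1-5-[0-9-]+", would be an obvious hardening.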
