SCHOOL OF ENGINEERING AND COMPUTER SCIENCE

Security Trust and Cooperation

Current Research Projects

Client Honeypots

Overview

Across the web, hundreds of thousands of malicious web sites participate in drive-by downloads, pushing malware onto a user's computer without their explicit knowledge. This problem causes many of the issues that users experience every day, such as pop-up adverts, slow internet connections or even crashing computers. Being able to find and mark these suspicious web sites will help to keep web surfers safe online.

For the last four years we have been developing client honeypots that scan the web and deliberately expose themselves to compromise by malicious sites. Once any anomalous behaviour occurs, the web site is marked as suspicious. This process occurs automatically, much faster than any human manually classifying sites could manage.

We would also like to acknowledge the continuing support of InternetNZ for this work, support from the Google Summer of Code and the help of our colleagues in the Honeynet Project.

Publications

  • C. Seifert, B. Endicott-Popovsky, D. Frincke, P. Komisarczuk, R. Muschevici, I. Welch, 'Identifying malicious web servers using client honeypots', in Advances in Digital Forensics, edited by Indrajit Ray, Sujeet Shenoi (Springer, 2008), Vol. IV, pp. 127-137, ISBN 978-0-387-30012-2.
  • Christian Seifert, Ian Welch, Peter Komisarczuk, 'Identification of Malicious Web Pages with Static Heuristics', in the proceedings of the Australasian Telecommunication Network and Applications Conference (ATNAC) 2008, IEEE, Adelaide, Australia, December 2008.
  • David Stirling, Ian Welch, Peter Komisarczuk, Designing Workflows for Grid Enabled Internet Instruments. In the Proceedings of the 8th IEEE CCGrid 2008 Conference, Lyon, France, May 2008.
  • Christian Seifert, Ian Welch, Peter Komisarczuk, Chiraag Aval, Barbara Endicott-Popovsky, 'Identification of Malicious Web Pages Through Analysis of Underlying DNS and Web Server Relationships', in 4th IEEE LCN Workshop on Network Security (WNS 2008) at the 33rd Annual IEEE Conference on Local Computer Networks (LCN 2008) (Canada, IEEE, 2008), pp. 935-941.
  • Christian Seifert, Peter Komisarczuk, and Ian Welch, Application of divide-and-conquer algorithm paradigm to improve the detection speed of high interaction client honeypots. In the proceedings of the 23rd Annual ACM Symposium on Applied Computing, Ceara, Brazil, March 2008.
  • Seifert, C., Endicott-Popovsky, B., Frincke, D., Komisarczuk, P., Muschevici, R. and Welch, I., Justifying the Need for Forensically Ready Protocols: A Case Study of Identifying Malicious Web Servers Using Client Honeypots. In the proceedings of the 4th Annual IFIP WG 11.9 International Conference on Digital Forensics, Kyoto, Japan, January 2008.
  • Dean Pemberton, Peter Komisarczuk, Ian Welch, Internet Background Radiation Arrival Density and Network Telescope Sampling Strategies, In the proceedings of the Australasian Telecommunication Network and Application Conference (ATNAC) 2007, Christchurch, New Zealand, December 2007.
  • Peter Komisarczuk, Christian Seifert, Dean Pemberton, Ian Welch, Grid Enabled Internet Instruments. In the proceedings of IEEE Globecom 2007, Washington DC, USA, November 2007.
  • Christian Seifert, Ramon Steenson, Ian Welch, Peter Komisarczuk, Capture - A Tool for Behavioural Analysis of Applications and Documents. In proceedings of the Digital Forensic Research Workshop, 2007, Pittsburgh, PA, August 13-15th 2007.
  • Christian Seifert, Ian Welch, Peter Komisarczuk, HoneyC - The Low-Interaction Client Honeypot. In Proceedings of the 2007 NZCSRCS, Waikato University, Hamilton, New Zealand, April 2007.
  • Christian Seifert, Ian Welch, Peter Komisarczuk, Effectiveness of security by admonition: a case study of security warnings in a web browser setting. (In)secure Magazine, (1.9), pp. 9-16. Available from http://www.insecuremagazine.com/downloadmag.php?issue=9; accessed on 1 December 2006.

Open Source Software

The following software is available for use under the terms of the attached open-source licences:

  • Capture-HPC - high-interaction client honeypot framework
  • HoneyC - low-interaction client honeypot framework
  • Capture-BAT - behavioural analysis tool for applications on the Win32 operating system family
  • FFDetect - FFDetect Java library
  • HoneyClientManager - honeyclient manager web application

Language-level Security

Overview

My thesis (Ian Welch) focused on how to more easily separate and manage security code within an application. This made use of the concept of reflection, whereby a programming language's semantics can be modified on a per-program basis. Later work explored how to do this in a manageable way and extended the approach to aspect-oriented programming.

Much of this work is done in conjunction with the ELVIS research group and, in particular, David Pearce.

Publications

  • R. Ramachandran, D. J. Pearce and I. Welch. AspectJ for Multilevel Security. In Proceedings of the Workshop on Aspects, Components, and Patterns for Infrastructure Software (ACP4IS), 2006.
  • I. Welch and Fan Lu. Policy-driven Reflective Enforcement of Security Policies. Programming for Separation of Concerns Track. In proceedings of the ACM SIGAPP Symposium on Applied Computing (SAC 2006), 2006.
  • E. Tramontana and I. Welch. Reflections on Programming with Grid Toolkits. Workshop on Reflection, AOP and Meta-Data for Software Evolution. RAM-SE (2004), pp. 3-8.
  • I. Welch and R.J. Stroud. Re-engineering security as a crosscutting concern - experience with a third party application. The Computer Journal, 46(5):578-589, September 2003.

Previous Research Projects

Intrusion Tolerance

Overview

As part of the Malicious- and Fault-Tolerant Internet Applications (MAFTIA) project, Ian Welch developed a transaction service that could continue to operate correctly while under malicious attack.

Publications

  • P. Veríssimo, N. F. Neves, C. Cachin, J. Poritz, D. Powell, Y. Deswarte, R. Stroud, I. Welch. Intrusion-tolerant middleware: the road to automatic security. IEEE Security & Privacy Magazine, 4(4), 2006.
  • R. Stroud, I. Welch, J. Warne, P. Ryan. A Qualitative Analysis of the Intrusion-Tolerance Capabilities of the MAFTIA Architecture. In proceedings of the 2004 International Conference on Dependable Systems and Networks (DSN'04), 2004.