Wamber: Defending Web Sites on Hosting Services with Self-Learning Honeypots

Satomi Saito, S. Torii, K. Yoshioka, Tsutomu Matsumoto
2016 11th Asia Joint Conference on Information Security (AsiaJCIS), published 2016-08-01
DOI: 10.1109/AsiaJCIS.2016.32 (https://doi.org/10.1109/AsiaJCIS.2016.32)
Citation count: 1

Abstract

Web sites today are highly diverse in purpose and structure, and many of them run on hosting services. A hosting service is a network service for outsourcing the construction and maintenance of servers, so web site operators are freed from hardware setup and server maintenance. On the other hand, web sites are exposed to cyber attacks. To counter these attacks, hosting service providers should monitor the web sites they host. In many cases, however, it is difficult for the service providers to analyze such attacks with full information because of contracts concerning the protection of personal information. As another approach, it is effective to construct server-side honeypots and observe malicious access to them. Unfortunately, honeypots cannot always observe all types of attacks because of the diversity of web sites. In this paper, we propose a novel approach for keeping security intelligence up to date and strengthening countermeasures against web attacks on a hosting service. Our approach helps service providers protect their customers' web sites by combining the analysis of IDS logs and web access logs provided by these sites with dedicated honeypots for observing web attacks. The honeypots keep learning interactions from the actual hosted sites and attract attackers by mimicking those sites, in order to gain intelligence on malicious web attacks. We also describe a case study on a hosting service at our university, in which suspicious requests are confirmed to be malicious by our approach.