URL Evaluator: Semi-automatic evaluation of suspicious URLs from honeypots

Kód výsledku v IS VaVaI

<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F63839172%3A_____%2F24%3A10133688" target="_blank" >RIV/63839172:_____/24:10133688 - isvavai.cz</a>

Výsledek na webu

<a href="https://dl.ifip.org/db/conf/cnsm/cnsm2024/1571071957.pdf" target="_blank" >https://dl.ifip.org/db/conf/cnsm/cnsm2024/1571071957.pdf</a>

DOI - Digital Object Identifier

<a href="http://dx.doi.org/10.23919/CNSM62983.2024.10814604" target="_blank" >10.23919/CNSM62983.2024.10814604</a>

Jazyk výsledku

angličtina

Název v původním jazyce

URL Evaluator: Semi-automatic evaluation of suspicious URLs from honeypots

Popis výsledku v původním jazyce

Botnets often rely on malicious URLs to distribute malware payloads over HTTP. Identifying these URLs is critical for network defense, as it enables the detection or blocking of access from within the network, thereby preventing potential malware infections. A promising approach for uncovering URLs used for malware distribution involves analyzing data from SSH honeypots. However, not every URL observed in a honeypot log is necessarily malicious. In this paper, we present the &quot;URL Evaluator&quot; system, which automates the extraction and analysis of suspicious URLs from SSH honeypot data. It employs a semi-automated evaluation process, which leverages multiple data sources and methods and escalates to human operators only when necessary. Confirmed malicious URLs are then used in a network monitoring system to detect any accesses to such URLs from within the defended network. Any such access is automatically reported to the responsible administrator or security team. Additionaly, the system contributes newly found malicious URLs to a large community blacklist. The paper describes the system architecture, key components, and its operational results.

Název v anglickém jazyce

URL Evaluator: Semi-automatic evaluation of suspicious URLs from honeypots

Popis výsledku anglicky

Botnets often rely on malicious URLs to distribute malware payloads over HTTP. Identifying these URLs is critical for network defense, as it enables the detection or blocking of access from within the network, thereby preventing potential malware infections. A promising approach for uncovering URLs used for malware distribution involves analyzing data from SSH honeypots. However, not every URL observed in a honeypot log is necessarily malicious. In this paper, we present the &quot;URL Evaluator&quot; system, which automates the extraction and analysis of suspicious URLs from SSH honeypot data. It employs a semi-automated evaluation process, which leverages multiple data sources and methods and escalates to human operators only when necessary. Confirmed malicious URLs are then used in a network monitoring system to detect any accesses to such URLs from within the defended network. Any such access is automatically reported to the responsible administrator or security team. Additionaly, the system contributes newly found malicious URLs to a large community blacklist. The paper describes the system architecture, key components, and its operational results.

Druh

D - Stať ve sborníku

CEP obor

—

OECD FORD obor

10201 - Computer sciences, information science, bioinformathics (hardware development to be 2.2, social aspect to be 5.8)

Projekt

<a href="/cs/project/LM2023054" target="_blank" >LM2023054: e-Infrastruktura CZ</a><br>

Návaznosti

P - Projekt vyzkumu a vyvoje financovany z verejnych zdroju (s odkazem do CEP)

Rok uplatnění

2024

Kód důvěrnosti údajů

S - Úplné a pravdivé údaje o projektu nepodléhají ochraně podle zvláštních právních předpisů

Název statě ve sborníku

20th International Conference on Network and Service Management

ISBN

978-3-903176-66-9

ISSN

2165-963X

e-ISSN

—

Počet stran výsledku

4

Strana od-do

—

Název nakladatele

IFIP

Místo vydání

Prague, Czech Republic

Místo konání akce

Prague, Czech Republic

Datum konání akce

28. 10. 2024

Typ akce podle státní příslušnosti

WRD - Celosvětová akce

Kód UT WoS článku

001414325200072