Christian Seifert Publications
Peer-reviewed Publications
24. Stokes, J., Andersen, R., Seifert, C., Chellapilla, K. WebCop: Locating Neighborhoods of Malware on the Web. in the 3rd Usenix Workshop on Large-Scale Exploits and Emergent Threats, San Jose, 2010.
In this paper, we propose WebCop to identify malicious web pages and neighborhoods of malware on the internet. Using a bottom-up approach, telemetry data from commercial Anti-Malware (AM) clients running on millions of computers first identify malware distribution sites hosting malicious executables on the web. Next, traversing hyperlinks in the reverse direction in a web graph constructed from a commercial search engine crawler quickly discovers malware landing pages linking to the malware distribution sites. In addition, the malicious distribution sites and web graph are used to identify neighborhoods of malware, locate additional executables distributed on the internet which may be unknown malware, and identify false positives in AM signatures. We compare the malicious URLs generated by the proposed method with those found by a commercial, drive-by download approach and show that the lists are independent; both methods can be used to identify malware on the internet and help protect end users.
23. Stirling, D., Welch, I., Komisarczuk, P., Seifert, C., Automating Malware Scanning Using Workflows. in the 9th IEEE/ACM International Symposium on Cluster Computing and the Grid, 2009.
Identifying websites hosting malicious code is a priority for helping protect consumers using the web and for the collection of malicious code for analysis by malware researchers. We have been running an InternetNZ sponsored study where homepages of almost all New Zealand Web servers are scanned on a regular basis by a set of client honeypots. This paper reflects upon our experience of running moderate scale scans over a period of several months manually and identifies some requirements for automation of such a system using workflow and related middleware.
22. Endicott-Popovsky, B., Narvaez, J., Seifert, C., Frincke, D., O'Neil, L. R., Aval, C., Use of Deception to Improve Client Honeypot Detection of Drive-by-Download Attacks. in Proceedings of the Human Computer Interface (HCI) Conference, San Diego, 2009.
This paper presents the application of deception theory to improve the success of client honeypots at detecting malicious web page attacks from infected servers programmed by online criminals to launch drive-by-download attacks. The design of honeypots faces three main challenges: deception, how to design honeypots that seem real systems; counter-deception, techniques used to identify honeypots and hence defeating their deceiving nature; and counter counter-deception, how to design honeypots that deceive attackers. The authors propose the application of a deception model known as the deception planning loop to identify the current status on honeypot research, development and deployment. The analysis leads to a proposal to formulate a landscape of the honeypot research and planning of steps ahead.
21. Seifert, C., Komisarczuk, P., Welch, I., Measurement Study on Malicious Web Servers in the .nz Domain. in ACISP, Brisbane, 2009. PDF
Client-side attacks have become an increasing problem on the Internet today. Malicious web pages launch so-called drive-by-download attacks that are capable of gaining complete control of a user's machine by merely having that user visit a malicious web page. Criminals that are behind the majority of these malicious web pages are highly sensitive to location, language and economic trends to increase their return on investment. In this paper, a comprehensive measurement study of malicious web servers on the .nz domain is presented. The risk of drive-by-download attacks has been compared with other domains, showing no elevated risk for the .nz domain. However, a comprehensive assessment of the .nz domain showed the existence of malicious web pages across a variety of types of web pages. Blacklisting services showed limited success in protecting against such malicious web pages. This is primarily attributed to the highly dynamic nature of malicious web pages. Over a period of eight months, the .nz domain was monitored and continuous shifting of malicious behavior of web pages was observed. The rates observed show that on average 50% of malicious URLs identified change monthly. These rates pose a challenge to blacklisting services as well as a risk to end users with rapid dissemination of zero-day attacks. Frequent scans of the web are required to obtain a good up-to-date view of the threat landscape.
20. Seifert, C., Komisarczuk, P., Welch, I., True Positive Cost Curve: A Cost-Based Evaluation Method for High-Interaction Client Honeypots. in SECURWARE, Athens, 2009. PDF
Client honeypots are security devices designed to find servers that attack clients. High-interaction client honeypots (HICHPs) classify potentially malicious web pages by driving a dedicated vulnerable web browser to retrieve and classify these pages. Considering the size of the Internet, the ability to identify many malicious web pages is a crucial task. HICHPs, however, present challenges: They are slow and tend to miss attacks. For researchers to address these shortcomings, they need methods for evaluating HICHPs. This paper (1) presents an evaluation method called the True Positive Cost Curve (TPCC), which makes it possible to evaluate and compare HICHPs in an operating environment, but also allows an operator to tune HICHPs within a specific operating environment; (2) presents improvements on the way HICHPs visit web pages and evaluates them with the TPCC method; and (3) discusses the impact of time bombs on the performance of HICHPs in an operating environment and the ability to tune an HICHP for optimal performance with the help of the TPCC.
19. Seifert, C., Komisarczuk, P., Welch, I., Identification of Malicious Web Pages with Static Heuristics. in the Australasian Telecommunication Networks and Applications Conference, Adelaide, 2008. PDF
Malicious web pages that launch client-side attacks on web browsers have become an increasing problem in recent years. High-interaction client honeypots are security devices that can detect these malicious web pages on a network. However, high-interaction client honeypots are both resource-intensive and known to miss attacks. This paper presents a novel classification method for detecting malicious web pages that involves inspecting the underlying static attributes of the initial HTTP response and HTML code. Because malicious web pages import exploits from remote resources and hide exploit code, static attributes characterizing these actions can be used to identify a majority of malicious web pages. Combining high-interaction client honeypots and this new classification method into a hybrid system leads to significant performance improvements.
18. Seifert, C., Komisarczuk, P., Welch, I., Aval, C. U., and Endicott-Popovsky, B. Identification of Malicious Web Pages Through Analysis of Underlying DNS and Web Server Relationships. in 4th IEEE LCN Workshop on Network Security (WNS 2008), Montreal, 2008. PDF
Malicious web pages that launch client-side attacks on web browsers have become an increasing problem in recent years. High-interaction client honeypots are security devices that can detect these malicious web pages on a network. However, high-interaction client honeypots are both resource-intensive and unable to handle the increasing array of vulnerable clients. This paper presents a novel classification method for detecting malicious web pages that involves inspecting the underlying server relationships. Because of the unique structure of malicious front-end web pages and centralized exploit servers, merely counting the number of domain name extensions and DNS servers used to resolve the host names of all web servers involved in rendering a page is sufficient to determine whether a web page is malicious or benign, independent of the vulnerable web browser targeted by these pages. Combining high-interaction client honeypots and this new classification method into a hybrid system leads to performance improvements.
14. Seifert, C., Endicott-Popovsky, B., Frincke, D., Komisarczuk, P., Muschevici, R. and Welch, I., Justifying the Need for Forensically Ready Protocols: A Case Study of Identifying Malicious Web Servers Using Client Honeypots. in 4th Annual IFIP WG 11.9 International Conference on Digital Forensics, Kyoto, 2008. PDF
Client honeypot technology can find malicious web servers that attack web browsers and push malware, so-called drive-by-downloads, to the client machine. Merely recording the network traffic is insufficient to perform an efficient forensic analysis of the attack. Custom tools need to be developed to access and examine the embedded data of the network protocols. Once the information is extracted from the network data, it cannot be used to perform a behavioral analysis of the attack, therefore limiting the ability to answer what exactly happened on the attacked system. Implementation of a record/replay mechanism is proposed that allows the forensic examiner to easily extract application data from recorded network streams and allows applications to interact with such data for behavioral analysis purposes. A concrete implementation of such a setup for the HTTP and DNS protocols using the HTTP proxy Squid and the DNS proxy pdnsd is presented and its effect on digital forensic analysis demonstrated.
13. Seifert, C. Know Your Enemy: Behind The Scenes Of Malicious Web Servers, The Honeynet Project, 2007, available at http://www.honeynet.org/papers/wek/KYE-Behind_the_Scenes_of_Malicious_Web_Servers.pdf, accessed on 7 November 2007.
In this paper, we increase our understanding of malicious web servers through analysis of several web exploitation kits that have appeared in 2006/07: WebAttacker, MPack, and IcePack. Our discoveries will necessitate adjustments on how we think about malicious web servers and will have direct implications on client honeypot technology and future studies.
12. Seifert, C., Komisarczuk, P. and Welch, I. Application of divide-and-conquer algorithm paradigm to improve the detection speed of high interaction client honeypots. 23rd Annual ACM Symposium on Applied Computing, Ceara, Brazil, 2008. PDF
We present the design and analysis of a new algorithm for high interaction client honeypots for finding malicious servers on a network. The algorithm uses the divide-and-conquer paradigm and results in a considerable performance gain over the existing sequential algorithm. The performance gain not only allows the client honeypot to inspect more servers with a given set of identical resources, but it also allows researchers to increase the classification delay to investigate false negatives incurred by the use of artificial time delays in current solutions.
11. Komisarczuk, P., Seifert, C., Pemberton, D., Welch, I. Grid Enabled Internet Instruments, Proceedings of the 2007 IEEE Global Communications Conference, Washington DC, USA, November 2007.
This paper introduces the Grid Enabled Internet Instrument concept and discusses instruments that are being developed at Victoria University to measure Internet quality. The first instrument is a Grid version of the network telescope for studying Internet Background Radiation (IBR), and the second is a hybrid client honeypot system using high and low interaction devices for scanning the web for malicious content and servers. A third instrument on VOIP quality has been approached through simulation. The GEII framework is a work in progress, and the initial design is introduced in this paper as the basis of a new Grid of Internet sensors that could be deployed to improve Internet measurement and gain a global insight into Internet quality.
10. Seifert, C., Steenson, R., Holz, T., Yuan, B., Davis, M.A., Know Your Enemy: Malicious Web Servers, The Honeynet Project, 2007, available at http://www.honeynet.org/papers/mws/KYE-Malicious_Web_Servers.pdf, accessed on 14 August 2007.
In this paper, we take an in-depth look at malicious web servers that attack web browsers, and we evaluate several defensive strategies that can be employed to counter this threat of client-side attacks.
9. Seifert, C., Steenson, R., Welch, I., Komisarczuk, P., Endicott-Popovsky, B. Capture - A Behavioral Analysis Tool for Applications and Documents, Proceedings of the 7th Digital Forensics Research Workshop Conference, Pittsburgh, August 2007. PDF
In this paper, we present Capture, a tool for behavioral analysis of applications for the Win32 operating system family. Capture is able to monitor the state of a system during the execution of applications and processing of documents, which provides the analyst with insights on how the software operates even if no source code is available. Capture differs from existing behavioral analysis tools in its ability to monitor state changes at a low kernel level and its ability to be easily used across various operating system versions and configurations.
Capture provides a powerful mechanism to exclude event noise that naturally occurs on an idle system or when using a specific application. This mechanism is fine-grained and allows an analyst to take into account the processes that cause the various state changes. As a result, this mechanism even allows Capture to analyze the behavior of documents that execute within the context of an application. We demonstrate Capture's capabilities by analyzing a malicious Microsoft Word document.
6. Seifert, C., Welch, I. and Komisarczuk, P. HoneyC - The Low-Interaction Client Honeypot, Proceedings of the 2007 NZCSRCS, Waikato University, Hamilton, New Zealand, April 2007. PDF
Client honeypots crawl the Internet and interact with servers to find and identify servers that exploit client-side vulnerabilities. Traditionally, these servers are identified by the client honeypot monitoring state changes that result from a server interaction. These so-called high interaction client honeypots are slow and expensive to implement and use because they require an entire operating system to be hosted. We have developed a component-based low interaction client honeypot that emulates only the essential features of our target clients and applies signature matching to allow fast static analysis of interactions. Performance measurements of a prototype implementation targeting clients using the HTTP 1.0 protocol indicate that low interaction client honeypots are faster and cheaper to implement than high interaction client honeypots. The difference in false negatives suggests that these technologies may be complementary rather than competitive in nature.
2. Endicott-Popovsky, Seifert, C. Adopting eXtreme Programming on a Graduate Student Project. Proceedings of the 2005 IEEE Workshop on Information Assurance, United States Military Academy, West Point, NY., June 2005. PDF
This paper discusses a pedagogical process that addresses the problem of how to facilitate learning of a relatively new development methodology that has a limited base of practitioners to draw from and perhaps no faculty with direct experience. This problem is not new to computer science faculty. Change in the field is constant and practitioners must be learning, continually.
1. Endicott-Popovsky, B., Dittrich, D., Phillips, A., Frincke, D., Chavez, J., Gibbons, W. J., Nguyen, D., Seifert, C., Shephard, A., Abate, C. and Loveland, S. The Manuka Project. Proceedings of the 2004 IEEE Workshop on Information Assurance, United States Military Academy, West Point, NY., June 2004. PDF
During 2003-2004, the University of Washington (UW) and Seattle University (SU) collaborated to build a system for cataloging compromised system images under the auspices of the Pacific Northwest Honeynet (PNW-honeynet), which is a Honeynet Project Research Alliance member group. The idea grew from the Honeynet Project's 'Forensic Challenge,' a project designed to raise awareness, teach and inform those tasked with responding to threats of malicious network intrusion. Since teaching from evidence of actual incidents is far more powerful than the traditional approach of using contrived workbook exercises, the Manuka project called for the creation of a database that would store compromised system images for use in Incident Response and Computer Forensic courses. This is a case study of that development process, identifying the unique challenges overcome in completing Manuka by June 2004. As an open source product that will be made available to the research and teaching community, it is hoped that this paper will stimulate interest and provide these researchers with further ideas for use and enhancement.
Technical Reports
16. Navarez, J., Seifert, C., Endicott-Popovsky, B., Welch, I. and Komisarczuk, P. Drive-By-Downloads, Victoria University of Wellington, Wellington, 2008, Available from http://www.mcs.vuw.ac.nz/~cseifert/publications/CS-TR-08-01.pdf; accessed on 08 April 2008. PDF
Client-side attacks are an emerging threat on the Internet today. They usually occur as drive-by-downloads, in which malware is pushed to and executed on the client system without the consent or notice of the user. An empirical evaluation of this malware with antivirus products is the focus of our research. Client honeypots, security devices that use virtualization to detect malicious web servers that launch these attacks on client systems, are used to collect malware and evaluate it with various antivirus products. We show that applications that aim to defraud the victim are the primary malware type identified, and that antivirus products are only able to detect on average approximately 70% of the malware pushed in a drive-by-download attack.
8. Seifert, C. Improving Detection Accuracy and Speed with Hybrid Client Honeypots, PhD Proposal, Victoria University of Wellington, Wellington, New Zealand, Available from http://www.mcs.vuw.ac.nz/~cseifert/publications/publications/Cseifert_phd_proposal-Hybrid_Client_Honeypots.pdf, accessed on 22 February 2007. PDF
Computers connected to a network are at risk of being attacked remotely. In recent years, there has been an increase of a particular type of attack: client-side attacks. These attacks target clients. As the client accesses a malicious server, the server delivers the attack to the client as part of the server's response to a client request. Client honeypots are a computer security technology that can find these malicious servers on a network. Our research is targeted at increasing performance and detection accuracy of client honeypots with the introduction of a hybrid client honeypot system that combines various detection methods.
5. Seifert, C., Welch, I. and Komisarczuk, P. Taxonomy of Honeypots, Victoria University of Wellington, Wellington, 2006, Available from http://www.mcs.vuw.ac.nz/comp/Publications/index-byyear-06.html; accessed on 14 July 2006. PDF
In this paper, we present a taxonomy of honeypots. This taxonomy adheres to the characteristics defined by Lindqvist et al. and Krsul. We describe how to assign honeypots to classes via step-by-step instructions. We include six classes as part of the taxonomy's classification scheme: interaction level, data capture, containment, distribution appearance, communication interface, and role in a multi-tier architecture. We applied the classification scheme to classify seven distinctly different honeypots: Google Hack Honeypot, Honeyclient, Honeyd, Honeynet, Honeytrap, KFSensor, and a network telescope. The classification successfully separated these honeypots into different classes. The overall classification provided insight into current honeypot technology. Functional gaps exist around containment of malicious activity and utilization of non-network hardware interfaces. The classification also assisted us in predicting the honeypot technology of tomorrow. In particular, it pointed towards a possible future honeypot technology: low interaction client honeypots.
3. Seifert, C., Welch, I. and Komisarczuk, P. Assessment of Packet Filter Technology, Victoria University of Wellington, Wellington, 2006, Available from http://www.mcs.vuw.ac.nz/comp/Publications/index-byyear-06.html; accessed on 14 July 2006. PDF
Packet filters are widely adopted security technologies that provide strong security defenses to a network. However, despite their strength, they also pose a danger by creating a false sense of security. In this paper, we assess packet filter technology to provide an increased understanding of its limitations. We describe shortcomings around the design, administration, and performance of packet filters and how these shortcomings decrease the effectiveness of packet filters. While operators of packet filters might be able to address these shortcomings by practicing defense in depth and breadth, we also present research opportunities to continue to improve packet filter technology.
Misc
17. Seifert, C. Types of Web-Based Client-Side Attacks. Help Net Security. 2008, Available from http://www.net-security.org/article.php?id=1176; accessed on 23 September 2008.
15. Riden, J., Seifert, C. A Guide to Different Kinds of Honeypots. Infocus, SecurityFocus, Cupertino, 2008, Available from http://www.securityfocus.com/infocus/1897; accessed on 14 February 2008.
7. Seifert, C., Welch, I. and Komisarczuk, P. Effectiveness of security by admonition: a case study of security warnings in a web browser setting. (In)secure Magazine (1.9). 9-16. Available from http://www.insecuremagazine.com/downloadmag.php?issue=9; accessed on 1 December 2006. PDF
Security warnings seem to be a predominant way to bridge the gap between providing rich, but potentially insecure, functionality and providing security. In this study, we investigate the effectiveness of so-called security by admonition. We present users with a web-based survey that requests the installation of a potentially insecure ActiveX component. We show that the security warning deters users from fulfilling the insecure installation request, but is ineffective in preventing it.
4. Seifert, C. Analyzing malicious SSH login attempts. Martin, K. ed. Infocus, SecurityFocus, Cupertino, 2006, Available from http://www.securityfocus.com/infocus/1876; accessed on 13 September 2006. PDF