Towards An Automatic Generation Of Low-Interaction Web Application Honeypots

Low-interaction honeypots (LIHPs) are a well-established tool to monitor malicious activities by emulating the appearance and behavior of a real system. However, existing honeypots share a common problem: Anyone aware of their existence can easily finger-print and subsequently avoid them.In this paper, we present CHAMELEON, our work towards an automatic generation of LIHPs for web applications. CHAMELEON creates honeypot versions of existing systems through automatic network interaction with the real application and builds response templates from the observed response traffic. By comparing similar responses, variable parts are identified and imitated with these templates. On run-time, the best matching template is chosen to respond to an incoming network request. This approach allows a large-scale deployment of Honeypots in a highly scalable fashion: No manual effort is needed in honeypot generation and a single instance of CHAMELEON can emulate a large number of heterogeneous systems simultaneously. Thus, a LIHP infrastructure for a company's full application landscape can be created, deployed and operated automatically with little effort and minimal technical resource requirements in a timely fashion.We document our prototypical implementation for HTTP(S) and our practical experiments with the generated honeypots in the wild. The results are promising: The generated honeypots are indistinguishable for popular fingerprinting tools and the received traffic shows no difference to traffic directed at real systems.