Challenges in developing Capture-HPC exclusion lists

Mohammad Puttaroo, Peter Komisarczuk, Renato Cordeiro De Amorim

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    3 Citations (Scopus)


    In this paper we discuss the challenges faced whilst developing exclusion lists for the high-interaction client honeypot, Capture-HPC. Exclusion lists are Capture client system behaviours which are used in the decision-making process when determining whether a particular behaviour is malicious or benign. As exclusion lists are the main decision-making method used by Capture-HPC to classify a given webpage as benign or malicious, we identify a number of issues with current research which are often overlooked. Exclusion lists by nature require constant updating, as they are developed to meet the specific requirements of a particular operating system, web browser and application system environment. Any change to these means that a given client may display different benign behaviour, which in turn means new exclusions are required. As a result of their specific version requirements, exclusion lists are not transferable between clients. We propose a set of recommendations to aid in the creation of exclusion lists. We also present and discuss some common drive-by-download attacks which we have captured using our Windows 7 compatible exclusion lists.
    Original language: English
    Title of host publication: Procs of the 7th Int Conf on Security of Information and Networks
    Publisher: ACM Press
    ISBN (Print): 978-1-4503-3033-6
    Publication status: Published - 9 Sept 2014
    Event: 7th International Conference on Security of Information and Networks - Glasgow, United Kingdom
    Duration: 9 Sept 2014 to 11 Sept 2014


    Conference: 7th International Conference on Security of Information and Networks
    Country/Territory: United Kingdom

