**4. Architecture**

The client honeypot architecture is separated into three components, namely, queuer, the client, and analysis engine. A queuer is a process of creating a list of servers for the client to visit. A client who can able to create request to servers is recognized by the queuer. An analysis engine is a process of identifying an attack processing in client honeypot. Along with all the above components, client honeypot

**17**

*A Detection of Malware Embedded into Web Pages Using Client Honeypot*

is furnished with some kind of approach to avoid successful attacks from exploring beyond the client honeypot [4, 5]. Analog to traditional server and client honeypots are classified by their high- or low-interaction level that denotes the client honeypot make utilize of functional interaction the server. This is a newly hybrid approach

that uses both high- and low-interaction detection techniques (**Figure 2**).

High-interaction client honeypot is a real application installed on the real systems. Real browsers and plug-ins are being browsed by the websites. Attacks are detected by checking the state of the process after a server interaction. Capture differentiates from existing client honeypots in different ways. It is designed to be fast and to be scalable. Event-based model allow to know the detection of state changes.

A main capture server can able to manage several clients across the network.

Honeyclient is a web browser. It is an open-source honeypot and a mix of perl, c++. It detects attacks on Windows client by registry entries, monitoring files, and processed events. It included the capture-HPC. It also contains a crawler, so that it can be sowed with a list of URLs from start and continues to exchange web pages in search of clientside malware. HoneyMonkey is also a web browser. It is not an open source. It detects attacks on Windows client by registry entries, monitoring files, and processed events. It is a layered approach to communicate with servers to identify zero-day exploits. If the attack is still identified, one can complete the attack as no patch has been publicly released and it is dangerous [6–8]. SHELIA is a combination of the process of email received and email reader. It opens different client applications depending on the type of URL or the received attachment. It observes the executable instructions that are processing in data area of memory that indicates a buffer. UW Spycrawler is integrated; with the web browser like Mozilla, it cannot be downloaded. It detects attacks on Windows client by registry entries, monitoring files, browser crashes, and processed events. Event-based mechanism is used to detect by spcrawlers [9, 10]. It increases the

*DOI: http://dx.doi.org/10.5772/intechopen.89646*

**5. Client honeypot solutions**

**Figure 2.**

*Client honeypot design.*

**5.1 High-interaction client honeypots**

*A Detection of Malware Embedded into Web Pages Using Client Honeypot DOI: http://dx.doi.org/10.5772/intechopen.89646*

#### **Figure 2.** *Client honeypot design.*

*Computer Security Threats*

**2. Proposed work**

[1–3] (**Figure 1**).

**3. Client honeypots**

*Client honeypot classifications.*

honeyware.

**Figure 1.**

**4. Architecture**

attack. They have some kind of exposed attack which is vulnerable to the sender

The security resources are production value; no resources should communicate between each other. Honeypot is compromised for outbound connections on the web pages. Honeypot collects all information about the intruder or intermediate where the community is targeting to attack. And they list the type of resources attack on the network security. Honeypots play the big role on the attacker side scripting based on web pages in client-side attack. Client honeypots are also called as active honeypots or honey client. It visits the web page as requested by the attacker and visits the web page to check whether the attack has happened or not

A honeypot is one of the security technologies that helps an organization to catch viruses, malware, or attackers, and it acts as an alarm system that discovers the attempts to attack a network. Honeypot technology is defined as a "security resource whose value lies in being investigated, attacked, or compromised" [1]. The types of honeypot are active and passive. A technology that passively waits for attacks to detect them are called passive honeypot. Active honeypot also called as client honeypot that interacts with a target web page to find its possible effect on the

The client honeypot architecture is separated into three components, namely, queuer, the client, and analysis engine. A queuer is a process of creating a list of servers for the client to visit. A client who can able to create request to servers is recognized by the queuer. An analysis engine is a process of identifying an attack processing in client honeypot. Along with all the above components, client honeypot

and receiver. They can be detected, if they are passive.

**16**

is furnished with some kind of approach to avoid successful attacks from exploring beyond the client honeypot [4, 5]. Analog to traditional server and client honeypots are classified by their high- or low-interaction level that denotes the client honeypot make utilize of functional interaction the server. This is a newly hybrid approach that uses both high- and low-interaction detection techniques (**Figure 2**).
