*Computer Security Threats*

for rollbacks of compromised virtual machines.

time period of the virtual machine. It is a process to overcome time bombs. WEF is an automatic implementation of drive-by download detection in a virtualized environment. WEF is used as an active HoneyNet with overall simulated architecture beneath

**5.2 Low-interaction honeyclient**

A low-interaction honeyclient differs from a high-interaction honeyclient in that it does not use an entire real system. Instead, it uses lightweight or simulated clients to communicate with the server. Responses received from servers are scanned directly to decide whether an attack has taken place. It is a platform-independent open-source framework written in Ruby [11]. It concentrates on driving a web browser emulator which interacts with the server. A malicious server is identified by statically inspecting the web server's response for malicious strings through the use of Snort signatures. The honeyclient uses many existing freely available open-source software systems. It consists of the following components:

*5.2.1 Queue/seed generation*

It is a source of the initial set of seed URLs.

*5.2.2 Web search seeding*

The three web search engine application interfaces are Google, Yahoo, and MSN

which are common keywords.

*5.2.3 Spam trap seeding*

Spam mails are extracted from URLs and are listed.

*5.2.4 Blacklist seeding*

It is a tool designed to automatically download blacklist from major blacklist

workers and seed for crawler [12, 13].

*5.2.5 Web crawling*

Heritrix crawler is simulated into the Monkey-Spider prototype with two parameters predefined:

• Maximum link hops, which counts the connections to be included in the crawl

• Maximum transitive hops, which counts the URLs extracted from seeded URLs

*5.2.6 Content/malware analysis*

The contents downloaded from the URL are scanned by the ClamAV antivirus, which raises alerts using pattern matching. The terminology is provided for the downloaded binary [14, 15].

*5.2.6.1 Static analysis*

*5.2.6.2 Dynamic analysis*

Malware analysis is performed with a tool like CWSandbox [16].

It is implemented to mimic the behavior of a user-driven network client application and to be abused by an attacker's content. It is a virtual honeyclient, which means that it is not a real application but an emulated client. It performs dynamic analysis of JavaScript and Visual Basic scripts to remove obfuscation from malicious pages. To analyze the malicious content, obfuscated or encrypted JS is decrypted and reanalyzed. SpyBye allows a webmaster to identify whether a website is compromised, using a set of heuristics and scanning of data against ClamAV. It is a tool that contacts a URL, presenting itself as a web browser through its user agent field, and downloads the response of the target website. The response is then examined using the scan engine [17, 18].
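The static response check described above for the low-interaction honeyclient (scanning a server's response for malicious strings with Snort signatures) can be illustrated as follows. This is an added example, not code from the original text or from any of the tools it names. It assumes a subset of Snort rule options (content, nocase, pcre, sid), and the rules, URLs and response bodies are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Option grammar subset: `key;`, `key:"quoted value";` or `key:bare_value;`
OPT = re.compile(r'(\w+)(?::\s*(?:"((?:[^"\\]|\\.)*)"|([^;"]+)))?\s*;')

@dataclass
class Signature:
    sid: int = 0
    contents: list = field(default_factory=list)  # [needle, nocase] pairs
    pcres: list = field(default_factory=list)     # compiled regexes

def parse_rule(rule: str) -> Signature:
    """Parse content, nocase, pcre and sid from one rule's option block."""
    sig = Signature()
    for m in OPT.finditer(rule[rule.index("(") + 1 : rule.rindex(")")]):
        key, quoted, bare = m.groups()
        val = quoted if quoted is not None else bare
        if key == "sid":
            sig.sid = int(val)
        elif key == "content":
            sig.contents.append([val, False])
        elif key == "nocase" and sig.contents:
            sig.contents[-1][1] = True  # nocase modifies the preceding content
        elif key == "pcre":
            pattern, _, flags = val[1:].rpartition("/")
            sig.pcres.append(re.compile(pattern, re.I if "i" in flags else 0))
    return sig

def matches(sig: Signature, body: str) -> bool:
    """A signature fires only if every content string and pcre is found."""
    found = all((n.lower() in body.lower()) if nc else (n in body) for n, nc in sig.contents)
    return found and all(p.search(body) for p in sig.pcres)

def analyze(responses: dict, sigs: list) -> dict:
    """Map each URL to the sids of the signatures its response triggered."""
    return {u: [s.sid for s in sigs if matches(s, b)] for u, b in responses.items()}

# Constructed rules and constructed server responses; nothing is fetched.
RULES = [
    r'alert tcp any 80 -> any any (msg:"zero-size iframe"; content:"<iframe"; nocase; pcre:"/(width|height)=\W?0\W/i"; sid:1000001;)',
    r'alert tcp any 80 -> any any (msg:"eval of unescaped string"; content:"eval("; content:"unescape("; sid:1000002;)',
]
RESPONSES = {
    "http://a.example/": '<IFRAME src="http://b.example/" width="0" height="0"></IFRAME>',
    "http://c.example/": "<script>var s = unescape('%61%6c'); eval(s);</script>",
    "http://d.example/": '<iframe src="/map" width="600" height="400"></iframe>',
}
if __name__ == "__main__":
    print(analyze(RESPONSES, [parse_rule(r) for r in RULES]))
```

The third response shows why the content match alone is not enough: a visible iframe contains the same string, and only the additional pcre condition keeps it from being flagged.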
