Capture is a high-interaction client honeypot. A client honeypot is a security technology that searches for and identifies malicious servers on a network. Capture identifies malicious servers by interacting with potentially malicious servers from a dedicated virtual machine and observing that machine's system state changes. If a system state change is detected, the server Capture interacted with is classified as malicious, since no other activity occurs on the dedicated client machine that could account for the change.
High-level overview of Capture
- The Capture Server/Capture Client architecture makes it possible to control numerous Capture clients on the local host as well as on remote hosts.
- Ability to monitor the file system and processes of a system.
- Ability to automatically drive Internet Explorer to visit a website. Once a malicious website has been identified, Capture can reset the virtual machine to a clean state so that the same virtual machine can be used to interact with additional servers.
- Centralized logs keep track of which links have been visited and which have not, of the server classifications, and of the state changes incurred by visiting malicious servers.
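The classification rule and the centralized log described above, as an added illustration that is not Capture's own code: two constructed snapshots of the client VM's files and processes are diffed, any remaining change marks the server malicious and signals that the VM must be reset before the next visit. The exclusion-prefix list for paths the browser itself is expected to write (such as its cache) is an assumption of this example, not something the page describes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """State of the dedicated client VM: (path, digest) pairs and running process names."""
    files: frozenset
    processes: frozenset


def diff_state(before, after, excluded_prefixes=()):
    """State changes between two snapshots. Paths under an excluded prefix (assumed
    browser-cache locations) are ignored so that only unexpected changes remain."""
    changed = {path for path, digest in after.files - before.files}
    changed = sorted(p for p in changed if not p.startswith(tuple(excluded_prefixes)))
    started = sorted(after.processes - before.processes)
    return {"files": changed, "processes": started}


class CaptureLog:
    """Centralized log: visit queue, per-server classification and observed state changes."""

    def __init__(self, urls, excluded_prefixes=()):
        self.unvisited = list(urls)
        self.visited = []
        self.classifications = {}
        self.state_changes = {}
        self.excluded = tuple(excluded_prefixes)

    def next_url(self):
        return self.unvisited.pop(0) if self.unvisited else None

    def record_visit(self, url, before, after):
        """Classify the server; a non-empty diff means malicious and the VM needs a reset."""
        changes = diff_state(before, after, self.excluded)
        malicious = bool(changes["files"] or changes["processes"])
        self.visited.append(url)
        self.classifications[url] = "malicious" if malicious else "benign"
        self.state_changes[url] = changes
        return malicious


def run_demo():
    """Constructed snapshots standing in for the file-system and process monitors."""
    clean = Snapshot(frozenset({("C:/Windows/system32/kernel32.dll", "aa11")}),
                     frozenset({"explorer.exe", "iexplore.exe"}))
    # Benign visit: only the (excluded) browser cache was written.
    after_benign = Snapshot(clean.files | {("C:/Users/capture/Temp/IE/index.dat", "bb22")},
                            clean.processes)
    # Malicious visit (VM was reset to `clean` first): a dropped file and a new process.
    after_malicious = Snapshot(after_benign.files | {("C:/Windows/Temp/drop.exe", "cc33")},
                               clean.processes | {"drop.exe"})
    log = CaptureLog(["http://benign.example/", "http://malicious.example/"],
                     excluded_prefixes=("C:/Users/capture/Temp/IE/",))
    log.record_visit(log.next_url(), clean, after_benign)
    needs_reset = log.record_visit(log.next_url(), clean, after_malicious)
    return log, needs_reset
```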
This work is licensed under a Creative Commons License