Graduate student: | 慕和黑 Jorge Orlando Murillo Perdomo |
---|---|
Thesis title: | Enhanced Web Browsing Experience Securing Web Traffic with Client Honeypots 透過Honeypots來增強瀏覽網站的安全性 |
Advisor: | 孫宏民 Sun, Hung-Min |
Oral defense committee: | 吳育松 Wu, Yu-Sung; 許富皓 Hsu, Fu-Hau |
Degree: | Master |
Department: | College of Electrical Engineering and Computer Science - Institute of Information Systems and Applications |
Year of publication: | 2014 |
Academic year of graduation: | 102 |
Language: | English |
Number of pages: | 35 |
Keywords (Chinese): | Client, Security, HTTPS, Server, Low-Cost |
Keywords (English): | Client Honeypot, Web Security, HTTPS, Proxy Server, Low-Cost |
The Internet is now more than a commodity and has become an invaluable service for organizations, companies, and everyday users. With its enormous and continuous growth, attackers keep creating new methods to prey on vulnerable users. Securing and protecting user data is now a matter of high importance, since many attacks are deployed through malicious websites. Many commercial enterprise solutions are costly and need a sophisticated infrastructure to deploy. Additionally, these solutions often rely on vendors to constantly provide signatures or blacklists to keep the system up to date.
Therefore, the detection of infection by malware is often really complex. Client honeypots have become a popular choice among researchers who aim to detect and analyze drive-by-download attacks. These systems crawl websites and detect whether malware or malicious code is present on them. The tools are readily available and are relatively easy to deploy and maintain. An approach that lets users manage their own defense systems has proved inefficient over the years because of performance issues and the complexity of maintaining these solutions individually.
In this thesis, we propose a solution to keep networks behind a proxy server secure. Client honeypots can feed the proxy server with newly found malicious websites; the proxy server consults a database of blocked URLs and domains, effectively filtering users' web access. Clients connect to the proxy server, which is coupled with an Internet Content Adaptation Protocol (ICAP) system. The ICAP system serves an HTML page when clients visit potentially malicious websites.
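A minimal model of the flow described in the abstract, added here as an illustration and not taken from the thesis: a honeypot reports malicious sites into a blocklist, and the proxy-side filter answers matching requests with an HTML page. The SQLite schema, function names, 403 status and block-page text are assumptions, and the ICAP wire protocol itself is not implemented.

```python
import html
import sqlite3
from urllib.parse import urlsplit

# Constructed block page; the thesis's actual HTML page is not shown in the abstract.
BLOCK_PAGE = ("<html><body><h1>Access blocked</h1>"
              "<p>{url} was reported as malicious.</p></body></html>")

def open_blocklist():
    """In-memory stand-in for the proxy's database of blocked URLs and domains."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE blocked (kind TEXT, value TEXT, PRIMARY KEY (kind, value))")
    return db

def normalize(url):
    """Return (host, host+path); scheme and query are ignored so variants still match."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:          # malformed URL, e.g. unbalanced IPv6 brackets
        return "", ""
    return host, host + (parts.path or "/")

def honeypot_report(db, url, whole_domain=False):
    """Called by the client honeypot when a crawled site is judged malicious."""
    host, key = normalize(url)
    if host:
        entry = ("domain", host) if whole_domain else ("url", key)
        db.execute("INSERT OR IGNORE INTO blocked VALUES (?, ?)", entry)

def is_blocked(db, url):
    host, key = normalize(url)
    if not host:
        return False
    labels = host.split(".")
    # Exact URL, then the host and each parent domain (bare TLD excluded).
    candidates = [("url", key)] + [("domain", ".".join(labels[i:]))
                                   for i in range(max(1, len(labels) - 1))]
    query = "SELECT 1 FROM blocked WHERE kind = ? AND value = ? LIMIT 1"
    return any(db.execute(query, c).fetchone() for c in candidates)

def filter_request(db, url):
    """Decision the content-adaptation step makes: (status, body) or (None, None) to pass."""
    if is_blocked(db, url):
        # Escape the URL: it is attacker-controlled and is echoed into HTML.
        return 403, BLOCK_PAGE.format(url=html.escape(url))
    return None, None
```

Matching on parent domains means one honeypot verdict for a domain also covers its subdomains, while a URL-level verdict leaves the rest of the site reachable.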