Design and Implementation of Web Service Honeypot

Abdallah Ghourabi, Tarek Abbes, Adel Bouhoula
abdallah.ghourabi@supcom.rnu.tn, tarek.abbes@isecs.rnu.tn, adel.bouhoula@supcom.rnu.tn
Department of Computer Science and Networks, Higher School of Communication of Tunis SUP’COM, University of Carthage, Tunisia

Abstract: Web services are increasingly becoming an integral part of next-generation web applications. A Web service is defined as a software system designed to support interoperable machine-to-machine interaction over a network based on a set of XML standards. This new architecture and set of protocols bring new vulnerabilities that can be exploited by attackers. To prevent and detect such attacks, several security techniques are available, such as authentication and encryption mechanisms, firewalls and intrusion detection systems (IDS). Nevertheless, these security methods encounter some problems, especially when dealing with new attacks. Relying on additional security principles seems important for protecting Web services properly. In this paper, we propose using honeypots to detect and study attacks against Web services. Honeypots are used to learn new techniques, tools and motivations of hackers in order to better protect production systems against attacks. Our solution (WS Honeypot) is to deploy a honeypot as a web service application. This honeypot captures all request messages and analyses them using machine learning techniques in order to detect and study attacks.

1. INTRODUCTION

In the last few years, the field of Web Services has evolved rapidly by providing attractive features (such as ease of use, platform independence and interoperability) which can be used by business and IT organizations. According to the World Wide Web Consortium (W3C) [13], a Web service is a software system designed to support interoperable machine-to-machine interaction over a network. It has an interface described in a machine-processable format (specifically WSDL).
Other systems interact with the Web service in a manner prescribed by its description using SOAP-messages, typically conveyed using HTTP with an XML serialization in conjunction with other Web-related standards.

However, along with these enhanced information exchange capabilities come significant security considerations and challenges. The diversity of standards and protocols included with Web services brings several threats and vulnerabilities which can be exploited to attack the system. Attacks on Web services are numerous and include DoS attacks, SQL and XML injection, parameter tampering and others [4]. To prevent and detect such attacks, several security techniques are available, such as authentication and encryption mechanisms, firewalls and intrusion detection systems (IDS). Nevertheless, these security methods encounter some problems, especially when dealing with new attacks.

To resolve this problem, a complementary approach is needed. The idea is to use honeypots. A honeypot [8] is a computer system deliberately made vulnerable to one or more known threats and deployed on a network for the purpose of logging and studying the attacks made on it. These systems may be made purposely insecure in order to lure attackers and study their techniques, tools, and motivations.

We propose in this paper a solution which takes advantage of honeypots in order to detect and study attacks against Web services. Our solution (WS Honeypot) is to deploy a honeypot playing the role of a Web service application. The honeypot supervises received SOAP-messages and logs all activities in order to analyze them using machine learning techniques (Support Vector Machine “SVM”, regression analysis, association rules). The purpose of this automated analysis is to facilitate the analysis task and to extract the abnormal activities that will be studied by the human expert.

The remaining parts of the paper are organized as follows: Section 2 reviews related works.
Section 3 presents our solution, WS Honeypot, and its architecture. Section 4 describes the data analysis in the WS Honeypot. Section 5 reports the results of our experiments. Finally, we conclude the paper in Section 6.

2. RELATED WORKS

Beyond traditional honeypots, which are designed for detecting network attacks, recent works have proposed the deployment of honeypots for web-based attacks. In the context of Web service honeypots, the proposed solutions are very limited.

Hugo González [5] presented “WSpot”, an approach for the design of a Web Service Honeypot. In this approach, the author proposes software that emulates a SOAP-based Web service. The objective of this software is to log and register all the activities on it. The architecture of this honeypot is very simple and does not allow collecting interesting information about the attacks. For example, when the attacker sends a request to the Web service honeypot, the response will be an error message like “You are not logged or not permitted to use this service”. This limits interest in this Web service and reduces the value of the information collected about attacks.

In [9], Thakar et al. proposed a semi-automated approach to analyze the attacks and generate signatures for web services. To perform data collection, the authors deployed some honeypots and traffic monitoring tools to log suspect activities. The chosen honeypot was Honeyd, a low-interaction open source software that creates security logs to report all attempted and