DETECTING AUTOMATED SITE SCANS

摘要

Automated site scans are often seen as precursors to a cyber attack, from URI enumeration and version mapping to timing scans used to identify the most valuable DDoS targets. Disclosed are methods and apparatuses for detecting automated site scans and identifying the source of cyber attacks. Honeypot links are provided on a web page via a server. If multiple honeypot links are selected by a visitor of the web page, the server may identify the visitor as an automated system and generate a session ID. The server induces an artificial delay prior to displaying the data associated with the selected honeypot link. After a subsequent attack, the server is able to identify the attacker by association with the stored session ID of an automated site scan.

主权项

1. A computer-implemented method, comprising:
providing, from a server, a plurality of honeypot links; detecting, at the server, that at least two of the plurality of honeypot links have been selected by a computer; generating, at the server, a session ID associated with the computer and the selected honeypot links; storing, at the server, the session ID; displaying, from the server, data in response to each selected honeypot link, wherein the data is displayed after an artificial delay; determining, at the server, that the computer is an origin of an attack, wherein the determining is performed by comparing the selected honeypot links associated with the session ID with the links targeted in the attack to determine the similarities.