TY - GEN
T1 - Defense of the Clones
T2 - 2025 APWG Symposium on Electronic Crime Research, eCrime 2025
AU - Tsouvalas, Billy
AU - Nikiforakis, Nick
N1 - Publisher Copyright: ©2025 IEEE.
PY - 2025
Y1 - 2025
N2 - In this paper, we introduce PARALLAX, an automatic, application-agnostic, and resource-efficient web application honeypot generation and deployment framework. PARALLAX can generate honeypot clones of any live LAMP stack, without interfering with the availability of the web application, and deploys the clones alongside the original web application. In the PARALLAX-based network deployment, all attackers are seamlessly and covertly redirected to the honeypot clone, while benign visitors may continue their interaction with the original web application, same as before. Alongside PARALLAX, we introduce three independent sensitive data detection schemes, which we employ to isolate and replace the sensitive data of the original web application on the honeypot clone. As we allow attackers full interaction with all parts of the honeypot clone, we replace the sensitive data on the honeypot with realistic, context-aware, synthetic data using an LLM to ensure that none of the sensitive data of the original web application are compromised by attackers. To evaluate PARALLAX, we deploy it in the wild for five open-source web applications, and we examine the honeypot generation and deployment performance, as well as the interaction of attackers with the honeypot clones. Lastly, to evaluate the deceptive capability of the synthetically generated data, we conduct a large-scale user study and evaluate how well humans are able to differentiate between real and synthetic sensitive data.
UR - https://www.scopus.com/pages/publications/105032973757
U2 - 10.1109/eCrime66972.2025.11327719
DO - 10.1109/eCrime66972.2025.11327719
M3 - Conference contribution
AN - SCOPUS:105032973757
T3 - eCrime Researchers Summit, eCrime
BT - 2025 APWG Symposium on Electronic Crime Research, eCrime 2025
PB - IEEE Computer Society
Y2 - 4 November 2025 through 7 November 2025
ER -