Abstract
A honeypot is a decoy system deployed to trap attackers, and the data capture tool is one component of the honeypot architecture. Because it is used to collect the intruder's activities inside the honeypot, this key component must function as stealthily as possible, so that the intruder does not realize he is being watched. Unfortunately Sebek, the de facto tool for this purpose in modern honeypot technology, is rather easy to detect, even with unprivileged access rights. This paper proposes deploying honeypots on the Xen virtual machine monitor and uses the advantages Xen introduces to fix some of Sebek's outstanding problems. We present the design and implementation of a Xen-based system named Xebek as a solution. While Xebek provides features similar to Sebek's, our system is more "invisible" and harder to defeat. The experimental results also demonstrate that Xebek is more flexible, while its reliability and efficiency are significantly improved over its counterpart.
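To make the "easy to detect, even with unprivileged access rights" claim concrete, the following is an added example (not code from the paper or from the Sebek or Xebek projects) of the kind of in-guest check the abstract is arguing against. It follows the well-known counter test against Sebek: Sebek hides its UDP export packets from the guest's sniffer, but they still bump the interface's transmit packet counter in /proc/net/dev, which any user can read, and a hooked sys_read emits one record per read() call. The sample /proc/net/dev snapshots, the interface name, the read count and the 0.5 ratio threshold are constructed assumptions of this example, not values from the paper.

```python
"""Unprivileged heuristic for a kernel-resident read() logger that exports
over the network (the classic Sebek counter test).  Added example; the
sample data, interface name and threshold are this example's assumptions."""
import time
from typing import Dict, Tuple

# Constructed /proc/net/dev snapshots (not captured from a real host).
SAMPLE_BEFORE = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   10240     120    0    0    0     0          0         0    10240     120    0    0    0     0       0          0
  eth0: 1234567   12345    0    0    0     0          0         0  7654321   23456    0    0    0     0       0          0
"""
# After 2000 one-byte reads on a host with a per-read network logger: +2000 TX packets.
SAMPLE_AFTER_LOGGED = SAMPLE_BEFORE.replace("7654321   23456", "7854321   25456")
# After the same reads on a clean host: only background traffic (+4 packets).
SAMPLE_AFTER_CLEAN = SAMPLE_BEFORE.replace("7654321   23456", "7654721   23460")


def parse_proc_net_dev(text: str) -> Dict[str, Tuple[int, int]]:
    """Return {iface: (rx_packets, tx_packets)} from /proc/net/dev text.
    After the 'name:' prefix the columns are rx bytes, rx packets, ... (8 rx
    fields) then tx bytes, tx packets, ...; so rx packets is field 1 and
    tx packets is field 9."""
    stats: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # the two header lines carry no counters
        name, _, rest = line.partition(":")
        fields = rest.split()
        if len(fields) < 10:
            continue
        stats[name.strip()] = (int(fields[1]), int(fields[9]))
    return stats


def tx_delta(before: str, after: str, iface: str) -> int:
    """Growth of the TX packet counter of `iface` between two snapshots."""
    return parse_proc_net_dev(after)[iface][1] - parse_proc_net_dev(before)[iface][1]


def logger_suspected(before: str, after: str, iface: str,
                     reads_issued: int, ratio: float = 0.5) -> bool:
    """Local read() calls on /dev/zero should not move the TX counter at all.
    If it grows by at least `ratio` of the number of reads, something in the
    kernel is sending roughly one packet per read, which is how a hidden
    per-read exporter shows up.  The 0.5 ratio is an assumed margin that
    tolerates ordinary background traffic and dropped records."""
    return tx_delta(before, after, iface) >= reads_issued * ratio


def live_probe(iface: str = "eth0", reads: int = 2000) -> bool:
    """Run the check on a live Linux host; needs no privileges.  Each
    z.read(1) on an unbuffered file is one read() syscall, so a hooked
    sys_read sees `reads` separate events."""
    with open("/proc/net/dev") as f:
        before = f.read()
    with open("/dev/zero", "rb", buffering=0) as z:
        for _ in range(reads):
            z.read(1)
    time.sleep(0.2)  # let any queued export packets reach the counters
    with open("/proc/net/dev") as f:
        after = f.read()
    return logger_suspected(before, after, iface, reads)


if __name__ == "__main__":
    print("logged host flagged:", logger_suspected(SAMPLE_BEFORE, SAMPLE_AFTER_LOGGED, "eth0", 2000))
    print("clean host flagged: ", logger_suspected(SAMPLE_BEFORE, SAMPLE_AFTER_CLEAN, "eth0", 2000))
```

The point for the design in this paper is that the counters, the timing of read() and the module list all live inside the guest; a monitor that records the same keystrokes from the Xen control domain leaves none of these in-guest side effects for a check like this to find.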
© 2006 Springer-Verlag Berlin Heidelberg
Cite this paper
Quynh, N.A., Takefuji, Y. (2006). Towards an Invisible Honeypot Monitoring System. In: Batten, L.M., Safavi-Naini, R. (eds) Information Security and Privacy. ACISP 2006. Lecture Notes in Computer Science, vol 4058. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11780656_10
DOI: https://doi.org/10.1007/11780656_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-35458-1
Online ISBN: 978-3-540-35459-8