Emulating a High Interaction Honeypot to Monitor Intrusion Activity

  • Conference paper

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 377))

Abstract

Monitoring intrusion activity is a complex task: the intruder must not learn that it is being monitored, so a stealthy approach is needed that gives no sign of the monitoring. Virtual machine based high-interaction honeypots help achieve such stealthy monitoring. Most related work relies on virtual machine introspection built on system call interception, and most of these methods intercept system calls by hooking the sysenter instruction. An intruder can defeat this, because sysenter is not the only way to make a system call. We have designed and implemented a virtual machine based high-interaction honeypot using the open source tool Qebek. Qebek is more effective because it hooks the system call implementation itself rather than a single entry instruction. We tested its capture capability by running different types of malware. The results show that the system captures information about the processes running on the honeypot, console data and network activity, which together reveal the maliciousness of the activity.
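
The abstract's key point, that hooking one entry instruction is not enough, can be seen in code. The following C program is an added example; it is not code from the paper or from Qebek. It reaches the same kernel service (getpid) through three different user-space paths: the libc wrapper, libc's generic syscall(2) function, and a hand-written trap instruction with no libc involvement. A monitor that hooks only one entry instruction sees only the paths that use it; a monitor that hooks the kernel-side implementation of the call sees all of them, which is the property the paper attributes to Qebek. The x86-64 and AArch64 instruction sequences are assumptions about the host the reader compiles on; on a 32-bit x86 guest the analogous alternative entries are int 0x80, sysenter and the vDSO's __kernel_vsyscall.

```c
/* Added example: the same system call reached by three different entry paths.
 * Assumes a Linux host on x86-64 or AArch64; other architectures fall back
 * to the libc syscall(2) function for the "raw" path. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Prototype repeated here so the example compiles even when _GNU_SOURCE
 * was not in effect for the first include of <unistd.h>. */
long syscall(long number, ...);

/* Path 1: the libc wrapper. The monitor never sees the wrapper itself,
 * only whatever trap instruction libc happens to use on this platform. */
long pid_via_libc(void)
{
    return (long)getpid();
}

/* Path 2: libc's generic entry point with the same number, no wrapper.
 * Still libc, so still libc's choice of trap instruction. */
long pid_via_syscall_fn(void)
{
    return syscall(SYS_getpid);
}

/* Path 3: the trap instruction issued directly. Malware that wants to avoid
 * an instrumented libc, or an intruder who knows which instruction the
 * monitor hooks, can pick any entry the kernel accepts. On x86-64 `syscall`
 * clobbers rcx and r11; on AArch64 the number goes in x8 and `svc #0` traps. */
long pid_via_raw_insn(void)
{
#if defined(__x86_64__)
    long ret;
    __asm__ volatile("syscall"
                     : "=a"(ret)
                     : "a"((long)SYS_getpid)
                     : "rcx", "r11", "memory");
    return ret;
#elif defined(__aarch64__)
    register long nr  __asm__("x8") = SYS_getpid;
    register long ret __asm__("x0");
    __asm__ volatile("svc #0"
                     : "=r"(ret)
                     : "r"(nr)
                     : "memory");
    return ret;
#else
    /* Assumption: no hand-written trap for this architecture in this example. */
    return syscall(SYS_getpid);
#endif
}

/* All three paths land in the kernel's getpid implementation, so a hook
 * placed there (Qebek's approach, per the abstract) observes every one of
 * them; a hook on a single entry instruction does not. Returns 1 when the
 * kernel answered identically on every path. */
int all_paths_agree(void)
{
    long a = pid_via_libc();
    long b = pid_via_syscall_fn();
    long c = pid_via_raw_insn();
    return a > 0 && a == b && b == c;
}

int main(void)
{
    printf("libc wrapper : %ld\n", pid_via_libc());
    printf("syscall(2)   : %ld\n", pid_via_syscall_fn());
    printf("raw trap insn: %ld\n", pid_via_raw_insn());
    printf("all paths agree: %s\n", all_paths_agree() ? "yes" : "no");
    return all_paths_agree() ? 0 : 1;
}
```

Build with `cc -O2 example.c -o example`. Tracing it with a tool that intercepts only one entry mechanism (for instance a breakpoint on the libc wrapper, or on a single trap instruction in a 32-bit guest) shows fewer than three events; tracing at the kernel side, as `strace` or a handler-level hook does, shows all three.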




Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Gopalakrishna, A., Pais, A.R. (2013). Emulating a High Interaction Honeypot to Monitor Intrusion Activity. In: Thampi, S.M., Atrey, P.K., Fan, CI., Perez, G.M. (eds) Security in Computing and Communications. SSCC 2013. Communications in Computer and Information Science, vol 377. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40576-1_8


  • DOI: https://doi.org/10.1007/978-3-642-40576-1_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-40575-4

  • Online ISBN: 978-3-642-40576-1
