Abstract
Intrusion activity monitoring is a complex task to achieve. An intruder should not be alerted about being monitored, so a stealthy approach is needed that does not reveal the presence of monitoring. Virtual Machine based High Interaction Honeypots help achieve stealthy monitoring. Most of the related research work uses the concept of Virtual Machine Introspection, which relies on System Call Interception. However, most of these methods hook the sysenter instruction to intercept system calls. This can be defeated by an intruder, since sysenter is not the only way of making a system call. We have designed and implemented a High-Interaction Virtual Machine based honeypot using the open source tool Qebek. Qebek is more effective because it hooks the actual system call implementation itself. We have tested its capture capability by running different types of malware. The results obtained show that the system is able to capture information about processes running on the honeypot, console data and network activities, which reveal the maliciousness of the activities.
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Gopalakrishna, A., Pais, A.R. (2013). Emulating a High Interaction Honeypot to Monitor Intrusion Activity. In: Thampi, S.M., Atrey, P.K., Fan, CI., Perez, G.M. (eds) Security in Computing and Communications. SSCC 2013. Communications in Computer and Information Science, vol 377. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40576-1_8
DOI: https://doi.org/10.1007/978-3-642-40576-1_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40575-4
Online ISBN: 978-3-642-40576-1