Towards
an Invisible Honeypot Monitoring System
Nguyen Anh Quynh,
Research Abstract
Honeypot is a decoy system to trap
attackers, and data capture tool is one of the components of the honeypot
architecture. Being used to collect the intruder's activities inside the
honeypot, this key component must be able to function as stealthily as
possible, so the intruder does not know that he is under watch. Unfortunately
Sebek, a de-facto tool for this purpose in the modern honeypot technology, is
rather easy to detect, even with unprivileged right access. We propose to use
Xen Virtual Machine to deploy honeypot, and takes the
advantage introduced by Xen to fix some of the outstanding problems of Sebek.
We designed and implemented a Xen-based system named Xebek
as a solution. While Xebek provides similar features
as Sebek does, our system is more ``invisible'' and harder to defeat. The
experimental results also demonstrate that Xebek is
more flexible, while the reliability and efficiency are significantly improved
over its counterpart.
Research Result
As a result of the research, Xebek system is implemented, and we are going to release it under the open source license very soon. We presented a paper about Xebek in an international security conference, and published the paper in Lecture Notes in Computer Science [1]. Besides, we also presented the solution in several international industrial conferences [2], [3]. Finally, our research is reported in a Japanese magazine [4].
References
[4] Report on HackInTheBox 2006 Security Conference,.Hacker Japan Magazine. January 2007. (Report about my research)
[3] Nguyen Anh Quynh. Towards an Invisible Honeypot Monitoring System. Hack.lu Security Conference. October 2006.
[2] Nguyen Anh Quynh. Towards an Invisible Honeypot Monitoring System. HITB2006 Security Conference. September 2006.
[1] Nguyen Anh Quynh, Yoshiyasu Takefuji. Towards an Invisible Honeypot Monitoring Tool. The 11th Australian Conference on Information Security and Privacy (ACISP06). Lecture Notes in Computer Science. (LNCS 4058). July 2006.