A practical and light-weight data capture tool for Xen virtual machine

  • Authors:
  • Nguyen Anh Quynh; Yoshiyasu Takefuji

  • Affiliations:
  • Graduate School of Media and Governance, Keio University, Fujisawa, Japan (both authors)

  • Venue:
  • ACOS'06 Proceedings of the 5th WSEAS international conference on Applied computer science
  • Year:
  • 2006

Abstract

A honeypot is a common means of investigating an attacker's activities, but the data capture tool, one of the key components of a high-interaction honeypot architecture, faces a major difficulty: it is very hard to hide its presence. For example Sebek, the de facto data capture tool, suffers from this problem: an intruder can uncover it easily, even without privileged access. This paper presents the design and implementation of a light-weight "camera" for the Xen virtual machine environment: the camera can be placed inside a virtual machine honeypot to gather the necessary data about the intruder's actions. The tool, named XenKamera, collects TTY data from the consoles of the observed honeypot and replays the collected data on-line or off-line, as the administrator wishes. Simply put, XenKamera lets us watch the intruder as if we were looking over his shoulder while he types. To prevent the intruder from discovering XenKamera, a special architecture is proposed so that the recording process is stealthy and hard to detect or circumvent. To protect the gathered data, the TTY log is secretly transferred to a separate virtual machine and kept safely there. Experiments demonstrate that XenKamera is effective and reliable. Besides serving honeypot purposes, XenKamera is designed to be light-weight enough to be practical on production systems as well, where it can record working sessions; the administrator can then rely on the logged data to investigate and troubleshoot administration problems.
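The abstract describes a data path (record TTY traffic with timing, ship the log off the honeypot, replay it on-line or off-line) without giving XenKamera's log format or code. The following Python is an added example, not XenKamera's own implementation: it shows one way to store timestamped console records so that a replay can reproduce the original pacing, detect truncation or gaps in a log that was transferred to another machine, and reconstruct what was typed (including backspaces) from the keystroke direction. The record layout, the function names and the sample session are all assumptions made for this illustration.

```python
import struct
import time
from typing import Callable, Iterator, List, Optional, Tuple

# Hypothetical record layout (not XenKamera's format):
#   u32 seq | f64 timestamp | u8 direction (0 = keystrokes in, 1 = console out) | u32 len | payload
HDR = struct.Struct("<IdBI")
Record = Tuple[int, float, int, bytes]


class TtyLog:
    """Append-only log of console traffic; one record per chunk, numbered so gaps are visible."""

    def __init__(self) -> None:
        self.buf = bytearray()
        self.seq = 0

    def append(self, direction: int, data: bytes, ts: Optional[float] = None) -> int:
        ts = time.time() if ts is None else ts
        self.buf += HDR.pack(self.seq, ts, direction, len(data)) + data
        self.seq += 1
        return self.seq  # number of records written so far


def parse_log(blob: bytes) -> List[Record]:
    """Parse a log blob received from the honeypot; refuse truncated or gapped logs."""
    records: List[Record] = []
    off, expect = 0, 0
    while off < len(blob):
        if off + HDR.size > len(blob):
            raise ValueError(f"truncated header at offset {off}")
        seq, ts, direction, n = HDR.unpack_from(blob, off)
        off += HDR.size
        if seq != expect:
            raise ValueError(f"sequence gap: expected {expect}, got {seq}")
        if off + n > len(blob):
            raise ValueError(f"truncated payload in record {seq}")
        records.append((seq, ts, direction, bytes(blob[off:off + n])))
        off += n
        expect += 1
    return records


def replay(records: List[Record], speed: float = 1.0,
           sleep: Callable[[float], None] = time.sleep) -> Iterator[Tuple[float, int, bytes]]:
    """Yield records with the original inter-record delay divided by `speed`.

    speed > 0 reproduces the session's pacing (on-line style watching);
    speed == 0 skips all delays (off-line dump). `sleep` is injectable for testing.
    """
    prev: Optional[float] = None
    for _, ts, direction, data in records:
        if prev is not None and speed > 0:
            sleep(max(0.0, (ts - prev) / speed))
        prev = ts
        yield ts, direction, data


def reconstruct_typed(records: List[Record]) -> str:
    """Rebuild what the intruder typed from the keystroke records, honouring backspace/DEL and CR."""
    typed: List[str] = []
    for _, _, direction, data in records:
        if direction != 0:
            continue
        for b in data:
            if b in (0x08, 0x7F):          # backspace or DEL erases the previous character
                if typed:
                    typed.pop()
            elif b == 0x0D:                # carriage return ends the command line
                typed.append("\n")
            else:
                typed.append(chr(b))
    return "".join(typed)


def sample_session() -> bytes:
    """Constructed sample session (not real captured data): a typo, a DEL, then a command and its echo."""
    log = TtyLog()
    t = 1000.0
    for ch in b"wgett\x7f http://example.invalid/x\r":
        log.append(0, bytes([ch]), t)      # one keystroke per record, 120 ms apart
        t += 0.12
    log.append(1, b"wget http://example.invalid/x\r\n", t)  # console echo of the finished line
    return bytes(log.buf)


if __name__ == "__main__":
    recs = parse_log(sample_session())
    print("typed:", repr(reconstruct_typed(recs)))
    for ts, direction, data in replay(recs, speed=0):
        print(f"{ts:10.2f} {'in ' if direction == 0 else 'out'} {data!r}")
```

The sequence counter is what makes the off-honeypot copy trustworthy: if an intruder manages to drop records in transit, or the transfer is cut short, `parse_log` refuses the log rather than silently replaying a shorter session.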