Towards an Invisible Honeypot Monitoring System

  • Nguyen Anh Quynh
  • Yoshiyasu Takefuji
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4058)


Honeypot is a decoy system to trap attackers, and data capture tool is one of the components of the honeypot architecture. Being used to collect the intruder’s activities inside the honeypot, this key component must be able to function as stealthily as possible, so the intruder does not know that he is under watch. Unfortunately Sebek, a de-facto tool for this purpose in the modern honeypot technology, is rather easy to detect, even with unprivileged right access. This paper proposes to use Xen Virtual Machine to deploy honeypot, and takes the advantage introduced by Xen to fix some of the outstanding problems of Sebek. We present a design and implementation of a Xen-based system named Xebek as a solution. While Xebek provides similar features as Sebek does, our system is more “invisible” and harder to defeat. The experimental results also demonstrate that Xebek is more flexible, while the reliability and efficiency are significantly improved over its counterpart.


Virtual Machine Shared Memory Kernel Module Physical Machine Outstanding Problem 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Balas, E., Viecco, C.: Towards a Third Generation Data Capture Architecture for Honeynets. In: The 6th IEEE Information Assurance Workshop (2005)Google Scholar
  2. 2.
    The Honeynet Project: Know your enemy: Sebek (2003),
  3. 3.
    Dragovic, B., Fraser, K., Hand, S., Harris, T., Ho, A., Pratt, I., Warfield, A., Barham, P., Neugebauer, R.: Xen and the art of virtualization. In: Proceedings of the ACM Symposium on Operating Systems Principles (2003)Google Scholar
  4. 4.
    Dornseif, M., Holz, T., Klein, C.: NoSEBrEaK - Attacking honeynets. In: The 5th Annual IEEE Information Assurance Workshop (2004)Google Scholar
  5. 5.
    stealth: adore-ng rootkit (2004),
  6. 6.
    madsys: Advanced incident response tool (2005),
  7. 7.
    Corey, J.: Local honeypot identification (2003),
  8. 8.
    TCPdump project: tcpdump/libpcap tool (2005),
  9. 9.
    Corey, J.: Advanced honeypot identification and exploitation (2004),
  10. 10.
  11. 11.
    The Honeynet Project: Know Your Enemy: Honeywall CDROM Roo (2005),
  12. 12.
    Holz, T.: Detecting honeypots and other suspicious environments. In: Proceedings of the 6th IEEE Information Assurance Workshop (2005)Google Scholar
  13. 13.
    sd: Linux on-the-fly kernel patching (2002),
  14. 14.
    The Honeynet Project: Know your enemy: Honeynets (2005),

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Nguyen Anh Quynh
    • 1
  • Yoshiyasu Takefuji
    • 1
  1. 1.Graduate School of Media and GovernanceKeio UniversityKanagawaJapan

Personalised recommendations