A practical and light-weight data capture tool for Xen virtual machine

Nguyen Anh Quynh, Yoshiyasu Takefuji

Research output: Contribution to journal › Article

Abstract

Honeypots are a common solution for investigating attackers' activities, but the data capture tool, one of the key components of a high-interaction honeypot architecture, faces a major difficulty: it is very hard to hide its presence. For example Sebek, the de facto data capture tool, suffers from this problem: the intruder can easily uncover it even without privileged access rights. This paper presents the design and implementation of a light-weight "camera" software in the Xen virtual machine environment: the camera can be put into the virtual machine honeypot to gather the necessary data about the intruder's actions. The camera tool is named XenKamera; it aims to collect TTY data from the consoles of the observed honeypot, then replays the collected data in an on-line or off-line manner as the administrator wishes. Simply put, XenKamera allows us to watch the intruder as if we were looking over his shoulder while he is typing. In order to prevent the intruder from discovering XenKamera, a special architecture is proposed, so the data recording process becomes stealthy, hard to detect and circumvent. To protect the gathered data, the TTY logging is secretly transferred to a separate virtual machine and safely kept there. Experiments demonstrate that XenKamera is effective and reliable. Besides serving honeypot purposes, XenKamera is designed to be so light-weight that it is practical and can also be used in production systems to record working sessions, and the administrator can rely on the logged data to investigate and troubleshoot administration.

Original language: English
Pages (from-to): 1053-1060
Number of pages: 8
Journal: WSEAS Transactions on Computers
Volume: 5
Issue number: 5
Publication status: Published - May 2006

Fingerprint

  • Data acquisition
  • Cameras
  • Data recording
  • Virtual machine
  • Experiments

Keywords

  • Computer administration
  • Data capture tool
  • Honeypot
  • Keylogger
  • Linux
  • Stealth communication
  • TTY logging
  • Xen virtual machine

ASJC Scopus subject areas

  • Computer Science (miscellaneous)

Cite this

A practical and light-weight data capture tool for Xen virtual machine. / Quynh, Nguyen Anh; Takefuji, Yoshiyasu.

In: WSEAS Transactions on Computers, Vol. 5, No. 5, 05.2006, p. 1053-1060.

@article{6fb82458e27e466989930edb98d6a485,
title = "A practical and light-weight data capture tool for Xen virtual machine",
abstract = "Honeypot is a common solution to investigate attacker's activities, but the data capture tool, one of the key components of high-interaction honeypot architecture, faces a major difficulty: it is very hard to hide its presence. For example Sebek, the de-factor data capture tool, suffers from this problem: the intruder can easily uncover it even without privileged access right. This paper presents a design and implementation of a light-weight {"}camera{"} software in Xen virtual machine environment: the camera can be put into the virtual machine honeypot to gather necessary data about intruder's action. The camera tool is named XenKamera, which aims to collect TTY data from consoles of observed honeypot, then replays the collected data in on-line or off-line manner as the administrator wishes. Simply put, XenKamera allows us to watch the intruder as if we were looking over his shoulder while he is typing. In order to prevent the intruder from discovering XenKamera, a special architecture is proposed, so the data recording process becomes stealth, hard to detect and circumvent. To protect the gathered data, the TTY logging is secretly transferred to a separate virtual machine and safely kept there. Experiments demonstrate that XenKamera is effective and reliable. Besides to serve for honeypot purpose, XenKamera is designed to be so light-weight that it is practical and can also be used in the production systems to record the working sessions, and the administrator can rely on the logging data to investigate and trouble-shoot administration.",
keywords = "Computer administration, Data capture tool, Honeypot, Keylogger, Linux, Stealth communication, TTY logging, Xen virtual machine",
author = "Quynh, {Nguyen Anh} and Yoshiyasu Takefuji",
year = "2006",
month = "5",
language = "English",
volume = "5",
pages = "1053--1060",
journal = "WSEAS Transactions on Computers",
issn = "1109-2750",
publisher = "World Scientific and Engineering Academy and Society",
number = "5",

}

TY - JOUR

T1 - A practical and light-weight data capture tool for Xen virtual machine

AU - Quynh, Nguyen Anh

AU - Takefuji, Yoshiyasu

PY - 2006/5

Y1 - 2006/5

N2 - Honeypot is a common solution to investigate attacker's activities, but the data capture tool, one of the key components of high-interaction honeypot architecture, faces a major difficulty: it is very hard to hide its presence. For example Sebek, the de-factor data capture tool, suffers from this problem: the intruder can easily uncover it even without privileged access right. This paper presents a design and implementation of a light-weight "camera" software in Xen virtual machine environment: the camera can be put into the virtual machine honeypot to gather necessary data about intruder's action. The camera tool is named XenKamera, which aims to collect TTY data from consoles of observed honeypot, then replays the collected data in on-line or off-line manner as the administrator wishes. Simply put, XenKamera allows us to watch the intruder as if we were looking over his shoulder while he is typing. In order to prevent the intruder from discovering XenKamera, a special architecture is proposed, so the data recording process becomes stealth, hard to detect and circumvent. To protect the gathered data, the TTY logging is secretly transferred to a separate virtual machine and safely kept there. Experiments demonstrate that XenKamera is effective and reliable. Besides to serve for honeypot purpose, XenKamera is designed to be so light-weight that it is practical and can also be used in the production systems to record the working sessions, and the administrator can rely on the logging data to investigate and trouble-shoot administration.

AB - Honeypot is a common solution to investigate attacker's activities, but the data capture tool, one of the key components of high-interaction honeypot architecture, faces a major difficulty: it is very hard to hide its presence. For example Sebek, the de-factor data capture tool, suffers from this problem: the intruder can easily uncover it even without privileged access right. This paper presents a design and implementation of a light-weight "camera" software in Xen virtual machine environment: the camera can be put into the virtual machine honeypot to gather necessary data about intruder's action. The camera tool is named XenKamera, which aims to collect TTY data from consoles of observed honeypot, then replays the collected data in on-line or off-line manner as the administrator wishes. Simply put, XenKamera allows us to watch the intruder as if we were looking over his shoulder while he is typing. In order to prevent the intruder from discovering XenKamera, a special architecture is proposed, so the data recording process becomes stealth, hard to detect and circumvent. To protect the gathered data, the TTY logging is secretly transferred to a separate virtual machine and safely kept there. Experiments demonstrate that XenKamera is effective and reliable. Besides to serve for honeypot purpose, XenKamera is designed to be so light-weight that it is practical and can also be used in the production systems to record the working sessions, and the administrator can rely on the logging data to investigate and trouble-shoot administration.

KW - Computer administration

KW - Data capture tool

KW - Honeypot

KW - Keylogger

KW - Linux

KW - Stealth communication

KW - TTY logging

KW - Xen virtual machine

UR - http://www.scopus.com/inward/record.url?scp=33744546029&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=33744546029&partnerID=8YFLogxK

M3 - Article

VL - 5

SP - 1053

EP - 1060

JO - WSEAS Transactions on Computers

JF - WSEAS Transactions on Computers

SN - 1109-2750

IS - 5

ER -