Using rootkits hiding techniques to conceal honeypot functionality. (May 2023)
- Record Type:
- Journal Article
- Title:
- Using rootkits hiding techniques to conceal honeypot functionality. (May 2023)
- Main Title:
- Using rootkits hiding techniques to conceal honeypot functionality
- Authors:
- Mohammadzad, Maryam
Karimpour, Jaber
- Abstract:
- A Honeypot is one of the existing technologies in the area of computer network security. The goal of a Honeypot is to create a tempting target for the attacker. The system that is considered a Honeypot in the network includes the services and functions of a real system, which the attacker sees as a normal system and enters for exploitation. In this way, the Honeypot can monitor the behaviors, patterns, and tools used in various attacks. Certainly, if an intelligent attacker realizes the existence of this trap in the target network, he can design ways to bypass it. In this case, the Honeypot practically loses its effectiveness. Therefore, the issue of hiding the Honeypot is one of the primary challenges in this field. In this paper, a solution to this problem is presented: the Honeypot is concealed using the concealment techniques used in Rootkits. We use application examples and theoretical analysis results to show that the proposed Honeypot concealment approach is strong against existing kernel-based Honeypot detection methods. Sebek, VMScope, and Qebek are the three Honeypots we chose for comparison purposes. The proposed Honeypot has been compared with them in terms of virtualization, memory usage, and kernel modification. The experimental results show that the proposed hidden Honeypot, in addition to low kernel modification, leaves no trace in memory. Also, the proposed Honeypot does not use virtualization. It can successfully be concealed in the kernel of the target system without any effect on the target system. We also implemented the proposed algorithm on the example network and tested all of Sebek's detection methods on it. The experimental results show that the proposed kernel-based approach can bypass these detection methods.
- Is Part Of:
- Journal of network and computer applications. Volume 214(2023)
- Journal:
- Journal of network and computer applications
- Issue:
- Volume 214(2023)
- Issue Display:
- Volume 214, Issue 2023 (2023)
- Year:
- 2023
- Volume:
- 214
- Issue:
- 2023
- Issue Sort Value:
- 2023-0214-2023-0000
- Page Start:
- Page End:
- Publication Date:
- 2023-05
- Subjects:
- Computer network -- Cyber-attacks -- Honeypot -- Intrusion detection system -- Rootkit -- Security
Microcomputers -- Periodicals
Computer networks -- Periodicals
Application software -- Periodicals
Micro-ordinateurs -- Périodiques
Réseaux d'ordinateurs -- Périodiques
Logiciels d'application -- Périodiques
Application software
Computer networks
Microcomputers
Periodicals
004.05
004
- Journal URLs:
- http://www.sciencedirect.com/science/journal/10848045
http://www.elsevier.com/journals
- DOI:
- 10.1016/j.jnca.2023.103606
- Languages:
- English
- ISSNs:
- 1084-8045
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 5021.410600
British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital store
- Ingest File:
- 26900.xml