CR, NI | Jul 11, 2015

Apate - A Linux Kernel Module for High Interaction Honeypots

arXiv:1507.03117v1 | 3 citations
Originality: Incremental advance
AI Analysis

This addresses the need for effective and secure honeypots to detect intrusions and gather attack information, though it is incremental as it builds on existing honeypot concepts with a new tool.

The paper tackles the problem of building and hardening high interaction honeypots in IT security by presenting Apate, a Linux Kernel Module that logs, blocks, and manipulates system calls based on configurable conditions, enabling easier and more secure honeypot deployment.

Honeypots are used in IT security to detect and gather information about ongoing intrusions, e.g., by documenting the approach of an attacker. Honeypots do so by presenting an interactive system that looks like a legitimate application to the attacker. One of the main design goals of honeypots is to stay unnoticed by attackers for as long as possible: the longer the intruder interacts with the honeypot, the more valuable the information collected about the attack. Of course, another main goal of honeypots is to not open new vulnerabilities that attackers can exploit, so the honeypot and its surrounding environment must be hardened. This paper presents Apate, a Linux Kernel Module (LKM) that is able to log, block and manipulate system calls based on preconfigurable conditions such as Process ID (PID), User ID (UID), and many more. Apate can be used to build and harden High Interaction Honeypots, and it can be configured using an integrated high-level language. Thus, Apate is an important and easy-to-use building block for upcoming High Interaction Honeypots.
