Server Honeypot Based Detection For Keylogger Computer Science Essay


Abstract- Malware attacks are very common in the cyber world and are difficult to detect and defend against. A keylogger spyware combines a keylogger script and a spyware script in a single program. In this paper we propose a detection technique for the keylogger spyware attack, which is capable of stealing credentials and confidential information from an infected user's system. Detection is performed with the help of two honeypots, a Client Honeypot and a Server Honeypot. The Client Honeypot, deployed at the client side, monitors the malicious activities occurring in the infected system and reports them to the Server Honeypot. The reported entries are stored in a database maintained at the Server Honeypot. The administrator uses this information to detect the keylogger spyware in a user's system during an inspection process. The proposed technique is capable of detecting attacks that use such a combination of malware.

Index Terms- Malware; Keylogger; Spyware; Keylogger Spyware Attack; Client-Server Honeypot Based Detection; Keylogger Spyware Algorithm; Client Honeypot Algorithm; Server Honeypot Algorithm; Keylogger Spyware Inspection Algorithm.


I. Introduction

Malware steals information from a computer or damages it. Types include keyloggers, spyware, adware, rootkits and so on. In short, malware is a program intentionally developed to cause harm or to exploit people's computers, especially those connected to the Internet [21]. What makes malware more hazardous is that it reinstalls itself even after it has been removed, and it is difficult to clean because it hides deep within Windows [22]. Providing efficient security solutions against these attacks has therefore become crucial. A keylogger spyware is a different kind of malware attack which uses two malware programs in one combined script. In this paper we propose a Client and Server Honeypot based detection technique for keylogger spyware attacks. We have created two honeypots, a Client Honeypot and a Server Honeypot. The Client Honeypot, deployed at the client side, monitors the malicious activities occurring in the infected client system and reports them to the Server Honeypot. The Server Honeypot maintains a database in which the information sent by the Client Honeypot is recorded. The malicious activity (i.e. an email being sent every minute) can then be easily detected in an inspection process. Moreover, the information sent can be further used to prevent this attack. The paper is organized as follows: Section II discusses related work. Section III contains the related terminology. Section IV gives the problem definition, followed by the methodology of this work in Section V. Section VI contains the proposed algorithms for keylogger spyware detection. The work is concluded in Section VII, followed by future work in Section VIII.


II. Related Work

In [1] the authors propose a framework for the detection and prevention of the keylogger spyware attack, capable of defending against attacks that use a combination of malware. Paper [2] focuses on honeynet technology, which provides new and powerful means for network security; the honeypot system is optimized with respect to targeting, integrity, detection rate and safety, and experiments show that the improved honeypot system achieves higher detection rates and higher safety. In [3] the authors present an agent-based honeynet framework for protecting servers in a campus network: agents remove malicious processes and executable files on servers infected by zero-day attacks as soon as the honeynet detects them, providing a novel defense mechanism that protects servers from new types of Internet worms effectively, without the use of signatures. In [4] an intrusion detection module based on honeypot technology is presented. It makes use of IP traceback, and mobile agents give it the capability of distributed detection and response; using honeypot technology, the module traces the intrusion source as far back as possible. In [5] honeypot client and server technologies are used together for malware collection and analysis, the main objective being the analysis of the malware collected from the honeypots. Honeypots are classified as server honeypots and client honeypots. Server honeypots provide knowledge of server-side attacks and are passive honeypots. Client honeypots provide deep knowledge of client-side attacks and are therefore also called active honeypots or honeyclients. The proposed integrated framework for malware collection and analysis has five components: URL data source, honeypot controller, central database, analysis server and management server.

In [6] an intelligent intrusion detection system using an AI approach for unknown malware attacks is proposed. The techniques used include neural networks and fuzzy logic, and a hybrid system combining anomaly, misuse and host based detection is introduced. An attack classification method for computer network security is also proposed, in which attacks are classified by vulnerability, i.e. attack propagation skills and attack intentions, and the classification results are arranged accordingly. In [7] the authors aim to discover frequent new sequential attack patterns of malware using a data mining algorithm, the PrefixSpan method, to analyze malware footprints. The method detects frequent sequential attack patterns with high accuracy; PrefixSpan mines sequential patterns in a huge dataset efficiently, without candidate generation and with much smaller memory consumption. The analysis shows that attacks are performed through multiple sequential attack patterns within a short amount of time. In [8] an improved intrusion detection system is designed on the basis of an analysis of traditional IDSs, combining the advantages of data capture by honeypots with two-layer detection. The system can detect intruders from outside as well as abusers within the system, and provides complete, controllable, reliable proactive protection for computers and networks. To address the shortcomings of traditional IDSs in detecting complex and unknown attacks, a distributed intrusion detection system based on honeypots is proposed in [9]. In [10] the authors describe a new generation of malware attacks on VoIP infrastructures and services. If strong security measures are not deployed, such malware poses a real threat to deployed VoIP architectures. The proposed bot architecture stacks different protocols and provides the bot with an application interface to use them: the SIP stack is responsible for sending, receiving, constructing and parsing SIP messages, and the RTP stack for coding and decoding, compressing and expanding, encapsulating and demultiplexing media flows. The introduced "VoIP bots" support a wide set of attacks ranging from spam over Internet telephony (SPIT) to distributed denial of service (DDoS), and were tested against several VoIP platforms.

In [11] the authors discuss some problems of existing honeypot-based anti-phishing solutions, such as the gap between spamtraps and phoneytokens and the online verification of phoneytokens. Spamtraps are used only as a tool to detect phishing emails (i.e. the URLs of phishing sites included in them), and submissions of phoneytokens are triggered only after a phishing site is confirmed, often by a human inspector. A framework is proposed which transforms the real e-banking system into a honeypot carrying honeytokens to deal with these problems, and a phishing detector automatically detects suspicious phishing attempts. In [12] the authors propose a worm detection and defense system named bot-honeynet, which combines the best features of honeynets, anomaly detection and botnets. The combination of honeynet and anomaly detection offers a tradeoff between false positive and false negative rates, and bot-honeynet is designed not only to detect worm attacks but also to defend against malicious worms. The authors conclude from simulation that a P2P based benign worm defends against malicious worms with high efficiency and is better than a traditional benign worm even if released later, which gives security researchers more time to prepare benign worms. In [13], based on research on honeypot technology and in view of the many problems of current traditional security resource applications, honeypot technology is applied to network security defense and a honeypot-based distributed intrusion prevention model is presented. The experimental results show that the program successfully remedies deficiencies of existing monitoring systems and improves the performance of the safety defense systems. In [14] the authors propose a new architecture composed of distributed cooperative agents to reduce the false alarm ratio of intrusion detection systems (IDS), as a twofold contribution; a theoretical analysis of the agents' behavior is given and its extensions are explained. In [15] an analysis framework is developed to gain insights into honeynet data. A forensic procedure is used to find network traces with the same kind of pattern within the attack dataset, and a clustering tool is designed that can characterize different kinds of attacks; the authors analyze the time series of the attacks as one of the important aspects illustrating their method.

In [16] it is discussed whether spyware running on a machine can be confused by the way data is entered. One of the key findings is that a main and common problem of password security can be improved by biometric and graphical authentication, and an alternative, image-based user authentication that is resistant to keylogger spyware is presented. In [17] the authors present a signature analysis and extraction system for web services. A similar existing tool was able to help administrators generate precise signatures of various attacks on HTTP, SMTP, FTP and other services. This work addresses the important issue of intrusion attack analysis and precise signature extraction for web services: the developed system alerts the system administrator about attack patterns on web services, lets the administrator determine the number of attacks made on different services over different transport protocols, is helpful in analyzing attacks and should be useful for extracting good quality signatures from honeypot data logs. In [18] the authors discuss their experience in analyzing the benefits of honeynets for intrusion detection. The purpose of their work is to examine how to integrate multiple intrusion detection sensors and honeynets in order to minimize the number of false alarms; they present a framework for designing honeynet-based projects for network security analysis, with an example. In [19] the authors propose a hybrid and adaptable honeypot-based approach that improves currently deployed IDSs for protecting networks from intruders. The main idea is to deploy low-interaction honeypots that emulate services and operating systems and have them direct malicious traffic to high-interaction honeypots, where hackers engage with real services. This setup permits recording and analyzing the intruder's activities, and on the basis of the results the administrator can take action to protect the network. In [20] the authors develop J-Honeypot, a Java based network deception tool with web-based monitoring and rule-based intrusion detection capability. They interface it with an SQL database, develop a rich set of logging functionalities, and provide a convenient GUI for users to visualize the results.


III. Related Terminology

Malware is among the biggest threats on the Internet. It can hijack the browser, redirect search attempts, serve up pop-up ads and track the websites being visited. Malware programs make the computer slow and unstable, which is unbearable to the user, besides causing other damage. Malware can infect computers in many ways. Some malware programs, such as pop-up ads, are used to earn revenue from the ads. The majority of malware needs to be installed by the user. It is very difficult to get rid of malware because it tends to multiply once installed.

Some related terminology is discussed below:

A. Malwares

Malware is classified into various categories, including adware, spyware, hijackers, toolbars and dialers.

1) Spyware: Spyware programs spy on confidential information and send it to a specified system. Some spyware has the task of sending URL information, the information typed by the user in Internet Explorer, or even the names of the files being downloaded. Some are even capable of searching the hard drive and reporting back the programs installed. The contents of the e-mail address book can be stolen and then sold to spammers. Any other useful information about a user, such as name, browser history, login names and passwords, credit card numbers, phone number and address, can easily be stolen [1][22].

2) Keylogger: A keylogger or keystroke logger is a software or hardware device used to monitor the keys typed on the keyboard. Its presence goes undetected, as it runs in the background and does not appear in the list of programs running in the Task Manager or Control Panel. It can be used to obtain very secret information such as the username and password used to log on to an online bank account [1][22][23].

A malware attack becomes far more dangerous when malware is used in combination. In this work we have designed an attack scenario for a keylogger spyware, a combination of a keylogger and a spyware program. The keylogger script stores every keystroke into a file, generating a log file, and the spy script then emails this log file to the address specified by the designer.

B. Honeypot

A honeypot is an Internet-attached server that acts as a decoy. It lures potential hackers and studies their activities, such as how they are able to break into a system. Honeypots are designed to completely resemble the system an intruder would like to break into, while limiting the intruder from having complete access to the whole network, giving the intruder no idea that they are being tricked and monitored. A collection of honeypots forms a network, which is called a honeynet.

1) Use of Honeypot: A honeypot network is intentionally left with common vulnerabilities so that it lures a hacker into attacking the entire network or some attached computers. The main reasons for using honeypots are:

Research, to see the types of technology, methods and procedures currently being used by hackers.

The second reason concerns the system administrator of a network or computer, who can observe how the network is being targeted, learn which security measures are needed to protect the network or computer, and identify potential attackers of the more important computers.

By studying the activities of hackers, designers can create more secure systems.

2) Working of Honeypot: Honeypots are mostly installed inside firewalls so that they can be controlled, though it is also possible to install them outside firewalls. The firewall in front of a honeypot works the opposite way to a normal one: it allows traffic in from the Internet but restricts what the system sends back out.

Fig. 1. Implementation Scenario of Honeypots in Network


IV. Problem Definition

Hackers use malware to breach the security of a system, and when they succeed it causes a great deal of trouble for security experts. Malware can be of many types, e.g. keylogger, spyware, rootkit. These can be used in combination, e.g. a keylogger spyware as a single program. In this paper we propose a technique for the detection of keylogger spyware attacks. The proposed technique uses a Client Honeypot and a Server Honeypot. The Client Honeypot is deployed at the client side, where it detects the malicious activity performed by the keylogger spyware if present. This information is reported to the Server Honeypot, where a database is maintained with all the entries of the malicious activities taking place at the client side. Each entry contains the timestamp, the IP address of the client and the process ID of the email sending process. The honeypot based technique is capable of detecting such attacks.


V. Methodology

The methodology of the proposed work is divided into two parts: the keylogger spyware attack and Client-Server Honeypot based detection.

A. Keylogger Spyware Attack

We have designed an attack scenario for the keylogger spyware attack on a user's system, as shown in figure 2. There are two users accessing various services via the Internet, e.g. online banking and email. A malicious server hosts the keylogger spyware, which enters the system like ordinary application software: it appears to the user as some useful application that he needs, leading him to download it. Once the downloaded program is installed, it starts capturing every keystroke. A log entry is generated for each keystroke (in the spylog file).

The spy script included in the installed malicious software emails this log file to the hacker's specified email address.

Fig. 2. Keylogger Spyware Attack

The red arrows in figure 2 show the entry of the keylogger spyware program into the user's system.

Fig. 3. Transfer (emailing) of confidential information from user's system

Figure 3 shows the automatic email process performed by the spyware script, indicated by the blue arrows. As the end users are unaware of this malicious program functioning within their system, they continue using their online banking account, email account etc., which leads to the theft of their credentials (through the spylog shown in figure 5). The keystroke information in the form of the spylog is sent to the hacker's email address periodically, i.e. every 1 minute. The credentials and confidential information lost can be misused.

Fig. 4. Email sent by Mohammad Wazid to [email protected]

Mohammad Wazid, a system user, sends an email to [email protected] at 3:14 pm, as shown in figure 4.

Fig. 5. Snapshot of spylog file received at [email protected]

The keylogger spyware generates a log file (spylog), shown in figure 5, with an entry for each keystroke. The generated log file contains the user's important credentials, i.e. for Mohammad Wazid the username is wazidkec2005 and the password is [email protected]

Fig. 6. Snapshot of spylog file received at [email protected]

Figure 6 shows the message typed by the user Mohammad Wazid which was sent to [email protected] The typed message was

We have a meeting at 4.00 PM

Thus the entire message is leaked.

Fig. 7. Spyware logs file received at hacker's email account

Figure 7 shows a snapshot of the email received at the hacker's specified address, i.e. [email protected] The spylogs shown in figures 5 and 6 were received at this email id at 3:14 and 3:15 PM respectively.

B. Client-Server Honeypot Based Detection

The proposed technique uses a Client Honeypot and a Server Honeypot. The Client Honeypot is deployed at the client side, where it detects the malicious activity performed by the keylogger spyware if present. This information is reported to the Server Honeypot, where a database is maintained with all the entries of the malicious activities taking place at the client side.

We have deployed the Client Honeypot in the user's system. It monitors the malicious activities of the keylogger spyware and reports them to the Server Honeypot. Each report contains three fields: the timestamp, the IP address of the client system and the process ID of the email sending process.

Fig. 8. Deployment of Honeypot client

Figure 8 shows the keylogger spyware monitoring process performed by the deployed Client Honeypot. The black arrows show the entry of the keylogger spyware into the user's system, which has the Client Honeypot program installed.

Fig. 9. Communication between Client Honeypot and Server Honeypot

Figure 9 shows the communication between the Client Honeypot and the Server Honeypot. The information sent by the Client Honeypot is entered in the database maintained at the Server Honeypot. This database is later used in the inspection process for malicious programs.

Fig. 10. Entries in the maintained database at Server Honeypot

Figure 10 shows a snapshot of the database containing the information sent by the Client Honeypot to the Server Honeypot. This database has three columns: Timestamp, IP address and Process ID of the email sending process.


VI. Proposed Algorithms

For the proposed technique we have designed the following algorithms:

A. Keylogger Spyware Algorithm [1]

Keylogger_Algorithm ( ) {   /* Algorithm for keystroke capturing */
    While (true) {
        OPEN ( )
        GET ( )
        Append the time in the log file.
        Enter the activity into the log file as soon as the valid status of a particular key press or mouse click is observed.
    }
}

Spyware_Algorithm ( ) {   /* Algorithm for emailing */
    While (true) {
        Keylogger_Algorithm ( )
        Select that log file.
        KILL ( )
        Keylogger_Algorithm ( )
    }
}



B. Client Honeypot Algorithm

Honeypot_Client_Algorithm ( )

// TCP processes are those processes that use the TCP protocol at the transport layer of the network's layered architecture
// APPL_SMTP processes are those processes that use the SMTP protocol at the application layer
// BUFFER is a buffer of PIDs that can be implemented with the BufferedReader class of Java at the Client Honeypot
// sleep (2): go into sleep mode for 2 seconds

1. Get the PIDs of all the TCP processes by using the command netstat -o -p.
2. Store the PIDs of the APPL_SMTP processes in BUFFER.
3. if the result of Step-2 is NULL then
       sleep (2)
       GOTO step-1
   else
       GOTO step-4
4. Using a TCP socket, establish the connection with the Server Honeypot.
5. Send the BUFFER content with the timestamp and the client's IP address to the Server Honeypot.
6. Close the connection and GOTO step-1.
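The following Python script is an added example for steps 1, 2, 4 and 5 of the Client Honeypot algorithm; it is not the authors' implementation (which the paper describes in terms of Java's BufferedReader). It parses the output of netstat -o -p tcp (on Windows, -p takes a protocol name, so the page's "netstat -o -p" is completed with tcp), collects into the BUFFER the PIDs of processes holding a TCP connection to an SMTP port, and serialises BUFFER || timestamp || IP address as one JSON line for the socket send. The netstat output is a constructed sample, and the set of ports treated as SMTP (25, 465, 587) and the JSON record layout are this example's own assumptions; the page only says "SMTP".

```python
import json
import re
import socket
from datetime import datetime, timezone

# Assumption (not from the page): remote ports regarded as SMTP. The page
# only says "SMTP protocol at Application Layer".
SMTP_PORTS = {25, 465, 587}

# Constructed sample of "netstat -o -p tcp" output in the Windows layout;
# not captured from a real host. PID 4120 talks to an SMTP server twice.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49712     203.0.113.25:25        ESTABLISHED     4120
  TCP    192.168.1.10:49713     93.184.216.34:443      ESTABLISHED     2208
  TCP    192.168.1.10:49714     203.0.113.25:587       SYN_SENT        4120
  TCP    192.168.1.10:49715     198.51.100.7:80        TIME_WAIT       0
"""

# One connection row: Proto, Local Address, Foreign Address, State, PID.
ROW_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Step 1: return (local, foreign, state, pid) for every TCP row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            local, foreign, state, pid = m.groups()
            rows.append((local, foreign, state, int(pid)))
    return rows


def remote_port(addr):
    """Port of 'host:port' or '[v6addr]:port' as an int."""
    return int(addr.rsplit(":", 1)[1])


def smtp_pids(text):
    """Step 2: the BUFFER, i.e. PIDs of APPL_SMTP processes. PID 0 is the
    unowned/system entry and is skipped. Sorted, without duplicates."""
    pids = set()
    for _local, foreign, _state, pid in parse_netstat(text):
        if pid != 0 and remote_port(foreign) in SMTP_PORTS:
            pids.add(pid)
    return sorted(pids)


def build_report(pids, client_ip, now=None):
    """Step 5: BUFFER || time stamp || IP address as one JSON line
    (the record layout is this example's assumption, not the paper's)."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    return json.dumps({"timestamp": ts, "ip": client_ip, "pids": list(pids)})


def send_report(report_line, server_host, server_port):
    """Steps 4 and 6: open a TCP socket to the Server Honeypot, send, close."""
    with socket.create_connection((server_host, server_port), timeout=5) as s:
        s.sendall(report_line.encode() + b"\n")


if __name__ == "__main__":
    # Step 3: an empty BUFFER means there is nothing to report this round.
    buffer = smtp_pids(SAMPLE_NETSTAT)
    if buffer:
        print(build_report(buffer, "192.168.1.10"))
```

On a real host the SAMPLE_NETSTAT text would be replaced by the captured output of the netstat command, the script would loop with the 2 second sleep from the algorithm, and send_report would be called with the Server Honeypot's address; a legitimate mail client also shows up in the BUFFER, which is why the page leaves the decision to the inspection step at the server rather than to the client.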

C. Server Honeypot Algorithm

Honeypot_Server_Algorithm ( )

// BUFFER is a buffer of PIDs that can be implemented with the BufferedReader class of Java at the Client Honeypot

1. Open a TCP connection with the Client Honeypot.
2. Get the BUFFER content from the client with the timestamp and IP address.
3. Maintain the LOG information at the Server Honeypot and insert BUFFER || time stamp || IP address into this LOG.
4. Close the connection with the Client Honeypot.
5. GOTO step-1.

D. Keylogger Spyware Inspection Algorithm

Keylogger_Spyware_Inspection_Algorithm ( )

// detected_IP_address is the IP address of the client's system stored in the database maintained at the Server Honeypot
// detected_PID is the process ID of the email sending process stored in the database maintained at the Server Honeypot
// time_stamp is the time when the email was sent from the user's system

if detected_IP_address & detected_PID are the same after every nT time_stamp value then
    keylogger spyware is present in the user's system
else
    System is safe
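The following Python code is an added example, not the authors' implementation, covering steps 2 and 3 of the Server Honeypot algorithm together with the inspection algorithm. It keeps the LOG as rows of (timestamp, IP address, PID), ingests report lines in the JSON layout assumed by the client example above (a layout chosen for these examples, not given by the paper), and flags an (IP address, PID) pair whose entries recur every T seconds for n consecutive timestamps, which is the "same after every nT time_stamp value" condition. The period T = 60 s (the one minute interval from Section V), n = 5 and the 5 second tolerance are assumed values, and all sample rows are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone


class HoneypotServerLog:
    """The LOG / database at the Server Honeypot (Fig. 10): one row per
    report and PID, holding Timestamp, IP address and Process ID."""

    def __init__(self):
        self.rows = []   # (timestamp: datetime, ip: str, pid: int)
        self._last = {}  # (ip, pid) -> timestamp of the last stored row

    def insert(self, timestamp, ip, pids, min_gap_s=5):
        """Step 3: insert BUFFER || time stamp || IP address. A PID reported
        again within min_gap_s is the same SMTP connection caught by two
        consecutive 2-second polls of the client, so it is not stored twice."""
        for pid in pids:
            key = (ip, int(pid))
            last = self._last.get(key)
            if last is not None and (timestamp - last).total_seconds() < min_gap_s:
                continue
            self._last[key] = timestamp
            self.rows.append((timestamp, ip, int(pid)))

    def ingest_json_line(self, line):
        """Step 2: one report line from the Client Honeypot, e.g.
        {"timestamp": "2012-01-01T15:14:00+00:00", "ip": "...", "pids": [4120]}"""
        rec = json.loads(line)
        self.insert(datetime.fromisoformat(rec["timestamp"]), rec["ip"], rec["pids"])

    def series(self):
        """Timestamps grouped by (IP address, PID), in time order."""
        groups = defaultdict(list)
        for ts, ip, pid in self.rows:
            groups[(ip, pid)].append(ts)
        return {key: sorted(stamps) for key, stamps in groups.items()}


def log_from_json_lines(lines):
    """Build the LOG from the report lines received over the TCP socket."""
    log = HoneypotServerLog()
    for line in lines:
        log.ingest_json_line(line)
    return log


def is_periodic(timestamps, period_s, n, tolerance_s):
    """True when the last n timestamps are spaced period_s apart (+/- tolerance)."""
    if len(timestamps) < n:
        return False
    recent = timestamps[-n:]
    gaps = [(b - a).total_seconds() for a, b in zip(recent, recent[1:])]
    return all(abs(gap - period_s) <= tolerance_s for gap in gaps)


def inspect_log(log, period_s=60, n=5, tolerance_s=5):
    """Keylogger Spyware Inspection Algorithm: the same detected_IP_address
    and detected_PID recurring after every T seconds for n time_stamp values
    means keylogger spyware is present; otherwise the system is safe.
    Returns the flagged (IP address, PID) pairs."""
    return sorted(key for key, stamps in log.series().items()
                  if is_periodic(stamps, period_s, n, tolerance_s))


def sample_log():
    """Constructed rows: PID 4120 emails every minute (the spyware pattern),
    PID 2208 is a mail client sending twice, PID 3050 sends irregularly."""
    t0 = datetime(2012, 1, 1, 15, 14, tzinfo=timezone.utc)
    log = HoneypotServerLog()
    for sec in (0, 62, 121, 180, 243):            # about 60 s apart
        log.insert(t0 + timedelta(seconds=sec), "192.168.1.10", [4120])
        # the next 2-second poll sees the same connection; dropped by insert()
        log.insert(t0 + timedelta(seconds=sec + 2), "192.168.1.10", [4120])
    for sec in (0, 1560):
        log.insert(t0 + timedelta(seconds=sec), "192.168.1.10", [2208])
    for sec in (0, 10, 310, 355, 955):            # irregular gaps
        log.insert(t0 + timedelta(seconds=sec), "192.168.1.11", [3050])
    return log


if __name__ == "__main__":
    for ip, pid in inspect_log(sample_log()):
        print("keylogger spyware suspected:", ip, "PID", pid)
```

The periodicity test is what separates the spyware's one-minute schedule from a user's mail client, which sends at irregular times; lowering n shortens the time to detection at the cost of more false alarms on clients that happen to send a few messages at a steady pace.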


VII. Conclusion

The attack scenario discussed is very threatening, as it combines two kinds of malware, a keylogger and a spyware. It can steal credentials, and any confidential information typed can be leaked, so the detection and prevention of this attack is crucial. In this paper we have designed a technique that makes use of two kinds of honeypots, a Client Honeypot and a Server Honeypot. The Client Honeypot, deployed at the client's end, monitors the malicious activity going on and reports it to the Server Honeypot. The administrator can inspect the database maintained at the server to carry out the further process of prevention.


VIII. Future Work

The detection of the keylogger spyware attack is completed in this paper. Future work includes the prevention of the keylogger spyware attack using the information sent by the Client Honeypot to the Server Honeypot.