Virtual machine introspection in a hybrid honeypot architecture

Authors:
Tamas K. Lengyel;Justin Neumann;Steve Maresca;Bryan D. Payne;Aggelos Kiayias
Affiliations:
University of Connecticut;University of Connecticut;University of Connecticut;Nebula, Inc.;University of Connecticut
Venue:
CSET'12 Proceedings of the 5th USENIX conference on Cyber Security Experimentation and Test
Year:
2012

Citing 17
Cited 0

When Virtual Is Better Than Real

HOTOS '01 Proceedings of the Eighth Workshop on Hot Topics in Operating Systems
Scalability, fidelity, and containment in the potemkin virtual honeyfarm

Proceedings of the twentieth ACM symposium on Operating systems principles
Argos: an emulator for fingerprinting zero-day attacks for advertised honeypots with automatic signature generation

Proceedings of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems 2006
Intrusion detection using sequences of system calls

Journal of Computer Security
Lares: An Architecture for Secure Active Monitoring Using Virtualization

SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
VNIDA: Building an IDS Architecture Using VMM-Based Non-Intrusive Approach

WKDD '08 Proceedings of the First International Workshop on Knowledge Discovery and Data Mining
Tamper-Resistant, Application-Aware Blocking of Malicious Network Connections

RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Ether: malware analysis via hardware virtualization extensions

Proceedings of the 15th ACM conference on Computer and communications security
Pointless tainting?: evaluating the practicality of pointer tainting

Proceedings of the 4th ACM European conference on Computer systems
Robust signatures for kernel data structures

Proceedings of the 16th ACM conference on Computer and communications security
Cloud security is not (just) virtualization security: a short paper

Proceedings of the 2009 ACM workshop on Cloud computing security
Stealthy malware detection and monitoring through VMM-based “out-of-the-box” semantic view reconstruction

ACM Transactions on Information and System Security (TISSEC)
Advanced honeypot architecture for network threats quantification

Advanced honeypot architecture for network threats quantification
DKSM: Subverting Virtual Machine Introspection for Fun and Profit

SRDS '10 Proceedings of the 2010 29th IEEE Symposium on Reliable Distributed Systems
nEther: in-guest detection of out-of-the-guest malware analyzers

Proceedings of the Fourth European Workshop on System Security
Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection

SP '11 Proceedings of the 2011 IEEE Symposium on Security and Privacy
GQ: practical containment for measuring modern malware systems

Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference

Quantified Score

Hi-index	0.00

Visualization

Abstract

With the recent advent of effective and practical virtual machine introspection tools, we revisit the use of hybrid honeypots as a means to implement automated malware collection and analysis. We introduce VMI-Honeymon, a high-interaction honeypot monitor which uses virtual machine memory introspection on Xen. VMI-Honeymon remains transparent to the monitored virtual machine and bypasses reliance on the untrusted guest kernel by utilizing memory scans for state reconstruction. VMI-Honeymon builds on open-source introspection and forensics tools that provide a rich set of information about intrusion and infection processes while enabling the automatic capture of the associated malware binaries. Our experiments show that using VMI-Honeymon in a hybrid setup expands the range of malware captures and is effective in capturing both known and unclassified malware samples.