Virtual Machine Introspection in a Hybrid Honeypot Architecture
Authors
Abstract
With the recent advent of effective and practical virtual machine introspection tools, we revisit the use of hybrid honeypots as a means to implement automated malware collection and analysis. We introduce VMI-Honeymon, a high-interaction honeypot monitor which uses virtual machine memory introspection on Xen. VMI-Honeymon remains transparent to the monitored virtual machine and avoids reliance on the untrusted guest kernel by using memory scans, rather than the kernel's own data structures, for state reconstruction. VMI-Honeymon builds on open-source introspection and forensics tools that provide a rich set of information about intrusion and infection processes while enabling the automatic capture of the associated malware binaries. Our experiments show that using VMI-Honeymon in a hybrid setup expands the range of malware captures and is effective in capturing both known and unclassified malware samples.
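The abstract's key design point is that the monitor reconstructs guest state by scanning raw memory instead of trusting the guest kernel's bookkeeping, so a process that a rootkit has unlinked from the kernel's process list (DKOM) still shows up. The following added example, which is not code from the VMI-Honeymon paper or from LibVMI/Volatility, illustrates that cross-view idea on a constructed memory image: a list walk gives the kernel's view, a tag scan gives the memory view, and the difference is the hidden process. The 32-byte "Proc" record layout, the hypothetical process names and the DKOM simulation are assumptions invented for illustration and do not correspond to any real operating system structure.

```python
"""Cross-view (list walk vs. memory scan) process detection on a constructed
guest memory image. Added illustration; not the paper's or any tool's code.
Record layout (assumed, not any real OS): tag(4) | pid(u32) | next(u32) | name(20)
"""
import struct

TAG = b"Proc"
REC_FMT = "<4sII20s"          # little-endian: tag, pid, next offset, name
REC_SIZE = struct.calcsize(REC_FMT)   # 32 bytes


def build_image(procs, hidden, size=4096, base=0x100):
    """Lay out process records in a flat 'guest memory' buffer.

    procs:  list of (pid, name) in the order they were created.
    hidden: pids a simulated DKOM rootkit unlinked from the kernel list.
    Hidden records stay resident in memory; only the list skips them.
    Returns (image bytes, offset of the list head).
    """
    img = bytearray(size)
    offsets = [base + i * 64 for i in range(len(procs))]   # slack between records
    visible = [i for i, (pid, _) in enumerate(procs) if pid not in hidden]
    for idx, (pid, name) in enumerate(procs):
        if pid in hidden:
            nxt = 0                                    # unlinked by the rootkit
        else:
            pos = visible.index(idx)
            nxt = offsets[visible[pos + 1]] if pos + 1 < len(visible) else 0
        struct.pack_into(REC_FMT, img, offsets[idx], TAG, pid, nxt, name.encode())
    head = offsets[visible[0]] if visible else 0
    return bytes(img), head


def walk_list(img, head, max_steps=1024):
    """Untrusted view: follow the guest kernel's own linked list from its head."""
    seen = {}
    off, steps = head, 0
    while off and steps < max_steps:                   # bound against cyclic lists
        tag, pid, nxt, name = struct.unpack_from(REC_FMT, img, off)
        if tag != TAG:
            raise ValueError(f"list pointer {off:#x} does not point at a record")
        seen[pid] = name.rstrip(b"\0").decode()
        off, steps = nxt, steps + 1
    return seen


def scan_memory(img):
    """Memory view: carve records by tag, ignoring the kernel's links entirely."""
    found = {}
    off = img.find(TAG)
    while off != -1:
        if off + REC_SIZE <= len(img):
            tag, pid, nxt, name = struct.unpack_from(REC_FMT, img, off)
            clean = name.rstrip(b"\0")
            # Minimal sanity check so a stray tag inside other data is not
            # mistaken for a record: non-zero pid and a printable name.
            if pid and clean and all(32 <= b < 127 for b in clean):
                found[pid] = clean.decode()
        off = img.find(TAG, off + 1)
    return found


def cross_view(img, head):
    """Present in memory but absent from the kernel list = hidden process."""
    listed = walk_list(img, head)
    scanned = scan_memory(img)
    return {pid: scanned[pid] for pid in scanned if pid not in listed}


if __name__ == "__main__":
    # Constructed sample: four processes, one of which a rootkit hides.
    procs = [(4, "System"), (312, "svchost.exe"),
             (1337, "dropper.exe"), (2048, "explorer.exe")]
    img, head = build_image(procs, hidden={1337})
    print("kernel list view:", walk_list(img, head))
    print("memory scan view:", scan_memory(img))
    print("hidden processes:", cross_view(img, head))
```

Real introspection adds two things this toy leaves out: the scan runs against the guest's physical memory as exposed by the hypervisor (so the guest cannot tamper with what the monitor reads), and record validation is far stricter, since carving on a short tag alone produces false positives on a real image.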
Related references
Polymorphic Worms Collection in Cloud Computing
In the past few years, computer worms have come to be seen as one of the significant challenges of cloud computing. Worms are rapidly changing and getting more sophisticated to evade detection. One major issue in defending against computer worms is collecting worms' payloads to generate their signatures and study their behavior. To collect worms' payloads, we identified challenges for detecting and collecting worm...
Virtual Machine Introspection with Xen on ARM
In the recent years, virtual machine introspection (VMI) has become a valuable technique for developing security applications for virtualized environments. With the increasing popularity of the ARM architecture, and the recent addition of hardware virtualization extensions, there is a growing need for porting existing VMI tools. Porting these applications requires proper hypervisor support, whi...
Honeypot architectures for IPv6 networks
The decrease of available IPv4 addresses and the requirement for new features demand that Internet service providers deploy IPv6 networks. It is not a question of whether but when new network attacks targeting this comparatively new protocol will appear. Virtual honeypots provide an important tool for the observation of assaults in computer networks. In contrast to intrusion detection sys...
Collapsar: A VM-based honeyfarm and reverse honeyfarm architecture for network attack capture and detention
The honeypot has emerged as an effective tool to provide insights into new attacks and exploitation trends. However, a single honeypot or multiple independently operated honeypots only provide limited local views of network attacks. Coordinated deployment of honeypots in different network domains not only provides broader views, but also creates opportunities for early network anomaly detection, ...
EXTERIOR: Using Dual-VM Based External Shell for Guest-OS Introspection, Configuration, and Recovery
This paper presents EXTERIOR, a dual-VM architecture based external shell that can be used for trusted, timely out-of-VM management of guest-OS such as introspection, configuration, and recovery. Inspired by recent advances in virtual machine introspection (VMI), EXTERIOR leverages an isolated, secure virtual machine (SVM) to introspect the kernel state of a guest virtual machine (GVM). However...