Virtual Machine Introspection in a Hybrid Honeypot Architecture

نویسندگان

  • Tamas K. Lengyel
  • Justin Neumann
  • Steve Maresca
  • Bryan D. Payne
  • Aggelos Kiayias
چکیده

With the recent advent of effective and practical virtual machine introspection tools, we revisit the use of hybrid honeypots as a means to implement automated malware collection and analysis. We introduce VMIHoneymon, a high-interaction honeypot monitor which uses virtual machine memory introspection on Xen. VMI-Honeymon remains transparent to the monitored virtual machine and bypasses reliance on the untrusted guest kernel by utilizing memory scans for state reconstruction. VMI-Honeymon builds on open-source introspection and forensics tools that provide a rich set of information about intrusion and infection processes while enabling the automatic capture of the associated malware binaries. Our experiments show that using VMIHoneymon in a hybrid setup expands the range of malware captures and is effective in capturing both known and unclassified malware samples.

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

منابع مشابه

Polymorphic Worms Collection in Cloud Computing

In the past few years, computer worms are seen as one of significant challenges of cloud computing. Worms are rapidly changing and getting more sophisticated to evade detection. One major issue to defend against computer worms is collecting worms’ payloads to generate their signature and study their behavior. To collect worms’ payloads, we identified challenges for detecting and collecting worm...

متن کامل

Virtual Machine Introspection with Xen on ARM

In the recent years, virtual machine introspection (VMI) has become a valuable technique for developing security applications for virtualized environments. With the increasing popularity of the ARM architecture, and the recent addition of hardware virtualization extensions, there is a growing need for porting existing VMI tools. Porting these applications requires proper hypervisor support, whi...

متن کامل

Honeypot architectures for IPv6 networks

The decrease of available IPv4 addresses and the requirement for new features demands Internet service providers to deploy IPv6 networks. It is not a question of if, but when new network attacks will appear, which target the comparatively new network protocol. Virtual honeypots provide an important tool for the observation of assaults in computer networks. In contrast to intrusion detection sys...

متن کامل

Collapsar: A VM-based honeyfarm and reverse honeyfarm architecture for network attack capture and detention

The honeypot has emerged as an effective tool to provide insights into new attacks and exploitation trends. However, a single honeypot or multiple independently operated honeypots only provide limited local views of network attacks. Coordinated deployment of honeypots in different network domains not only provides broader views, but also create opportunities of early network anomaly detection, ...

متن کامل

EXTERIOR: Using Dual-VM Based External Shell for Guest-OS Introspection, Configuration, and Recovery

This paper presents EXTERIOR, a dual-VM architecture based external shell that can be used for trusted, timely out-of-VM management of guest-OS such as introspection, configuration, and recovery. Inspired by recent advances in virtual machine introspection (VMI), EXTERIOR leverages an isolated, secure virtual machine (SVM) to introspect the kernel state of a guest virtual machine (GVM). However...

متن کامل

ذخیره در منابع من


  با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

عنوان ژورنال:

دوره   شماره 

صفحات  -

تاریخ انتشار 2012