Time-Traveling Forensic Analysis of VM-Based High-Interaction Honeypots
Authors
Abstract
Honeypots have proven to be an effective tool to capture computer intrusions (or malware infections) and analyze their exploitation techniques. However, forensic analysis of compromised honeypots is largely an ad-hoc and manual process. In this paper, we propose Timescope, a system that applies and extends recent advances in deterministic record and replay to high-interaction honeypots for extensible, fine-grained forensic analysis. In particular, we propose and implement a number of systematic analysis modules in Timescope, including contamination graph generator, transient evidence recoverer, shellcode extractor and break-in reconstructor, to facilitate honeypot forensics. These analysis modules can “travel back in time” to investigate various aspects of computer intrusions or malware infections during different execution time windows. We have developed Timescope based on the open-source QEMU virtual machine monitor and the evaluation with a number of real malware infections shows the practicality and effectiveness of Timescope.
Similar resources
"Out-of-the-Box" Monitoring of VM-Based High-Interaction Honeypots
The honeypot has been an invaluable tool for the detection and analysis of network-based attacks by either human intruders or automated malware in the wild. The insights obtained by deploying honeypots, especially high-interaction ones, largely rely on the monitoring capability on the honeypots. In practice, based on the location of sensors, honeypots can be monitored either internally or externall...
Cloud Computing Log Evidence Forensic Examination Analysis
Forensic analysis in the context of physical evidence is a relatively mature field. The computerization of society has led to the emergence of digital forensics and now the popularity of cloud computing has sparked interest into cloud forensics. Our goal in this paper is to enable cloud forensics, by using the theory of abstraction layers to describe the purpose and goals of virtual machine (VM...
Shear-Flexural Interaction in Analysis of Reduced Web Section Beams using VM Link Element
Reduced web section beams in shear-yielding moment-resistant steel frames are used for dissipating earthquake energy. Finite element analysis indicates that the failure mode of these beams is governed by the combination of shear force and flexural moment. Therefore the analysis of frames with reduced web section beams needs to consider shear-flexural interaction in those sections. In ...
Collapsar: A VM-based honeyfarm and reverse honeyfarm architecture for network attack capture and detention
The honeypot has emerged as an effective tool to provide insights into new attacks and exploitation trends. However, a single honeypot or multiple independently operated honeypots only provide limited local views of network attacks. Coordinated deployment of honeypots in different network domains not only provides broader views, but also creates opportunities for early network anomaly detection, ...
Web Application Risk Awareness with High Interaction Honeypots
With the evolution of the Web 2.0, many companies are deploying their business on the Internet using web applications. These applications have security requirements, so there is inherent risk involved. Risk awareness provides information about how to act to mitigate this same risk. This paper presents an experiment with a collection of high interaction web honeypots running multiple application...