Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7873)

Abstract

We present a scalable honeynet system built on Xen that uses virtual machine introspection and cloning to efficiently and effectively detect intrusions and extract the associated malware binaries. By combining forensics tools with live memory introspection, the system resists prior in-guest techniques for detecting the monitoring environment, as well as subversion attacks that try to hide aspects of an intrusion. By using copy-on-write disks and copy-on-write memory to create multiple identical high-interaction honeypot clones, the system relaxes the linear scaling of hardware requirements typically associated with scaling such setups. By employing a novel routing approach, our system eliminates the need for post-cloning network reconfiguration, allowing the clone honeypots to share IP and MAC addresses while providing concurrent and quarantined access to the network. We deployed our system and tested it with live network traffic, demonstrating its effectiveness and scalability.



Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Lengyel, T.K., Neumann, J., Maresca, S., Kiayias, A. (2013). Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning. In: Lopez, J., Huang, X., Sandhu, R. (eds) Network and System Security. NSS 2013. Lecture Notes in Computer Science, vol 7873. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38631-2_13

  • DOI: https://doi.org/10.1007/978-3-642-38631-2_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-38630-5

  • Online ISBN: 978-3-642-38631-2