Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning

Tamas K. Lengyel, Justin Neumann, Steve Maresca, Aggelos Kiayias

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Abstract / Description of output

We present a scalable honeynet system built on Xen using virtual machine introspection and cloning techniques to efficiently and effectively detect intrusions and extract associated malware binaries. By melding forensics tools with live memory introspection, the system is resistant to prior in-guest detection techniques of the monitoring environment and to subversion attacks that may try to hide aspects of an intrusion. By utilizing both copy-on-write disks and memory to create multiple identical high-interaction honeypot clones, the system relaxes the linear scaling of hardware requirements typically associated with scaling such setups. By employing a novel routing approach, our system eliminates the need for post-cloning network reconfiguration, allowing the clone honeypots to share IP and MAC addresses while providing concurrent and quarantined access to the network. We deployed our system and tested it with live network traffic, demonstrating its effectiveness and scalability.
Original language: English
Title of host publication: Network and System Security - 7th International Conference
Subtitle of host publication: NSS 2013, Madrid, Spain, June 3-4, 2013. Proceedings
Publisher: Springer
Pages: 164-177
Number of pages: 14
ISBN (Electronic): 978-3-642-38631-2
ISBN (Print): 978-3-642-38630-5
Publication status: Published - 2013

Publication series

Name: Lecture Notes in Computer Science (LNCS)
Publisher: Springer Berlin Heidelberg
Volume: 7873
ISSN (Print): 0302-9743
