Virtual Machine Introspection in a Hybrid Honeypot Architecture

Tamas K. Lengyel, Justin Neumann, Steve Maresca, Bryan D. Payne, Aggelos Kiayias

Research output: Chapter in Book/Report/Conference proceedingConference contribution


With the recent advent of effective and practical virtual machine introspection tools, we revisit the use of hybrid honeypots as a means to implement automated malware collection and analysis. We introduce VMI-Honeymon, a high-interaction honeypot monitor which uses virtual machine memory introspection on Xen. VMI-Honeymon remains transparent to the monitored virtual machine and bypasses reliance on the untrusted guest kernel by utilizing memory scans for state reconstruction. VMI-Honeymon builds on open-source introspection and forensics tools that provide a rich set of information about intrusion and infection processes while enabling the automatic capture of the associated malware binaries. Our experiments show that using VMI-Honeymon in a hybrid setup expands the range of mal-ware captures and is effective in capturing both known and unclassified malware samples.

Log in or Register to post comments
Original languageEnglish
Title of host publication5th Workshop on Cyber Security Experimentation and Test, CSET '12, Bellevue, WA, USA, August 6, 2012
Number of pages8
Publication statusPublished - 2012


Dive into the research topics of 'Virtual Machine Introspection in a Hybrid Honeypot Architecture'. Together they form a unique fingerprint.

Cite this