Virtual Machine Introspection in a Hybrid Honeypot Architecture

Tamas K. Lengyel; Justin Neumann; Steve Maresca; Bryan D. Payne; Aggelos Kiayias

Virtual Machine Introspection in a Hybrid Honeypot Architecture

Tamas K. Lengyel, Justin Neumann, Steve Maresca, Bryan D. Payne, Aggelos Kiayias

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

With the recent advent of effective and practical virtual machine introspection tools, we revisit the use of hybrid honeypots as a means to implement automated malware collection and analysis. We introduce VMI-Honeymon, a high-interaction honeypot monitor which uses virtual machine memory introspection on Xen. VMI-Honeymon remains transparent to the monitored virtual machine and bypasses reliance on the untrusted guest kernel by utilizing memory scans for state reconstruction. VMI-Honeymon builds on open-source introspection and forensics tools that provide a rich set of information about intrusion and infection processes while enabling the automatic capture of the associated malware binaries. Our experiments show that using VMI-Honeymon in a hybrid setup expands the range of mal-ware captures and is effective in capturing both known and unclassified malware samples.

Log in or Register to post comments

Original language	English
Title of host publication	5th Workshop on Cyber Security Experimentation and Test, CSET '12, Bellevue, WA, USA, August 6, 2012
Number of pages	8
Publication status	Published - 2012

Access to Document

cset12-final14Final published version, 203 KB

https://www.usenix.org/conference/cset12/workshop-program/presentation/lengyel

Cite this

@inproceedings{d617253f92694ebf8cc0c67c5958074f,

title = "Virtual Machine Introspection in a Hybrid Honeypot Architecture",

abstract = "With the recent advent of effective and practical virtual machine introspection tools, we revisit the use of hybrid honeypots as a means to implement automated malware collection and analysis. We introduce VMI-Honeymon, a high-interaction honeypot monitor which uses virtual machine memory introspection on Xen. VMI-Honeymon remains transparent to the monitored virtual machine and bypasses reliance on the untrusted guest kernel by utilizing memory scans for state reconstruction. VMI-Honeymon builds on open-source introspection and forensics tools that provide a rich set of information about intrusion and infection processes while enabling the automatic capture of the associated malware binaries. Our experiments show that using VMI-Honeymon in a hybrid setup expands the range of mal-ware captures and is effective in capturing both known and unclassified malware samples.Log in or Register to post comments",

author = "Lengyel, {Tamas K.} and Justin Neumann and Steve Maresca and Payne, {Bryan D.} and Aggelos Kiayias",

year = "2012",

language = "English",

booktitle = "5th Workshop on Cyber Security Experimentation and Test, CSET '12, Bellevue, WA, USA, August 6, 2012",

}

TY - GEN

T1 - Virtual Machine Introspection in a Hybrid Honeypot Architecture

AU - Lengyel, Tamas K.

AU - Neumann, Justin

AU - Maresca, Steve

AU - Payne, Bryan D.

AU - Kiayias, Aggelos

PY - 2012

Y1 - 2012

N2 - With the recent advent of effective and practical virtual machine introspection tools, we revisit the use of hybrid honeypots as a means to implement automated malware collection and analysis. We introduce VMI-Honeymon, a high-interaction honeypot monitor which uses virtual machine memory introspection on Xen. VMI-Honeymon remains transparent to the monitored virtual machine and bypasses reliance on the untrusted guest kernel by utilizing memory scans for state reconstruction. VMI-Honeymon builds on open-source introspection and forensics tools that provide a rich set of information about intrusion and infection processes while enabling the automatic capture of the associated malware binaries. Our experiments show that using VMI-Honeymon in a hybrid setup expands the range of mal-ware captures and is effective in capturing both known and unclassified malware samples.Log in or Register to post comments

AB - With the recent advent of effective and practical virtual machine introspection tools, we revisit the use of hybrid honeypots as a means to implement automated malware collection and analysis. We introduce VMI-Honeymon, a high-interaction honeypot monitor which uses virtual machine memory introspection on Xen. VMI-Honeymon remains transparent to the monitored virtual machine and bypasses reliance on the untrusted guest kernel by utilizing memory scans for state reconstruction. VMI-Honeymon builds on open-source introspection and forensics tools that provide a rich set of information about intrusion and infection processes while enabling the automatic capture of the associated malware binaries. Our experiments show that using VMI-Honeymon in a hybrid setup expands the range of mal-ware captures and is effective in capturing both known and unclassified malware samples.Log in or Register to post comments

M3 - Conference contribution

BT - 5th Workshop on Cyber Security Experimentation and Test, CSET '12, Bellevue, WA, USA, August 6, 2012

ER -

Virtual Machine Introspection in a Hybrid Honeypot Architecture

Abstract

Access to Document

Fingerprint

Cite this