Detecting indicators of deception in emulated monitoring systems

  • Kon Papazis
  • Naveen ChilamkurtiEmail author
Special Issue Paper


There has been a proliferation of cyber attacks in the form of malware manifestations, Botnet attacks and intruder access to unauthorized systems due to a larger attack surface available to threat actors. Security researchers leverage computer systems to monitor and analyze security threats in order to secure their data. Some of the security tools employed by security analysts are Honeypots, virtual machines, sandboxes and debuggers referred to as emulated monitoring systems (EMS). However, threat actors are working hard at reducing the efficacy of EMS by exploiting the inherent limitations of these security tools. They have employed various detection techniques to reveal EMS artifacts referred to as indicators of deception. In this paper, we investigate the level of EMS evasive measures and provide a taxonomy on the indictors of deception in EMS to gain an insight into the broad range of detection vectors available to threat actors. This would enhance EMS as a formidable weapon in the continuing struggle against threat actors, resulting in an improved detection of advanced malware samples and higher detection of intrusions.


Debugger EMS Indicators of deception Honeypot Sandbox and virtual machine 



The research work reported here was made possible by the Defence Science Institute Grant G22015SChilamkurtiLaT023, an initiative of the State Government of Victoria.


  1. 1.
    Gandotra E (2014) Malware analysis and classification: a survey. J Inf Secur 5:56–64Google Scholar
  2. 2.
    Spitzner L (2002) Honeypots: tracking hackers. Addison-Wesley Longman Publishing Co. Inc., BostonGoogle Scholar
  3. 3.
    Omella AA (2006) Methods for virtual machine detection. Accessed May 2017
  4. 4.
    Marpaung JA, Sain M, Lee H-J (2012) Survey on malware evasion techniques: State of the art and challenges. In: 2012 14th international conference on advanced communication technology (ICACT). IEEEGoogle Scholar
  5. 5.
    Kolbitsch C, Kirda E, Kruegel C (2011) The power of procrastination: detection and mitigation of execution-stalling malicious code. In Proceedings of the 18th ACM conference on computer and communications security. ACMGoogle Scholar
  6. 6.
    Minerva-labs (2018) minerva labs research report: 2017 year in review. Accessed 25 Nov 2018
  7. 7.
    Uitto J, et al. (2017) A survey on anti-honeypot and anti-introspection methods. In: World conference on information systems and technologies. SpringerGoogle Scholar
  8. 8.
    Keragala D (2016) Detecting malware and sandbox evasion techniques. SANS Institute InfoSec reading room. Accessed Dec 2018
  9. 9.
    Cohen F (1998) The deception toolkit. Accessed May 2017
  10. 10.
    Symantec (2008) A guide to different kinds of honeypots. Accessed May 2017
  11. 11.
    Akkaya D,. Thalgott F (2010). Honeypots in network security. Accessed May 2017
  12. 12.
    Gorzelak K, et al. (2011) Proactive detection of network security incidents. In: Belasovs A (ed) ENISA report. Accessed June 2017
  13. 13.
    Riden J (2008) Server honeypots vs client honeypots. Accessed June 2017
  14. 14.
    Campbell S, Jeronimo M (2006) An introduction to virtualization. Published in “Applied Virtualization”, Intel, pp 1–15Google Scholar
  15. 15.
    Goldberg RP (1972) Architectural principles for virtual computer systems. Ph.D thesis, Harvard UniversityGoogle Scholar
  16. 16.
    Marshall D (2007) Understanding full virtualization, paravirtualization, and hardware assist. VMWare White Paper. Accessed June 2017
  17. 17.
    Barham P, et al. (2003) Xen and the art of virtualization. In: ACM SIGOPS operating systems review. ACMGoogle Scholar
  18. 18.
    Rodríguez-Haro F et al (2012) A summary of virtualization techniques. Proc Technol 3:267–272CrossRefGoogle Scholar
  19. 19.
    Morabito R, Kjällman J, Komu M (2015) Hypervisors vs. lightweight virtualization: a performance comparison. In 2015 IEEE international conference on cloud engineering (IC2E). IEEEGoogle Scholar
  20. 20.
    Sikorski M, Honig A (2012) Practical malware analysis: the hands-on guide to dissecting malicious software. No starch press, San FranciscoGoogle Scholar
  21. 21.
    Sysman D, Evron G, Sher I (2015) Breaking honeypots for fun and profit. Talk at Blackhat, vol 8Google Scholar
  22. 22.
    Valli C (2003) Honeyd-A OS fingerprinting artifice. In: Proceedings of Australian computer, network and information forensics conferenceGoogle Scholar
  23. 23.
    Fu X, et al. (2006) On recognizing virtual honeypots and countermeasures. In: 2nd IEEE international symposium on dependable, autonomic and secure computing. IEEEGoogle Scholar
  24. 24.
    Fu X et al (2005) Camouflaging virtual honeypots. Texas A&M University, College StationGoogle Scholar
  25. 25.
    Mukkamala S, et al. (2007) Detection of virtual environments and low interaction honeypots. In: Information assurance and security workshop, 2007. IAW’07. IEEE SMC. IEEEGoogle Scholar
  26. 26.
    Defibaugh-Chavez P, et al. (2006) Network based detection of virtual environments and low interaction honeypots. In Proceedings of the 2006 IEEE SMC, workshop on information assuranceGoogle Scholar
  27. 27.
    Krawetz N (2004) Anti-honeypot technology. IEEE Secur Priv 2(1):76–79CrossRefGoogle Scholar
  28. 28.
    Zou CC, Cunningham R (2006) Honeypot-aware advanced botnet construction and maintenance. In: International conference on dependable systems and networks, 2006. DSN 2006. IEEEGoogle Scholar
  29. 29.
    Wang P et al (2010) Honeypot detection in advanced botnet attacks. Int J Inf Comput Secur 4(1):30–51Google Scholar
  30. 30.
    Dornseif M, Holz T, Klein CN (2004) Nosebreak-attacking honeynets. In Information assurance workshop, 2004. Proceedings from the fifth annual IEEE SMC. IEEEGoogle Scholar
  31. 31.
    Holz T, Raynal F (2005) Detecting honeypots and other suspicious environments. In Information assurance workshop, 2005. IAW’05. Proceedings from the sixth annual IEEE SMC. IEEEGoogle Scholar
  32. 32.
    Kapravelos A, et al. (2011) Escape from monkey island: evading high-interaction honeyclients. Detection of intrusions and malware, and vulnerability assessment, pp 124–143Google Scholar
  33. 33.
    Innes S, Valli C (2006) Honeypots: how do you know when you are inside one? In: Australian digital forensics conferenceGoogle Scholar
  34. 34.
    Oberheide J, Karir M (2006) Honeyd detection via packet fragmentation. Ann Arbor 1001:48104Google Scholar
  35. 35.
    Popek GJ, Goldberg RP (1974) Formal requirements for virtualizable third generation architectures. Commun ACM 17(7):412–421MathSciNetCrossRefzbMATHGoogle Scholar
  36. 36.
    Jämthagen C, Hell M, Smeets B (2011) A technique for remote detection of certain virtual machine monitors. In International conference on trusted systems. SpringerGoogle Scholar
  37. 37.
    Wang G, et al. (2015) Hypervisor Introspection: a technique for evading passive virtual machine monitoring. In WOOTGoogle Scholar
  38. 38.
    Ho G, et al. (2014) Tick tock: building browser red pills from timing side channels. In Proceedings of the USENIX workshop on offensive technologiesGoogle Scholar
  39. 39.
    Liston T, Skoudis E (2006) On the cutting edge: Thwarting virtual machine detection. Accessed July 2017
  40. 40.
    Miramirkhani N, et al. (2017) Spotless sandboxes: evading malware analysis systems using wear-and-tear artifacts. In IEEE symposium on security and privacyGoogle Scholar
  41. 41.
    Bahram S, et al. (2010) Dksm: subverting virtual machine introspection for fun and profit. In: 2010 29th IEEE symposium on reliable distributed systems. IEEEGoogle Scholar
  42. 42.
    Brengel M, Backes M, Rossow C (2016) Detecting hardware-assisted virtualization. In: Detection of intrusions and malware, and vulnerability assessment. Springer, pp 207–227Google Scholar
  43. 43.
    Quist D, Smith V, Computing O (2006) Detecting the presence of virtual machines using the local data table. Offensive Computing 2006. Accessed July 2017
  44. 44.
    Franklin J et al (2008) Remote detection of virtual machine monitors with fuzzy benchmarking. ACM SIGOPS Oper Syst Rev 42(3):83–92CrossRefGoogle Scholar
  45. 45.
    Paleari R, et al (2009). A fistful of red-pills: How to automatically generate procedures to detect CPU emulators. In: USENIX workshop on offensive technologies (WOOT)Google Scholar
  46. 46.
    Raffetseder T, Kruegel C, Kirda E (2007) Detecting system emulators. In: International conference on information security. SpringerGoogle Scholar
  47. 47.
    Kedrowitsch A, et al. (2017) A first look: using linux containers for deceptive honeypots. In: Proceedings of the 2017 workshop on automated decision making for active cyber defense. ACMGoogle Scholar
  48. 48.
    Yokoyama A, et al. (2016) SandPrint: fingerprinting malware sandboxes to provide intelligence for sandbox evasion. In International symposium on research in attacks, intrusions, and defenses. SpringerGoogle Scholar
  49. 49.
    Ferrand O (2015) How to detect the cuckoo sandbox and to strengthen it? J Comput Virol Hack Tech 11(1):51–58CrossRefGoogle Scholar
  50. 50.
    Alexander Chailytko SS (2016) Defeating sandbox evasion: how to increase the successful emulation rate in your virtual environment. Accessed Sep 2018
  51. 51.
    Issa A (2012) Anti-virtual machines and emulations. J Comput Virol 8(4):141–149CrossRefGoogle Scholar
  52. 52.
    Chen X, et al. (2008) Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In: IEEE international conference on dependable systems and networks with fTCS and DCC, 2008. DSN 2008. IEEEGoogle Scholar
  53. 53.
    Dahbul R, Lim C, Purnama J (2017) Enhancing honeypot deception capability through network service fingerprinting. In: Journal of physics: conference series. IOP PublishingGoogle Scholar
  54. 54.
    Garfinkel T, Rosenblum M (2003) A Virtual Machine Introspection Based Architecture for Intrusion Detection. In: Proceedings of network and distributed systems security symposiumGoogle Scholar
  55. 55.
    Garfinkel T, et al. (2007) Compatibility is not transparency: VMM detection myths and realities. In: Proceedings of the 11th workshop on hot topics in operating systems (HotOS-XI)Google Scholar
  56. 56.
    Ferrie P (2017) Attacks on more virtual machine emulators. Symantec technology exchange 2007. Accessed Dec 2017

Copyright information

© Springer-Verlag London Ltd., part of Springer Nature 2019

Authors and Affiliations

  1. 1.La Trobe UniversityVictoriaAustralia

Personalised recommendations