Abstract
Modern virtual machines, debuggers, and sandboxing solutions offer increasingly inconspicuous ways to run honeypots and to observe and analyze malware and other malicious activity. This analysis yields valuable data for threat assessment, malware identification and prevention. However, the use of such introspection methods has led malware authors to create malicious programs that can detect and evade such environments. This paper presents an overview of existing research on anti-honeypot and anti-introspection methods. We also propose our own taxonomy of the detection vectors used by malware.
The authors gratefully acknowledge Tekes – the Finnish Funding Agency for Innovation, DIMECC Oy and Cyber Trust research program for their support.
© 2017 Springer International Publishing AG
Uitto, J., Rauti, S., Laurén, S., Leppänen, V. (2017). A Survey on Anti-honeypot and Anti-introspection Methods. In: Rocha, Á., Correia, A., Adeli, H., Reis, L., Costanzo, S. (eds) Recent Advances in Information Systems and Technologies. WorldCIST 2017. Advances in Intelligent Systems and Computing, vol 570. Springer, Cham. https://doi.org/10.1007/978-3-319-56538-5_13
DOI: https://doi.org/10.1007/978-3-319-56538-5_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-56537-8
Online ISBN: 978-3-319-56538-5