“Out-of-the-Box” Monitoring of VM-Based High-Interaction Honeypots

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 4637)

Abstract

Honeypots have been an invaluable tool for detecting and analyzing network-based attacks, whether launched by human intruders or by automated malware in the wild. The insight gained from deploying honeypots, especially high-interaction ones, depends largely on how well the honeypots can be monitored. In practice, depending on where the sensors are placed, honeypots are monitored either internally or externally. Internal sensors, deployed inside the monitored honeypot, provide a semantically rich view of system dynamics (e.g., system calls). However, their very presence inside the honeypot makes them visible, tangible, and even subvertible by an attacker after a break-in. Existing external sensors (e.g., network sniffers), by contrast, can be made invisible to the monitored honeypot, but they cannot capture internal system events such as the system calls executed.

It is therefore desirable to have a honeypot monitoring system that is invisible and tamper-resistant, yet capable of recording and understanding the honeypot's internal system events such as system calls. In this paper, we present a virtualization-based system called VMscope that lets us view the internal system events of virtual machine (VM)-based honeypots from outside the honeypots. In particular, by observing and interpreting VM-internal system call events at the virtual machine monitor (VMM) layer, VMscope provides the same deep-inspection capability as traditional inside-the-honeypot monitoring tools (e.g., Sebek) while retaining tamper resistance and invisibility comparable to other external monitoring tools. We have built a proof-of-concept prototype by leveraging and extending a key virtualization technique, binary translation. Our experiments with real-world honeypots show that VMscope is robust against advanced countermeasures that defeat existing internally deployed honeypot monitors, and that it incurs only moderate run-time overhead.
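The VMM-layer interpretation step the abstract describes, as an added illustration that is not code from VMscope or the paper: a toy VMM-side decoder for the i386 `int 0x80` Linux system call ABI. It assumes the VMM has already trapped the guest's system call instruction (which binary translation makes straightforward) and has handed over a snapshot of the guest registers plus read access to a window of guest memory; the `guest_regs` and `guest_mem` layouts, the sample memory contents and the `decode_sample` helper are constructed for this example. The decoder turns raw register state into a semantic record such as open("/etc/passwd", ...) by following guest pointers, and it treats every guest pointer as untrusted, since the attacker inside the honeypot can pass any address.

```c
/* Added example (not VMscope or paper code): a toy VMM-side decoder for the
 * i386 `int 0x80` Linux system call ABI. The VMM has trapped the guest's
 * syscall instruction and hands us a register snapshot plus read access to
 * guest memory; nothing below executes inside the guest. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register snapshot taken by the VMM at the trap (assumed layout). On i386,
 * eax holds the syscall number and ebx/ecx/edx/esi/edi the arguments. */
struct guest_regs { uint32_t eax, ebx, ecx, edx, esi, edi; };

/* A window of guest memory the VMM has mapped: guest-virtual `base`, `len`
 * bytes. A real VMM walks the guest page tables to build this view. */
struct guest_mem { uint32_t base; const uint8_t *data; uint32_t len; };

/* i386 syscall numbers (Linux syscall_32.tbl); only a few are decoded. */
enum { I386_NR_write = 4, I386_NR_open = 5, I386_NR_execve = 11 };

/* Is [gva, gva+n) inside the window? Written to avoid 32-bit wraparound. */
static int gva_in_window(const struct guest_mem *m, uint32_t gva, uint32_t n) {
    return gva >= m->base && n <= m->len && gva - m->base <= m->len - n;
}

/* Read a little-endian 32-bit value (e.g. an argv[] slot) from guest memory. */
static int read_guest_u32(const struct guest_mem *m, uint32_t gva, uint32_t *val) {
    if (!gva_in_window(m, gva, 4)) return -1;
    const uint8_t *p = m->data + (gva - m->base);
    *val = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return 0;
}

/* Copy a NUL-terminated string out of guest memory. Returns its length, or -1 if
 * the pointer is outside the window or the string never terminates (untrusted). */
static int read_guest_str(const struct guest_mem *m, uint32_t gva, char *out, size_t outsz) {
    out[0] = '\0';
    if (!gva_in_window(m, gva, 1)) return -1;
    for (size_t i = 0; gva - m->base + i < m->len && i + 1 < outsz; i++) {
        out[i] = (char)m->data[gva - m->base + i];
        if (out[i] == '\0') return (int)i;
    }
    out[0] = '\0';
    return -1;
}

/* Render one trapped syscall as a log line; returns the syscall number. */
int decode_syscall(const struct guest_regs *r, const struct guest_mem *m, char *out, size_t outsz) {
    char path[128], arg[64]; size_t n; uint32_t p;
    switch (r->eax) {
    case I386_NR_open:
        if (read_guest_str(m, r->ebx, path, sizeof path) < 0)
            snprintf(out, outsz, "open(<unreadable 0x%08x>, flags=0x%x)", (unsigned)r->ebx, (unsigned)r->ecx);
        else
            snprintf(out, outsz, "open(\"%s\", flags=0x%x)", path, (unsigned)r->ecx);
        break;
    case I386_NR_execve: /* ebx -> filename, ecx -> argv[]: a pointer chase through guest memory */
        if (read_guest_str(m, r->ebx, path, sizeof path) < 0) strcpy(path, "<unreadable>");
        n = (size_t)snprintf(out, outsz, "execve(\"%s\", [", path);
        for (int i = 0; i < 8 && n < outsz; i++) {
            if (read_guest_u32(m, r->ecx + 4u * (uint32_t)i, &p) < 0 || p == 0) break;
            if (read_guest_str(m, p, arg, sizeof arg) < 0) break;
            n += (size_t)snprintf(out + n, outsz - n, "%s\"%s\"", i ? ", " : "", arg);
        }
        if (n < outsz) snprintf(out + n, outsz - n, "])");
        break;
    case I386_NR_write:
        snprintf(out, outsz, "write(fd=%u, buf=0x%08x, len=%u)", (unsigned)r->ebx, (unsigned)r->ecx, (unsigned)r->edx);
        break;
    default:
        snprintf(out, outsz, "syscall %u(0x%x, 0x%x, 0x%x)", (unsigned)r->eax, (unsigned)r->ebx, (unsigned)r->ecx, (unsigned)r->edx);
    }
    return (int)r->eax;
}

/* Constructed sample window at guest address 0xbffff000 (not a real capture): "/etc/passwd"
 * at +0x00, "/bin/sh" at +0x10, "-c" at +0x18, "id" at +0x20, argv[] {+0x10,+0x18,+0x20,NULL} at +0x30. */
static const uint8_t sample_bytes[64] = {
    '/','e','t','c','/','p','a','s','s','w','d',0, 0,0,0,0,
    '/','b','i','n','/','s','h',0, '-','c',0, 0,0,0,0,0,
    'i','d',0, 0,0,0,0,0, 0,0,0,0,0,0,0,0,
    0x10,0xf0,0xff,0xbf, 0x18,0xf0,0xff,0xbf, 0x20,0xf0,0xff,0xbf, 0,0,0,0,
};
static const struct guest_mem sample_mem = { 0xbffff000u, sample_bytes, sizeof sample_bytes };

/* Decode one trap against the sample window; returns a static log line. */
const char *decode_sample(uint32_t eax, uint32_t ebx, uint32_t ecx, uint32_t edx) {
    static char line[256];
    struct guest_regs r = { eax, ebx, ecx, edx, 0, 0 };
    decode_syscall(&r, &sample_mem, line, sizeof line);
    return line;
}

int main(void) {
    puts(decode_sample(I386_NR_open, 0xbffff000u, 0, 0));            /* open("/etc/passwd", flags=0x0) */
    puts(decode_sample(I386_NR_execve, 0xbffff010u, 0xbffff030u, 0)); /* execve("/bin/sh", [...]) */
    puts(decode_sample(I386_NR_open, 0xdeadbeefu, 0, 0));            /* pointer outside the window */
    return 0;
}
```

Nothing here runs inside the guest, which is the point: unhooking or restoring the guest's system call table, the usual way in-guest monitors such as Sebek are defeated, changes nothing about what the VMM sees at the trap. Two caveats the toy glosses over: a real decoder has to translate guest-virtual to guest-physical addresses through the guest's page tables (and cope with pages that are not present), and syscall numbers and argument registers are tied to the guest ABI (i386 `int 0x80` here; the 64-bit `syscall` ABI uses different numbers and registers).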


Editor information

Christopher Kruegel Richard Lippmann Andrew Clark

Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Jiang, X., Wang, X. (2007). “Out-of-the-Box” Monitoring of VM-Based High-Interaction Honeypots. In: Kruegel, C., Lippmann, R., Clark, A. (eds) Recent Advances in Intrusion Detection. RAID 2007. Lecture Notes in Computer Science, vol 4637. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74320-0_11

  • DOI: https://doi.org/10.1007/978-3-540-74320-0_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-74319-4

  • Online ISBN: 978-3-540-74320-0
