research-article

Virtual Machine Introspection Based SSH Honeypot

Authors:

Stewart Sentanoe,

Benjamin Taubmann,

Hans P. ReiserAuthors Info & Claims

SHCIS '17: Proceedings of the 4th Workshop on Security in Highly Connected IT Systems

Pages 13 - 18

https://doi.org/10.1145/3099012.3099016

Published: 19 June 2017 Publication History

Abstract

A honeypot provides information about the new attack and exploitation methods and allows analyzing the adversary's activities during or after exploitation. One way of an adversary to communicate with a server is via secure shell (SSH). SSH provides secure login, file transfer, X11 forwarding, and TCP/IP connections over untrusted networks. SSH is a preferred target for attacks, as it is frequently used with password-based authentication, and weak passwords are easily exploited using brute-force attacks.

In this paper, we introduce a Virtual Machine Introspection based SSH honeypot. We discuss the design of the system and how to extract valuable information such as the credential used by the attacker and the entered commands. Our experiments show that the system is able to detect the adversary's activities during and after exploitation, and it has advantages compared to currently used SSH honeypot approaches.

References

[1]

Michael Armbrust, Armando Fox, Rean Griffith, Anthony D Joseph, Randy Katz, Andy Konwinski, Gunho Lee, David Patterson, Ariel Rabkin, Ion Stoica, and others. 2010. A view of cloud computing. Commun. ACM 53, 4 (2010), 50--58.

Digital Library

[2]

Stefan Axelsson. 2000. Intrusion detection systems: A survey and taxonomy. Technical Report 99-15. Chalmers University of Technology, Sweden.

[3]

Daniel J Barrett and Richard E Silverman. 2001. SSH, the Secure Shell: the definitive guide. O'Reilly Media, Inc.

Digital Library

[4]

Artem Dinaburg, Paul Royal, Monirul Sharif, and Wenke Lee. 2008. Ether: malware analysis via hardware virtualization extensions. In Proceedings of the 15th ACM conference on Computer and communications security. ACM, 51--62.

Digital Library

[5]

Wenjun Fan, Zhihui Du, and David Fernandez. 2015. Taxonomy of honeynet solutions. In SAI Intelligent Systems Conference (IntelliSys), 2015. IEEE, 1002--1009.

[6]

Tal Garfinkel, Mendel Rosenblum, and others. 2003. A Virtual Machine Introspection Based Architecture for Intrusion Detection. In NDSS, Vol. 3. 191--206.

[7]

Steven A Hofmeyr, Stephanie Forrest, and Anil Somayaji. 1998. Intrusion detection using sequences of system calls. Journal of computer security 6, 3 (1998), 151--180.

Digital Library

[8]

Xuxian Jiang, Xinyuan Wang, and Dongyan Xu. 2010. Stealthy malware detection and monitoring through VMM-based "out-of-the-box" semantic view reconstruction. ACM Transactions on Information and System Security (TISSEC) 13, 2 (2010), 12.

Digital Library

[9]

Andrew P Kosoresow and Steven A Hofmeyr. 1997. Intrusion detection via system call traces. IEEE software 14, 5 (1997), 35.

Digital Library

[10]

Tamas K Lengyel, Justin Neumann, Steve Maresca, Bryan D Payne, and Aggelos Kiayias. 2012. Virtual Machine Introspection in a Hybrid Honeypot Architecture. In Cyber Security Experiment and Test (CSET).

Digital Library

[11]

Jonas Pfoh, Christian Schneider, and Claudia Eckert. 2009. A formal model for virtual machine introspection. In Proceedings of the 1st ACM workshop on Virtual machine security. ACM, 1--10.

Digital Library

[12]

Jonas Pfoh, Christian Schneider, and Claudia Eckert. 2011. Nitro: Hardware-based system call tracing for virtual machines. In International Workshop on Security. Springer, 96--112.

Digital Library

[13]

Niels Provos and others. 2004. A Virtual Honeypot Framework. In USENIX Security Symposium, Vol. 173. 1--14.

Digital Library

[14]

Thomas H Ptacek and Timothy N Newsham. 1998. Insertion, evasion, and denial of service: Eluding network intrusion detection. Technical Report. DTIC Document.

[15]

Lance Spitzner. 2002. Honeypots: Tracking hackers. Addison Wesley Professional.

Digital Library

[16]

Lance Spitzner. 2003. Honeypots: Catching the insider threat. In Proceedings of the 19th Annual Computer Security Applications Conference. IEEE, 170--179.

Digital Library

[17]

Benjamin Taubmann, Christoph Frädrich, Dominik Dusold, and Hans P Reiser. 2016. TLSkex: Harnessing virtual machine introspection for decrypting TLS communication. Digital Investigation 16 (2016), S114--S123.

Digital Library

[18]

Tatu Ylonen. 1996. SSH-secure login connections over the Internet. In Proceedings of the 6th USENIX Security Symposium, Vol. 37.

Digital Library

[19]

T. Ylonen and C. Lonvick. 2006. The Secure Shell (SSH) Connection Protocol. RFC 4254. RFC Editor. http://www.rfc-editor.org/rfc/rfc4254.txt http://www.rfc-editor.org/rfc/rfc4254.txt.

[20]

Xiantao Zhang, Qi Li, Sihan Qing, and Huanguo Zhang. 2008. VNIDA: Building an IDS architecture using VMM-based non-intrusive approach. In First International Workshop on Knowledge Discovery and Data Mining (WKDD). IEEE, 594--600.

Digital Library

Cited By

Panker TCohen ALandman TBery CNissim N(2024)MinCloud: Trusted and transferable MinHash-based framework for unknown malware detection for Linux cloud environmentsJournal of Information Security and Applications10.1016/j.jisa.2024.10390787(103907)Online publication date: Dec-2024
https://doi.org/10.1016/j.jisa.2024.103907
Sato MOmori TYamauchi TTaniguchi H(2023)Memory Analysis Based Estimation of Hook Point by Virtual Machine MonitorInternational Journal of Networking and Computing10.15803/ijnc.13.2_27313:2(273-286)Online publication date: 2023
https://doi.org/10.15803/ijnc.13.2_273
Sato MOmori TYamauchi TTaniguchi H(2022)Hook Point Estimation for System Call Detection by Virtual Machine Monitor2022 Tenth International Symposium on Computing and Networking Workshops (CANDARW)10.1109/CANDARW57323.2022.00069(358-362)Online publication date: Nov-2022
https://doi.org/10.1109/CANDARW57323.2022.00069
Show More Cited By

Index Terms

Virtual Machine Introspection Based SSH Honeypot
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation

Recommendations

Virtual Machine Introspection
SIN '14: Proceedings of the 7th International Conference on Security of Information and Networks

Due to exposure to the Internet, virtual machines (VMs) as forms of delivering virtualized infrastructures and resources represent a first point-of-target for security attackers who want to gain access into the virtualization environment. In-VM ...
Virtual Machine Introspection: Observation or Interference?

As virtualization becomes increasingly mainstream, virtual machine introspection techniques and tools are evolving to provide methods to monitor the behavior of virtual machines. This survey classifies and describes current VMI introspection ...
Insider Threat Detection Using Virtual Machine Introspection
HICSS '13: Proceedings of the 2013 46th Hawaii International Conference on System Sciences

This paper presents a methodology for signaling potentially malicious insider behavior using virtual machine introspection (VMI). VMI provides a novel means to detect potential malicious insiders because the introspection tools remain transparent and ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

SHCIS '17: Proceedings of the 4th Workshop on Security in Highly Connected IT Systems

June 2017

53 pages

ISBN:9781450352710

DOI:10.1145/3099012

Copyright © 2017 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 19 June 2017

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Funding Sources

Conference

SHCIS '17

SHCIS '17: Workshop on Security in Highly Connected IT Systems

June 19 - 22, 2017

Neuchâtel, Switzerland

Acceptance Rates

SHCIS '17 Paper Acceptance Rate 8 of 11 submissions, 73%;

Overall Acceptance Rate 8 of 11 submissions, 73%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

8
Total Citations
View Citations
395
Total Downloads

Downloads (Last 12 months)29
Downloads (Last 6 weeks)6

Reflects downloads up to 10 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Panker TCohen ALandman TBery CNissim N(2024)MinCloud: Trusted and transferable MinHash-based framework for unknown malware detection for Linux cloud environmentsJournal of Information Security and Applications10.1016/j.jisa.2024.10390787(103907)Online publication date: Dec-2024
https://doi.org/10.1016/j.jisa.2024.103907
Sato MOmori TYamauchi TTaniguchi H(2023)Memory Analysis Based Estimation of Hook Point by Virtual Machine MonitorInternational Journal of Networking and Computing10.15803/ijnc.13.2_27313:2(273-286)Online publication date: 2023
https://doi.org/10.15803/ijnc.13.2_273
Sato MOmori TYamauchi TTaniguchi H(2022)Hook Point Estimation for System Call Detection by Virtual Machine Monitor2022 Tenth International Symposium on Computing and Networking Workshops (CANDARW)10.1109/CANDARW57323.2022.00069(358-362)Online publication date: Nov-2022
https://doi.org/10.1109/CANDARW57323.2022.00069
Knochel MWefel S(2022)Analysing Attackers and Intrusions on a High-Interaction Honeypot System2022 27th Asia Pacific Conference on Communications (APCC)10.1109/APCC55198.2022.9943718(433-438)Online publication date: 19-Oct-2022
https://doi.org/10.1109/APCC55198.2022.9943718
TAŞÇI HGÖNEN SBARIŞKAN MKARACAYILMAZ GALHAN BYILMAZ E(2021)Password Attack Analysis Over Honeypot Using Machine Learning Password Attack AnalysisTurkish Journal of Mathematics and Computer Science10.47000/tjmcs.97114113:2(388-402)Online publication date: 31-Dec-2021
https://doi.org/10.47000/tjmcs.971141
Otani KOkazaki TYamauchi TMoriyama HSato MTaniguchi H(2021)Function for Tracing Diffusion of Classified Information to Support Multiple VMs with KVM2021 Ninth International Symposium on Computing and Networking Workshops (CANDARW)10.1109/CANDARW53999.2021.00066(352-358)Online publication date: Nov-2021
https://doi.org/10.1109/CANDARW53999.2021.00066
Krasov APetriv RSakharov DStorozhuk NUshakov I(2019)Scalable Honeypot Solution for Corporate Networks Security ProvisionProceedings of Telecommunication Universities10.31854/1813-324X-2019-5-3-86-975:3(86-97)Online publication date: 2019
https://doi.org/10.31854/1813-324X-2019-5-3-86-97
Sentanoe STaubmann BReiser H(2018)Sarracenia: Enhancing the Performance and Stealthiness of SSH Honeypots Using Virtual Machine IntrospectionSecure IT Systems10.1007/978-3-030-03638-6_16(255-271)Online publication date: 2-Nov-2018
https://doi.org/10.1007/978-3-030-03638-6_16

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents