Using VMM-based sensors to monitor honeypots

Published: 14 June 2006

Abstract

Virtual Machine Monitors (VMMs) are a common tool for implementing honeypots. In this paper we examine the implementation of a VMM-based intrusion detection and monitoring system for collecting information about attacks on honeypots. We document and evaluate three designs we have implemented on two open-source virtualization platforms, User-Mode Linux and Xen. Our results show that our designs give the monitor good visibility into the system, so a small number of monitoring sensors can detect a large number of intrusions. In a three-month period we detected five different attacks, and collected and tried 46 more exploits on our honeypots; all attacks were detected with only two monitoring sensors. We found that the performance overhead of monitoring such intrusions is independent of which events are being monitored and depends entirely on the number of monitoring events and the underlying monitoring implementation. The overhead can be reduced significantly by implementing the monitor directly in the privileged code of the VMM, though at the cost of increasing the size of the system's trusted computing base.
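As an added illustration (not code from the paper or its authors), the following C model shows how a VMM-side sensor architecture of the kind the abstract describes behaves: sensors subscribe to kinds of guest events, the VMM exits into the monitor only for subscribed kinds, and the cost is counted in traps regardless of what the sensors test, which is the overhead behaviour the abstract reports. The two sensors, the syscall-table address range, the syscall numbers and the event trace are all assumptions made for this example; the paper does not say which sensors its authors deployed.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Kinds of guest events a VMM can trap and hand to an out-of-guest monitor. */
typedef enum { EV_SYSCALL, EV_PAGE_WRITE, EV_KIND_COUNT } ev_kind;

typedef struct {
    ev_kind kind;
    int pid, uid;        /* guest process id and effective uid */
    int nr;              /* syscall number (EV_SYSCALL only) */
    const char *path;    /* path argument, or NULL */
    uint64_t gpa;        /* guest-physical address written (EV_PAGE_WRITE only) */
} guest_event;

typedef struct {
    const char *name;
    ev_kind kind;                        /* the one event kind the sensor subscribes to */
    int (*check)(const guest_event *e);  /* returns 1 to raise an alert */
} sensor;

typedef struct {
    unsigned traps;      /* guest events that caused an exit into the monitor */
    unsigned alerts;
} monitor_stats;

/* Assumed guest-physical range of the guest kernel's system-call table. */
#define SYS_TABLE_LO 0x00301000ULL
#define SYS_TABLE_HI 0x00302000ULL
#define NR_EXECVE    11   /* execve on 32-bit x86 Linux */

/* Sensor 1 (assumed): any write into the syscall-table page is treated as
 * kernel tampering, e.g. a rootkit hooking entries. A sane kernel never writes it. */
static int sensor_syscall_table_write(const guest_event *e)
{
    return e->gpa >= SYS_TABLE_LO && e->gpa < SYS_TABLE_HI;
}

/* Sensor 2 (assumed): execve of a binary dropped in a world-writable scratch
 * directory, a common second stage once a remote exploit has landed. */
static int sensor_exec_from_scratch_dir(const guest_event *e)
{
    if (e->nr != NR_EXECVE || e->path == NULL)
        return 0;
    return strncmp(e->path, "/tmp/", 5) == 0 || strncmp(e->path, "/dev/shm/", 9) == 0;
}

static const sensor SENSORS[] = {
    { "syscall-table-write",   EV_PAGE_WRITE, sensor_syscall_table_write },
    { "exec-from-scratch-dir", EV_SYSCALL,    sensor_exec_from_scratch_dir },
};
#define N_SENSORS (sizeof SENSORS / sizeof SENSORS[0])

/* Run the monitor over a trace of guest events. The VMM exits into the monitor
 * only for event kinds some sensor subscribed to, and each exit costs one trap
 * whether or not a sensor fires: overhead follows the number of monitored
 * events, not what the sensors look for. */
monitor_stats monitor_run(const guest_event *trace, size_t n,
                          const sensor *sensors, size_t ns, int verbose)
{
    monitor_stats st = { 0, 0 };
    int subscribed[EV_KIND_COUNT] = { 0 };
    for (size_t i = 0; i < ns; i++)
        subscribed[sensors[i].kind] = 1;

    for (size_t i = 0; i < n; i++) {
        const guest_event *e = &trace[i];
        if (!subscribed[e->kind])
            continue;                  /* no VM exit: the guest runs unimpeded */
        st.traps++;
        for (size_t s = 0; s < ns; s++) {
            if (sensors[s].kind != e->kind || !sensors[s].check(e))
                continue;
            st.alerts++;
            if (verbose)
                printf("ALERT %-22s pid=%d uid=%d path=%s gpa=0x%llx\n",
                       sensors[s].name, e->pid, e->uid,
                       e->path ? e->path : "-", (unsigned long long)e->gpa);
        }
    }
    return st;
}

/* Constructed trace: routine guest activity followed by two attack steps. */
static const guest_event TRACE[] = {
    { EV_SYSCALL,    412,    0,  5, "/var/log/messages", 0 },  /* syslogd opens its log */
    { EV_PAGE_WRITE, 412,    0,  0, NULL, 0x01a4f000ULL },     /* write to an ordinary data page */
    { EV_SYSCALL,    517, 1000, 11, "/usr/bin/vim", 0 },       /* user starts an editor */
    { EV_SYSCALL,    533,    0, 11, "/tmp/.x/bd", 0 },         /* exploited daemon execs a dropped binary */
    { EV_PAGE_WRITE, 533,    0,  0, NULL, 0x00301080ULL },     /* rootkit overwrites a syscall-table entry */
    { EV_SYSCALL,    533,    0,  5, "/etc/passwd", 0 },        /* attacker reads the account file */
};
#define N_TRACE (sizeof TRACE / sizeof TRACE[0])

int main(void)
{
    monitor_stats st = monitor_run(TRACE, N_TRACE, SENSORS, N_SENSORS, 1);
    printf("%u traps, %u alerts with %zu sensors\n", st.traps, st.alerts, N_SENSORS);
    return 0;
}
```

With both sensors every event in the trace exits to the monitor (6 traps) and both attack steps raise an alert; passing only the page-write sensor drops the trap count to 2 while still catching the table overwrite. The model deliberately leaves out the second factor the abstract names, the cost of the exit path itself, which is what changes when the monitor is moved from a separate domain into the VMM's privileged code at the expense of a larger trusted computing base.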

Published In

VEE '06: Proceedings of the 2nd International Conference on Virtual Execution Environments
June 2006, 194 pages
ISBN: 1595933328
DOI: 10.1145/1134760

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. IDS
  2. honeypot monitoring
  3. intrusion detection
  4. virtual machine monitor

Conference

VEE '06

Acceptance Rates

Overall acceptance rate: 80 of 235 submissions (34%)

Cited By

  • (2024) Detecting the penetration of malicious behavior in big data using hybrid algorithms. Signal, Image and Video Processing 18(S1), 919–933. doi:10.1007/s11760-024-03203-3
  • (2023) Travelling the Hypervisor and SSD: A Tag-Based Approach Against Crypto Ransomware with Fine-Grained Data Recovery. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 341–355. doi:10.1145/3576915.3616665
  • (2023) A survey of contemporary open-source honeypots, frameworks, and tools. Journal of Network and Computer Applications 220, 103737. doi:10.1016/j.jnca.2023.103737
  • (2021) Virtual Machine Introspection in Virtualization: A Security Perspective. Proceedings of the 2021 Thirteenth International Conference on Contemporary Computing, 117–124. doi:10.1145/3474124.3474140
  • (2021) Message-of-the-Day (MOTD) Banner Language Variations as an Adaptive Honeypot Deterrent of Unauthorized Access. Proceedings of the 16th International Conference on Availability, Reliability and Security, 1–7. doi:10.1145/3465481.3470032
  • (2020) Design network intrusion detection system using support vector machine. International Journal of Communication Systems 34(3). doi:10.1002/dac.4689
  • (2018) Vanguard: A Cache-Level Sensitive File Integrity Monitoring System in Virtual Machine Environment. IEEE Access 6, 38567–38577. doi:10.1109/ACCESS.2018.2851192
  • (2017) 3DGates. ACM SIGPLAN Notices 52(4), 419–433. doi:10.1145/3093336.3037752
  • (2017) Efficient Address Translation for Architectures with Multiple Page Sizes. ACM SIGPLAN Notices 52(4), 435–448. doi:10.1145/3093336.3037704
  • (2017) BMCArmor: A Hardware Protection Scheme for Bare-Metal Clouds. 2017 IEEE International Conference on Cloud Computing Technology and Science (CloudCom), 322–330. doi:10.1109/CloudCom.2017.43
