virtual machine introspection in a hybrid honeypot
play

Virtual machine introspection in a hybrid honeypot architecture - PowerPoint PPT Presentation

Jan 15, 2024 •698 likes •846 views

Virtual machine introspection in a hybrid honeypot architecture Tamas K Lengyel & Justin Neumann University of Connecticut The role of the honeypot The limitations Low-interaction honeypots: "Artificial" attack surface

  1. Virtual machine introspection in a hybrid honeypot architecture Tamas K Lengyel & Justin Neumann University of Connecticut

  2. The role of the honeypot

  3. The limitations Low-interaction honeypots: • "Artificial" attack surface • Limited information about the attacks High-interaction honeypots: • Complexity • Maintenance • High risk

  4. Hybrid honeypots Theory: Combining low and high interaction honeypots can provide the best of the two. Original idea: switch an attack to a high-interaction honeypot based on predefined rules Problem: What rules? Robin Berthier, 2006: Advanced honeypot architecture for network threats quantification

  5. Further problems Few choices for high-interaction honeypots • Sebek • Qebek • Argos Why? " Regarding Reviewer #4’s question as to whether we would consider releasing gateway and containment server code to the community, we indeed considered this. However, in our experience malware execution platforms differ substantially, and it would likely be hard to make our code work in a variety of environments. In addition, we lack the support to commit to the maintenance necessary for such a public release to be effective . " Kreibich et. al., SIGCOMM 2011: GQ: Practical Containment for Measuring Modern Malware Systems

  6. Further problems Virtualization based honeypots: • Modified QEMU • Malware can detect monitoring and alter its behaviour • Most only work with Windows XP SP2

  7. VMI-Honeymon http://vmi-honeymon.sf.net • Built on open source tools • • • • • LibVMI LibVirt LibGuestFS Volatility Xen • Full virtualization, no modification to Xen • Works with all versions of Windows with no in-guest agent • Read-only memory scanning and footprinting eliminates subversion attacks

  8. System overview • Honeybrid filters attackers who already dropped payload on Dionaea • Only one attacker interacts with the HIH at a time • An attack is transferred to the HIH when it is free (random samples)

  9. System overview • Honeybrid detects outgoing connections from HIH, sends trigger to VMI- Honeymon • On time-out Honeybrid sends trigger to VMI- Honeymon • After attack session, HIH is reverted

  10. Results (in two weeks) VMI-Honeymon: 886 binaries (6,335 TCP sessions) Dionaea: 1,411 binaries (1,152,142 TCP sessions)

  11. Performance

  12. Future work • Multiple concurrent HIHs • Using Windows Vista, 7 and 8 as HIH • Fast-clone/memory sharing of HIHs • Automatic analyses of malware memory footprints to detect similarities

  13. Thank you!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Virtual Machine Introspection Isolation Interpretation Interposition Isolation

Virtual Machine Introspection Isolation Interpretation Interposition Isolation

Virtual Machine Introspection Isolation Interpretation Interposition Isolation From in-guest kernel/userspace Provided by Xen Buggy emulation blurres the line From trusted computing base (TCB) Possible via Xen

286 views • 26 slides
About Bringing Memory Forensics and Virtual Machine Introspection Title: to Production

About Bringing Memory Forensics and Virtual Machine Introspection Title: to Production

About Bringing Memory Forensics and Virtual Machine Introspection Title: to Production Environments Student: Benjamin Taubmann PhD stage: Third year, finisher Advisor: Prof. Dr. Hans P. Reiser Affiliation: Assistant Professorship of

313 views • 8 slides
Subverting System Authentication With Context-Aware, Reactive Virtual Machine Introspection

Subverting System Authentication With Context-Aware, Reactive Virtual Machine Introspection

Background Detailed Design Implementation Evaluation Related Work Summary Subverting System Authentication With Context-Aware, Reactive Virtual Machine Introspection Yangchun Fu , Zhiqiang Lin, Kevin Hamlen Department of Computer Science The

814 views • 52 slides
Building Trustworthy Intrusion Detection Through Virtual Machine Introspection Fabrizio Baiardi 1

Building Trustworthy Intrusion Detection Through Virtual Machine Introspection Fabrizio Baiardi 1

Problem Overall Architecture Evaluation Conclusion Building Trustworthy Intrusion Detection Through Virtual Machine Introspection Fabrizio Baiardi 1 Daniele Sgandurra 2 1 Polo G. Marconi - La Spezia, University of Pisa 2 Department of Computer

472 views • 20 slides
Software Security VMI (Virtual Machine Introspection) / VMM-based Intrusion Prevention Julian

Software Security VMI (Virtual Machine Introspection) / VMM-based Intrusion Prevention Julian

Software Security VMI (Virtual Machine Introspection) / VMM-based Intrusion Prevention Julian Vetter Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2016 julian (sect) Software Security SoSe 2016 1 / 21

220 views • 21 slides
Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine

Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine

Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine Introspection IFIP SEC 2018 Sergej Proskurin, 1 Julian Kirsch, 1 and Apostolis Zarras 2 1 Technical University of Munich 2 Maastricht University

548 views • 20 slides
Space Traveling across VM Automatically Bridging the Semantic-Gap in Virtual Machine

Space Traveling across VM Automatically Bridging the Semantic-Gap in Virtual Machine

Background and The Problem State-of-the-Art Our Approach: Data Space Traveling Conclusion Space Traveling across VM Automatically Bridging the Semantic-Gap in Virtual Machine Introspection via Online Kernel Data Redirection Yangchun Fu, and

926 views • 66 slides
Semantics-Driven Introspection in a Virtual Environment . Baiardi 1 D. Maggiari 1 D. Sgandurra 2 .

Semantics-Driven Introspection in a Virtual Environment . Baiardi 1 D. Maggiari 1 D. Sgandurra 2 .

Problem Overall Architecture Evaluation Conclusion Semantics-Driven Introspection in a Virtual Environment . Baiardi 1 D. Maggiari 1 D. Sgandurra 2 . Tamberi 2 F F 1 Polo G. Marconi - La Spezia, University of Pisa 2 Department of Computer

311 views • 29 slides
Introspection and Consciousness: Wrap-Up Talk David Chalmers Introspection for Great Apes David

Introspection and Consciousness: Wrap-Up Talk David Chalmers Introspection for Great Apes David

Introspection and Consciousness: Wrap-Up Talk David Chalmers Introspection for Great Apes David Chalmers Four Issues The Power of Introspection 1. Doubts about Introspection 2. Mechanisms of Introspection 3. Introspection and Consciousness

733 views • 26 slides
EXPO REAL Hybrid Summit Your virtual exhibition EXPO REAL Hybrid Summit The Hybrid Conference

EXPO REAL Hybrid Summit Your virtual exhibition EXPO REAL Hybrid Summit The Hybrid Conference

EXPO REAL Hybrid Summit Your virtual exhibition EXPO REAL Hybrid Summit The Hybrid Conference for Property and Investment October 14 15, 2020 Internationales Congress Center Mnchen exporeal.net Building networks EXPO REAL Hybrid

314 views • 13 slides
Virtual Machines What is a Virtual Machine? Java Virtual Machine (Application Virtualization)

Virtual Machines What is a Virtual Machine? Java Virtual Machine (Application Virtualization)

Virtual Machines What is a Virtual Machine? Java Virtual Machine (Application Virtualization) Software to simulate hardware Independent Separate Use one piece of hardware to simulate many computers Topics What are

519 views • 22 slides
100% VIRTUAL LEARNING Chattooga County Schools July 2020 VIRTUAL vs HYBRID vs E-LEARNING

100% VIRTUAL LEARNING Chattooga County Schools July 2020 VIRTUAL vs HYBRID vs E-LEARNING

100% VIRTUAL LEARNING Chattooga County Schools July 2020 VIRTUAL vs HYBRID vs E-LEARNING Virtual lea earnin ing 100% distance learning: away from the school campus Instruction provided by certified teachers at Georgia

351 views • 12 slides
An Online Virtual Machine Placement Algorithm in an Over-Committed Cloud Siqi Ji*, Ming Da Li,

An Online Virtual Machine Placement Algorithm in an Over-Committed Cloud Siqi Ji*, Ming Da Li,

IC2E18 An Online Virtual Machine Placement Algorithm in an Over-Committed Cloud Siqi Ji*, Ming Da Li, Niannian Ji, Baochun Li Virtual Machine Placement Select the most suitable physical machine (PM) to host each virtual machine (VM).

417 views • 13 slides
capturing CPE and IoT zero days Alexander Vetterl and Richard Clayton University of Cambridge

capturing CPE and IoT zero days Alexander Vetterl and Richard Clayton University of Cambridge

Honware: A virtual honeypot framework for capturing CPE and IoT zero days Alexander Vetterl and Richard Clayton University of Cambridge eCrime 2019, APWG Symposium on Electronic Crime Research November 14, 2019 Introduction Honeypot: A

224 views • 19 slides
Virtual Machines Uses for Virtual Machines There are several uses for virtual machines:

Virtual Machines Uses for Virtual Machines There are several uses for virtual machines:

Virtual Machines Uses for Virtual Machines There are several uses for virtual machines: Virtual machine technology, often just called virtualization , makes one computer behave as several Running several operating systems simultaneously on

254 views • 10 slides
Hybrid Virtual Private LAN <draft-lee-ppvpn-hybrid-vpls-00.txt> Contributors:

Hybrid Virtual Private LAN <draft-lee-ppvpn-hybrid-vpls-00.txt> Contributors:

Hybrid Virtual Private LAN <draft-lee-ppvpn-hybrid-vpls-00.txt> Contributors: Cheng-Yin.Lee@alcatel.com, Sasha.Cirkovic@alcatel.com, Jeremy.deClercq@alcatel.be Muneyoshi Suzuki suzuki.muneyoshi@lab.ntt.co.jp Siamack Ayandeh

533 views • 14 slides
Measuring the Performance and Effectiveness of Critical security controls William Makatiani

Measuring the Performance and Effectiveness of Critical security controls William Makatiani

Measuring the Performance and Effectiveness of Critical security controls William Makatiani Name Here About Serianu Limited Serianu is a Pan Africa based Cyber Security and business consulting firm. We are an award winning company in the

759 views • 46 slides
Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci

Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci

OWASP T urkey - Uygulama Gvenlii Gn Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci Siber Gvenlik Dernei ali@ikinci.info 9 June 2012 Turkey About Me Working on Malicious Web Sites

505 views • 31 slides
NETWORK DEFENCE STRATEGY EVALUATION: SIMULATION VS. LIVE NETWORK Tuesday 9 th May, 2017 Jana

NETWORK DEFENCE STRATEGY EVALUATION: SIMULATION VS. LIVE NETWORK Tuesday 9 th May, 2017 Jana

NETWORK DEFENCE STRATEGY EVALUATION: SIMULATION VS. LIVE NETWORK Tuesday 9 th May, 2017 Jana Medkov Martin Husk, Martin Draar Introduction optimal strategy to defend network infrastructure no standard for benchmarking Network Defence

574 views • 18 slides
What do we know? What can we measure? Martin Eling OECD Expert Workshop, May 13, 2017

What do we know? What can we measure? Martin Eling OECD Expert Workshop, May 13, 2017

Cyber Risk and Cyber Risk Insurance: What do we know? What can we measure? Martin Eling OECD Expert Workshop, May 13, 2017 Management Summary Research Approach: Overview of the main research topics in the fields of cyber risk and

579 views • 12 slides
Industrial Control Systems Honeypot May1601 Aashwatth Agarwal Dan Borgerding Jon Hope Nik

Industrial Control Systems Honeypot May1601 Aashwatth Agarwal Dan Borgerding Jon Hope Nik

Industrial Control Systems Honeypot May1601 Aashwatth Agarwal Dan Borgerding Jon Hope Nik Kinkel Jon Osborne Korbin Stich http://may1601.sd.ece.iastate.edu Client : Alliant Energy Advisor : Dr. Doug Jacobson April 28, 2016 May1601 ICS

384 views • 15 slides
NCSC One: IoT Honeypot Pieter Jansen & Jurriaan Bremer On the agenda: 1. Introduction 2.

NCSC One: IoT Honeypot Pieter Jansen & Jurriaan Bremer On the agenda: 1. Introduction 2.

NCSC One: IoT Honeypot Pieter Jansen & Jurriaan Bremer On the agenda: 1. Introduction 2. SBIR 3. Cuckoo Sandbox 4. Project 5. Architecture 6. Offline demo 7. Roadmap Introduction Pieter Jansen - CEO @ Cybersprint -

859 views • 42 slides
Towards malware inspired management frameworks J er ome Fran cois, Radu State and

Towards malware inspired management frameworks J er ome Fran cois, Radu State and

April, 8 2008 http://madynes.loria.fr/ Towards malware inspired management frameworks J er ome Fran cois, Radu State and Olivier Festor Introduction Malware for management Models Results Conclusion Outline 1 Introduction 2

513 views • 34 slides
@lady_nerd laura@safestack.io https://safestack.io In this talk Fear and loathing Examining

@lady_nerd laura@safestack.io https://safestack.io In this talk Fear and loathing Examining

@lady_nerd laura@safestack.io https://safestack.io In this talk Fear and loathing Examining the root of fear and its effects Fear-based architecture and antipatterns Fear leads to anger, anger leads to hatred. Fearless security

765 views • 40 slides

More recommend