virtual machine introspection in a hybrid honeypot
play

Virtual machine introspection in a hybrid honeypot architecture - PowerPoint PPT Presentation

Jan 15, 2024 •698 likes •846 views

Virtual machine introspection in a hybrid honeypot architecture Tamas K Lengyel & Justin Neumann University of Connecticut The role of the honeypot The limitations Low-interaction honeypots: "Artificial" attack surface

  1. Virtual machine introspection in a hybrid honeypot architecture Tamas K Lengyel & Justin Neumann University of Connecticut

  2. The role of the honeypot

  3. The limitations Low-interaction honeypots: • "Artificial" attack surface • Limited information about the attacks High-interaction honeypots: • Complexity • Maintenance • High risk

  4. Hybrid honeypots Theory: Combining low and high interaction honeypots can provide the best of the two. Original idea: switch an attack to a high-interaction honeypot based on predefined rules Problem: What rules? Robin Berthier, 2006: Advanced honeypot architecture for network threats quantification

  5. Further problems Few choices for high-interaction honeypots • Sebek • Qebek • Argos Why? " Regarding Reviewer #4’s question as to whether we would consider releasing gateway and containment server code to the community, we indeed considered this. However, in our experience malware execution platforms differ substantially, and it would likely be hard to make our code work in a variety of environments. In addition, we lack the support to commit to the maintenance necessary for such a public release to be effective . " Kreibich et. al., SIGCOMM 2011: GQ: Practical Containment for Measuring Modern Malware Systems

  6. Further problems Virtualization based honeypots: • Modified QEMU • Malware can detect monitoring and alter its behaviour • Most only work with Windows XP SP2

  7. VMI-Honeymon http://vmi-honeymon.sf.net • Built on open source tools • • • • • LibVMI LibVirt LibGuestFS Volatility Xen • Full virtualization, no modification to Xen • Works with all versions of Windows with no in-guest agent • Read-only memory scanning and footprinting eliminates subversion attacks

  8. System overview • Honeybrid filters attackers who already dropped payload on Dionaea • Only one attacker interacts with the HIH at a time • An attack is transferred to the HIH when it is free (random samples)

  9. System overview • Honeybrid detects outgoing connections from HIH, sends trigger to VMI- Honeymon • On time-out Honeybrid sends trigger to VMI- Honeymon • After attack session, HIH is reverted

  10. Results (in two weeks) VMI-Honeymon: 886 binaries (6,335 TCP sessions) Dionaea: 1,411 binaries (1,152,142 TCP sessions)

  11. Performance

  12. Future work • Multiple concurrent HIHs • Using Windows Vista, 7 and 8 as HIH • Fast-clone/memory sharing of HIHs • Automatic analyses of malware memory footprints to detect similarities

  13. Thank you!

Recommend

Virtual Machine Introspection Isolation Interpretation Interposition Isolation

Virtual Machine Introspection Isolation Interpretation Interposition Isolation

Virtual Machine Introspection Isolation Interpretation Interposition Isolation From in-guest kernel/userspace Provided by Xen Buggy emulation blurres the line From trusted computing base (TCB) Possible via Xen

286 views • 26 slides
About Bringing Memory Forensics and Virtual Machine Introspection Title: to Production

About Bringing Memory Forensics and Virtual Machine Introspection Title: to Production

About Bringing Memory Forensics and Virtual Machine Introspection Title: to Production Environments Student: Benjamin Taubmann PhD stage: Third year, finisher Advisor: Prof. Dr. Hans P. Reiser Affiliation: Assistant Professorship of

313 views • 8 slides
Subverting System Authentication With Context-Aware, Reactive Virtual Machine Introspection

Subverting System Authentication With Context-Aware, Reactive Virtual Machine Introspection

Background Detailed Design Implementation Evaluation Related Work Summary Subverting System Authentication With Context-Aware, Reactive Virtual Machine Introspection Yangchun Fu , Zhiqiang Lin, Kevin Hamlen Department of Computer Science The

814 views • 52 slides
Building Trustworthy Intrusion Detection Through Virtual Machine Introspection Fabrizio Baiardi 1

Building Trustworthy Intrusion Detection Through Virtual Machine Introspection Fabrizio Baiardi 1

Problem Overall Architecture Evaluation Conclusion Building Trustworthy Intrusion Detection Through Virtual Machine Introspection Fabrizio Baiardi 1 Daniele Sgandurra 2 1 Polo G. Marconi - La Spezia, University of Pisa 2 Department of Computer

472 views • 20 slides
Software Security VMI (Virtual Machine Introspection) / VMM-based Intrusion Prevention Julian

Software Security VMI (Virtual Machine Introspection) / VMM-based Intrusion Prevention Julian

Software Security VMI (Virtual Machine Introspection) / VMM-based Intrusion Prevention Julian Vetter Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2016 julian (sect) Software Security SoSe 2016 1 / 21

220 views • 21 slides
Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine

Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine

Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine Introspection IFIP SEC 2018 Sergej Proskurin, 1 Julian Kirsch, 1 and Apostolis Zarras 2 1 Technical University of Munich 2 Maastricht University

548 views • 20 slides
Space Traveling across VM Automatically Bridging the Semantic-Gap in Virtual Machine

Space Traveling across VM Automatically Bridging the Semantic-Gap in Virtual Machine

Background and The Problem State-of-the-Art Our Approach: Data Space Traveling Conclusion Space Traveling across VM Automatically Bridging the Semantic-Gap in Virtual Machine Introspection via Online Kernel Data Redirection Yangchun Fu, and

926 views • 66 slides
Semantics-Driven Introspection in a Virtual Environment . Baiardi 1 D. Maggiari 1 D. Sgandurra 2 .

Semantics-Driven Introspection in a Virtual Environment . Baiardi 1 D. Maggiari 1 D. Sgandurra 2 .

Problem Overall Architecture Evaluation Conclusion Semantics-Driven Introspection in a Virtual Environment . Baiardi 1 D. Maggiari 1 D. Sgandurra 2 . Tamberi 2 F F 1 Polo G. Marconi - La Spezia, University of Pisa 2 Department of Computer

311 views • 29 slides
Introspection and Consciousness: Wrap-Up Talk David Chalmers Introspection for Great Apes David

Introspection and Consciousness: Wrap-Up Talk David Chalmers Introspection for Great Apes David

Introspection and Consciousness: Wrap-Up Talk David Chalmers Introspection for Great Apes David Chalmers Four Issues The Power of Introspection 1. Doubts about Introspection 2. Mechanisms of Introspection 3. Introspection and Consciousness

733 views • 26 slides
EXPO REAL Hybrid Summit Your virtual exhibition EXPO REAL Hybrid Summit The Hybrid Conference

EXPO REAL Hybrid Summit Your virtual exhibition EXPO REAL Hybrid Summit The Hybrid Conference

EXPO REAL Hybrid Summit Your virtual exhibition EXPO REAL Hybrid Summit The Hybrid Conference for Property and Investment October 14 15, 2020 Internationales Congress Center Mnchen exporeal.net Building networks EXPO REAL Hybrid

314 views • 13 slides
Virtual Machines What is a Virtual Machine? Java Virtual Machine (Application Virtualization)

Virtual Machines What is a Virtual Machine? Java Virtual Machine (Application Virtualization)

Virtual Machines What is a Virtual Machine? Java Virtual Machine (Application Virtualization) Software to simulate hardware Independent Separate Use one piece of hardware to simulate many computers Topics What are

519 views • 22 slides
100% VIRTUAL LEARNING Chattooga County Schools July 2020 VIRTUAL vs HYBRID vs E-LEARNING

100% VIRTUAL LEARNING Chattooga County Schools July 2020 VIRTUAL vs HYBRID vs E-LEARNING

100% VIRTUAL LEARNING Chattooga County Schools July 2020 VIRTUAL vs HYBRID vs E-LEARNING Virtual lea earnin ing 100% distance learning: away from the school campus Instruction provided by certified teachers at Georgia

351 views • 12 slides
An Online Virtual Machine Placement Algorithm in an Over-Committed Cloud Siqi Ji*, Ming Da Li,

An Online Virtual Machine Placement Algorithm in an Over-Committed Cloud Siqi Ji*, Ming Da Li,

IC2E18 An Online Virtual Machine Placement Algorithm in an Over-Committed Cloud Siqi Ji*, Ming Da Li, Niannian Ji, Baochun Li Virtual Machine Placement Select the most suitable physical machine (PM) to host each virtual machine (VM).

417 views • 13 slides
capturing CPE and IoT zero days Alexander Vetterl and Richard Clayton University of Cambridge

capturing CPE and IoT zero days Alexander Vetterl and Richard Clayton University of Cambridge

Honware: A virtual honeypot framework for capturing CPE and IoT zero days Alexander Vetterl and Richard Clayton University of Cambridge eCrime 2019, APWG Symposium on Electronic Crime Research November 14, 2019 Introduction Honeypot: A

224 views • 19 slides
Virtual Machines Uses for Virtual Machines There are several uses for virtual machines:

Virtual Machines Uses for Virtual Machines There are several uses for virtual machines:

Virtual Machines Uses for Virtual Machines There are several uses for virtual machines: Virtual machine technology, often just called virtualization , makes one computer behave as several Running several operating systems simultaneously on

254 views • 10 slides
Hybrid Virtual Private LAN <draft-lee-ppvpn-hybrid-vpls-00.txt> Contributors:

Hybrid Virtual Private LAN <draft-lee-ppvpn-hybrid-vpls-00.txt> Contributors:

Hybrid Virtual Private LAN <draft-lee-ppvpn-hybrid-vpls-00.txt> Contributors: Cheng-Yin.Lee@alcatel.com, Sasha.Cirkovic@alcatel.com, Jeremy.deClercq@alcatel.be Muneyoshi Suzuki suzuki.muneyoshi@lab.ntt.co.jp Siamack Ayandeh

533 views • 14 slides
The Java Virtual Machine The Java Virtual Machine interpret compile Native Binary Code Michael

The Java Virtual Machine The Java Virtual Machine interpret compile Native Binary Code Michael

Virtual Machines in Compilation Virtual Machines in Compilation Abstract Syntax Tree compile Compilation 2007 Compilation 2007 Virtual Machine Code The Java Virtual Machine The Java Virtual Machine interpret compile Native Binary Code

541 views • 11 slides
Honeypot technologies 2006 First Conference / tutorial Junes 2006

Honeypot technologies 2006 First Conference / tutorial Junes 2006

Honeypot technologies 2006 First Conference / tutorial Junes 2006 {Franck.Veysset,Laurent.Butti}@orange-ft.com D1 -June 2006 Agenda s Origins and background s Different kinds of honeypot Q High interaction honeypots Q Low interaction honeypots

1.5k views • 112 slides
A Tor gatewayed platform for everyday use Using a virtual machine stack with its own virtual

A Tor gatewayed platform for everyday use Using a virtual machine stack with its own virtual

http://infinite.barrel-of-knowledge.info/cryptoparty/ (Surface web) https://yhfitd2wvrz3aybh.onion/cryptoparty/ (Deep web) A Tor gatewayed platform for everyday use Using a virtual machine stack with its own virtual LAN with all traffic

629 views • 9 slides
Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. !

Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. !

Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. ! Founder, Honeynet Project & Moderator, honeypot mailing list ! Author, Honeypots: Tracking Hackers & Co- author, Know Your Enemy ! Work

676 views • 52 slides
Electric Machine Simulation T Electric Machine Simulation Technology chnology St Steve Har e

Electric Machine Simulation T Electric Machine Simulation Technology chnology St Steve Har e

Electric Machine Simulation T Electric Machine Simulation Technology chnology St Steve Har e Hartridge ridge Direct Director or, Electric & , Electric & Hybrid V Hybrid Vehicles hicles Agenda Ag Intro/Session description Intr

416 views • 30 slides
Hybrid Format for fall 2020 The class is very big (120+ enrolled), so All lectures virtual over

Hybrid Format for fall 2020 The class is very big (120+ enrolled), so All lectures virtual over

Hybrid Format for fall 2020 The class is very big (120+ enrolled), so All lectures virtual over Zoom All office hours virtual over Zoom (for now) Required in-person component - 1 safe in-person chat with course staff - Details on Piazza soon

508 views • 17 slides
Virtual Machines Virtual Machines What is a virtual machine? Examples? Benefits?

Virtual Machines Virtual Machines What is a virtual machine? Examples? Benefits?

Virtual Machines Virtual Machines What is a virtual machine? Examples? Benefits? Virtualization Creation of an isomorphism that maps a virtual guest system to a real host: Maps guest state S to host state V(S) For any

271 views • 26 slides
Rustifying the VM Introspection Ecosystem FOSDEM 2020 Dorian Eikenberg Mathieu Tarral Agenda

Rustifying the VM Introspection Ecosystem FOSDEM 2020 Dorian Eikenberg Mathieu Tarral Agenda

Rustifying the VM Introspection Ecosystem FOSDEM 2020 Dorian Eikenberg Mathieu Tarral Agenda What is VM Introspection ? VMI ecosystem today Rustifying the VM Introspection ecosystem Future work Virtualization

718 views • 33 slides

More recommend