Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning

  • Tamas K. Lengyel
  • Justin Neumann
  • Steve Maresca
  • Aggelos Kiayias
Conference paper

DOI: 10.1007/978-3-642-38631-2_13

Part of the Lecture Notes in Computer Science book series (LNCS, volume 7873)
Cite this paper as:
Lengyel T.K., Neumann J., Maresca S., Kiayias A. (2013) Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning. In: Lopez J., Huang X., Sandhu R. (eds) Network and System Security. NSS 2013. Lecture Notes in Computer Science, vol 7873. Springer, Berlin, Heidelberg

Abstract

We present a scalable honeynet system built on Xen using virtual machine introspection and cloning techniques to efficiently and effectively detect intrusions and extract associated malware binaries. By melding forensics tools with live memory introspection, the system is resistant to prior in-guest detection techniques of the monitoring environment and to subversion attacks that may try to hide aspects of an intrusion. By utilizing both copy-on-write disks and memory to create multiple identical high-interaction honeypot clones, the system relaxes the linear scaling of hardware requirements typically associated with scaling such setups. By employing a novel routing approach our system eliminates the need for post-cloning network reconfiguration, allowing the clone honeypots to share IP and MAC addresses while providing concurrent and quarantined access to the network. We deployed our system and tested it with live network traffic, demonstrating its effectiveness and scalability.

Keywords

Honeypot, Honeynet, Introspection, Virtual Machine, Network Security, Memory Forensics, Malware Analysis

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Tamas K. Lengyel (1)
  • Justin Neumann (1)
  • Steve Maresca (1)
  • Aggelos Kiayias (1)
  1. Computer Science & Engineering Department, University of Connecticut, Storrs, USA
