Sarracenia: Enhancing the Performance and Stealthiness of SSH Honeypots Using Virtual Machine Introspection

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11252)


Secure Shell (SSH) is a preferred target for attacks, as it is frequently used with password-based authentication, and weak passwords can be easily exploited using brute-force attacks. To learn more about adversaries, we can use a honeypot that provides information about attack and exploitation methods. The problem of current honeypot implementations is that attackers can easily detect that they are interacting with a honeypot and stop their activities immediately. Moreover, there is no freely available high-interaction SSH honeypot that provides in-depth tracing of attacks.

In this paper, we introduce Sarracenia, a virtual high-interaction SSH honeypot which improves the stealthiness of monitoring by using virtual machine introspection (VMI) based tracing. We discuss the design of the system and how to extract valuable information such as user credential, executed commands, and file changes.


Honeypot Virtual Machine Introspection Secure Shell 



This work has been supported by the German Federal Ministry of Education and Research (BMBF) in the project DINGFEST-EFoVirt and German Research Foundation (DFG) in the project ARADIA.


  1. 1.
    Bahram, S., et al.: DKSM: subverting virtual machine introspection for fun and profit. In: 2010 29th IEEE Symposium on Reliable Distributed Systems, pp. 82–91, October 2010.
  2. 2.
    Block, F., Dewald, A.: Linux memory forensics: dissecting the user space process heap. Digit. Investig. 22, S66–S75 (2017)CrossRefGoogle Scholar
  3. 3.
    Bosman, E., Slowinska, A., Bos, H.: Minemu: the world’s fastest taint tracker. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 1–20. Springer, Heidelberg (2011). Scholar
  4. 4.
    Briffaut, J., Lalande, J.F., Toinard, C.: Security and results of a large-scale high-interaction honeypot. JCP 4(5), 395–404 (2009)Google Scholar
  5. 5.
  6. 6.
    Coret, J.A.: Kojoney - A Honeypot For The SSH Service (2006). Accessed 17 Feb 2018
  7. 7.
    Dinaburg, A., Royal, P., Sharif, M., Lee, W.: Ether: malware analysis via hardware virtualization extensions. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 51–62. ACM (2008)Google Scholar
  8. 8.
    Dolan-Gavitt, B., Payne, B., Lee, W.: Leveraging forensic tools for virtual machine introspection. Technical report GT-CS-11-05, Georgia Institute of Technology (2011)Google Scholar
  9. 9.
    Enemy, K.Y.: Honeywall CDROM Roo 3rd Generation Technology. Honeynet Project & Research Alliance, vol. 17 (2005).
  10. 10.
    Garfinkel, T., Rosenblum, M., et al.: A virtual machine introspection based architecture for intrusion detection. In: Network and Distributed Systems Security Symposium (NDSS), vol. 3, pp. 191–206 (2003)Google Scholar
  11. 11.
    Graziano, M., Lanzi, A., Balzarotti, D.: Hypervisor memory forensics. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds.) RAID 2013. LNCS, vol. 8145, pp. 21–40. Springer, Heidelberg (2013). Scholar
  12. 12.
    Holz, T., Raynal, F.: Detecting honeypots and other suspicious environments. In: Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop, IAW 2005, pp. 29–36. IEEE (2005)Google Scholar
  13. 13.
    Hoopes, J.: Virtualization for security: including sandboxing, disaster recovery, high availability, forensic analysis, and honeypotting. Syngress (2009)Google Scholar
  14. 14.
    Intel: Intel\({\textregistered }\) 100 Series and Intel\({\textregistered }\) C230 Series Chipset Family Platform Controller Hub (PCH), May 2016Google Scholar
  15. 15.
    Jiang, X., Wang, X.: “Out-of-the-Box” monitoring of VM-based high-interaction honeypots. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 198–218. Springer, Heidelberg (2007). Scholar
  16. 16.
    Jiang, X., Wang, X., Xu, D.: Stealthy malware detection and monitoring through VMM-based “out-of-the-box” semantic view reconstruction. ACM Trans. Inf. Syst. Secur. (TISSEC) 13(2), 12 (2010)CrossRefGoogle Scholar
  17. 17.
    Joshi, R., Sardana, A.: Honeypots: A New Paradigm to Information Security. CRC Press, Boca Raton (2011)Google Scholar
  18. 18.
    Kittel, T.: Library to parse dwarf information and access/use it in C/C++ (2014). Accessed 17 Feb 2018
  19. 19.
    Krawetz, N.: Anti-honeypot technology. IEEE Secur. Privacy 2(1), 76–79 (2004)CrossRefGoogle Scholar
  20. 20.
    Lengyel, T.K.: Stealthy monitoring with xen altp2m. Accessed 13 Feb 2018
  21. 21.
    Lengyel, T.K., Maresca, S., Payne, B.D., Webster, G.D., Vogl, S., Kiayias, A.: Scalability, fidelity and stealth in the drakvuf dynamic malware analysis system. In: Proceedings of the 30th Annual Computer Security Applications Conference (2014)Google Scholar
  22. 22.
    Lengyel, T.K., Neumann, J., Maresca, S., Kiayias, A.: Towards hybrid honeynets via virtual machine introspection and cloning. In: Lopez, J., Huang, X., Sandhu, R. (eds.) NSS 2013. LNCS, vol. 7873, pp. 164–177. Springer, Heidelberg (2013). Scholar
  23. 23.
    Oosterhof, M.: Cowrie SSH/Telnet Honeypot (2014). Accessed 17 Feb 2018
  24. 24.
    Payne, B.D.: Simplifying virtual machine introspection using LibVMI. Sandia report, pp. 43–44 (2012)Google Scholar
  25. 25.
    Portokalidis, G., Bos, H.: Eudaemon: involuntary and on-demand emulation against zero-day exploits. In: Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems, Eurosys 2008, pp. 287–299. ACM, New York (2008).
  26. 26.
    Portokalidis, G., Slowinska, A., Bos, H.: Argos: an emulator for fingerprinting zero-day attacks for advertised honeypots with automatic signature generation. SIGOPS Oper. Syst. Rev. 40(4), 15–27 (2006). Scholar
  27. 27.
    Sentanoe, S., Taubmann, B., Reiser, H.P.: Virtual machine introspection based SSH honeypot. In: Proceedings of the 4th Workshop on Security in Highly Connected IT Systems, pp. 13–18. ACM (2017)Google Scholar
  28. 28.
    Spitzner, L.: Know your enemy: Genii honeynets. The Honeynet Alliance (2005)Google Scholar
  29. 29.
    Srivastava, A., Giffin, J.: Tamper-resistant, application-aware blocking of malicious network connections. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 39–58. Springer, Heidelberg (2008). Scholar
  30. 30.
    Stuart: High-interaction MitM SSH honeypot (2016). Accessed 17 Feb 2018
  31. 31.
    Tamminen, U.: Kippo - SSH Honeypot (2009). Accessed 17 Feb 2018
  32. 32.
    Taubmann, B., Frädrich, C., Dusold, D., Reiser, H.P.: Tlskex: harnessing virtual machine introspection for decrypting tls communication. Digit. Investig. 16, S114–S123 (2016)CrossRefGoogle Scholar
  33. 33.
    Taubmann, B., Rakotondravony, N., Reiser, H.P.: Cloudphylactor: harnessing mandatory access control for virtual machine introspection in cloud data centers. In: 2016 IEEE Trustcom/BigDataSE/I SPA, pp. 957–964. IEEE (2016)Google Scholar
  34. 34.
    Taubmann, B., Rakotondravony, N., Reiser, H.P.: Libvmtrace: tracing virtual machines (2016)Google Scholar
  35. 35.
    Testa, J.: SSH man-in-the-middle tool (2017). Accessed 17 Feb 2018
  36. 36.
    Tuzel, T., Bridgman, M., Zepf, J., Lengyel, T.K., Temkin, K.: Who watches the watcher? Detecting hypervisor introspection from unprivileged guests. Digit. Investig. 26, S98–S106 (2018)CrossRefGoogle Scholar
  37. 37.
    Uitto, J., Rauti, S., Laurén, S., Leppänen, V.: A survey on anti-honeypot and anti-introspection methods. In: Rocha, Á., Correia, A.M., Adeli, H., Reis, L.P., Costanzo, S. (eds.) WorldCIST 2017. AISC, vol. 570, pp. 125–134. Springer, Cham (2017). Scholar
  38. 38.
    Wang, P., Wu, L., Cunningham, R., Zou, C.C.: Honeypot detection in advanced botnet attacks. Int. J. Inf. Comput. Secur. 4(1), 30–51 (2010)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.University of PassauPassauGermany

Personalised recommendations