Abstract
Secure Shell (SSH) is a preferred target for attacks, as it is frequently used with password-based authentication, and weak passwords can be easily exploited using brute-force attacks. To learn more about adversaries, we can use a honeypot that provides information about attack and exploitation methods. The problem of current honeypot implementations is that attackers can easily detect that they are interacting with a honeypot and stop their activities immediately. Moreover, there is no freely available high-interaction SSH honeypot that provides in-depth tracing of attacks.
In this paper, we introduce Sarracenia, a virtual high-interaction SSH honeypot which improves the stealthiness of monitoring by using virtual machine introspection (VMI) based tracing. We discuss the design of the system and how to extract valuable information such as user credentials, executed commands, and file changes.
Acknowledgment
This work has been supported by the German Federal Ministry of Education and Research (BMBF) in the project DINGFEST-EFoVirt and German Research Foundation (DFG) in the project ARADIA.
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Sentanoe, S., Taubmann, B., Reiser, H.P. (2018). Sarracenia: Enhancing the Performance and Stealthiness of SSH Honeypots Using Virtual Machine Introspection. In: Gruschka, N. (eds) Secure IT Systems. NordSec 2018. Lecture Notes in Computer Science(), vol 11252. Springer, Cham. https://doi.org/10.1007/978-3-030-03638-6_16
DOI: https://doi.org/10.1007/978-3-030-03638-6_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-03637-9
Online ISBN: 978-3-030-03638-6
eBook Packages: Computer Science (R0)