
Sarracenia: Enhancing the Performance and Stealthiness of SSH Honeypots Using Virtual Machine Introspection

  • Conference paper
  • In: Secure IT Systems (NordSec 2018)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11252)

Abstract

Secure Shell (SSH) is a preferred target for attacks, as it is frequently used with password-based authentication, and weak passwords can easily be exploited by brute-force attacks. To learn more about adversaries, we can use a honeypot that provides information about attack and exploitation methods. The problem with current honeypot implementations is that attackers can easily detect that they are interacting with a honeypot and immediately stop their activities. Moreover, there is no freely available high-interaction SSH honeypot that provides in-depth tracing of attacks.

In this paper, we introduce Sarracenia, a virtual high-interaction SSH honeypot that improves the stealthiness of monitoring by using virtual machine introspection (VMI) based tracing. We discuss the design of the system and how to extract valuable information such as user credentials, executed commands, and file changes.

Acknowledgment

This work has been supported by the German Federal Ministry of Education and Research (BMBF) in the project DINGFEST-EFoVirt and German Research Foundation (DFG) in the project ARADIA.

Author information

Correspondence to Stewart Sentanoe.

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Cite this paper

Sentanoe, S., Taubmann, B., Reiser, H.P. (2018). Sarracenia: Enhancing the Performance and Stealthiness of SSH Honeypots Using Virtual Machine Introspection. In: Gruschka, N. (ed.) Secure IT Systems. NordSec 2018. Lecture Notes in Computer Science, vol 11252. Springer, Cham. https://doi.org/10.1007/978-3-030-03638-6_16

  • DOI: https://doi.org/10.1007/978-3-030-03638-6_16

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-03637-9

  • Online ISBN: 978-3-030-03638-6

  • eBook Packages: Computer Science; Computer Science (R0)