A Survey on Anti-honeypot and Anti-introspection Methods

Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 570)

Abstract

Modern virtual machines, debuggers, and sandboxing solutions lend themselves to increasingly inconspicuous ways of running honeypots and of observing and analyzing malware and other malicious activity. This analysis yields valuable data for threat assessment, malware identification and prevention. However, the use of such introspection methods has led malware authors to create malicious programs that are able to detect and evade such environments. This paper presents an overview of existing research on anti-honeypot and anti-introspection methods. We also propose our own taxonomy of the detection vectors used by malware.

The authors gratefully acknowledge Tekes – the Finnish Funding Agency for Innovation, DIMECC Oy and Cyber Trust research program for their support.

Correspondence to Sampsa Rauti.

Copyright information

© 2017 Springer International Publishing AG

Cite this paper

Uitto, J., Rauti, S., Laurén, S., Leppänen, V. (2017). A Survey on Anti-honeypot and Anti-introspection Methods. In: Rocha, Á., Correia, A., Adeli, H., Reis, L., Costanzo, S. (eds) Recent Advances in Information Systems and Technologies. WorldCIST 2017. Advances in Intelligent Systems and Computing, vol 570. Springer, Cham. https://doi.org/10.1007/978-3-319-56538-5_13

  • DOI: https://doi.org/10.1007/978-3-319-56538-5_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-56537-8

  • Online ISBN: 978-3-319-56538-5

  • eBook Packages: Engineering (R0)