DOI: 10.1145/1134760.1134765

Using VMM-based sensors to monitor honeypots

Published: 14 June 2006

ABSTRACT

Virtual Machine Monitors (VMMs) are a common tool for implementing honeypots. In this paper we examine the implementation of a VMM-based intrusion detection and monitoring system for collecting information about attacks on honeypots. We document and evaluate three designs we have implemented on two open-source virtualization platforms: User-Mode Linux and Xen. Our results show that our designs give the monitor good visibility into the system, and thus a small number of monitoring sensors can detect a large number of intrusions. In a three-month period, we were able to detect five different attacks, as well as collect and try 46 more exploits on our honeypots. All attacks were detected with only two monitoring sensors. We found that the performance overhead for monitoring such intrusions is independent of which events are being monitored, but depends entirely on the number of monitoring events and the underlying monitoring implementation. The performance overhead can be significantly improved by implementing the monitor directly in the privileged code of the VMM, though at the cost of increasing the size of the trusted computing base of the system.

Published in

VEE '06: Proceedings of the 2nd international conference on Virtual execution environments
June 2006, 194 pages
ISBN: 1595933328
DOI: 10.1145/1134760
Copyright © 2006 ACM
Publisher: Association for Computing Machinery, New York, NY, United States

Acceptance Rates

Overall acceptance rate: 80 of 235 submissions (34%)
