ABSTRACT
Virtual Machine Monitors (VMMs) are a common tool for implementing honeypots. In this paper we examine the implementation of a VMM-based intrusion detection and monitoring system for collecting information about attacks on honeypots. We document and evaluate three designs we have implemented on two open-source virtualization platforms: User-Mode Linux and Xen. Our results show that our designs give the monitor good visibility into the system and thus, a small number of monitoring sensors can detect a large number of intrusions. In a three month period, we were able to detect five different attacks, as well as collect and try 46 more exploits on our honeypots. All attacks were detected with only two monitoring sensors. We found that the performance overhead for monitoring such intrusions is independent of which events are being monitored, but depends entirely on the number of monitoring events and the underlying monitoring implementation. The performance overhead can be significantly improved by implementing the monitor directly in the privileged code of the VMM, though at the cost of increasing the size of the trusted computing base of the system.
- P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield. Xen and the art of virtualization. In Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP 2003), pages 164--177, Oct. 2003. Google Scholar
Digital Library
- B. Caswell, J. Beale, J. C. Foster, and J. Faircloth. Snort 2.0 Intrusion Detection. Syngress, Feb. 2003. Google Scholar
Digital Library
- C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of the 7th USENIX Security Symposium, pages 63--78, Jan. 1998. Google Scholar
Digital Library
- D. Dagon, X. Qin, G. Gu, W. Lee, J. B. Grizzard, J. G. Levine, and H. L. Owen. Honeystat: Local worm detection using honeypots. In Recent Advances in Intrusion Detection: 7th International Symposium, (RAID) 2004, pages 39--58, Sept. 2004.Google Scholar
Cross Ref
- J. Dike. A user-mode port of the Linux kernel. In Proceedings of the 2000 Linux Showcase and Conference, pages 63--72, Oct. 2000. Google Scholar
Digital Library
- J. Dike. UML as a honeypot, 2005. http://user-mode-linux.sourceforge.net/honeypots.html.Google Scholar
- G. W. Dunlap, S. T. King, S. Cinar, M. A. Basrai, and P. M. Chen. ReVirt: Enabling intrusion analysis through virtual-machine logging and replay. In Proceedings of the 5th Symposium on Operating Systems Design and Implementation (OSDI 2002), pages 211--224, Dec. 2002. Google Scholar
Digital Library
- T. Garfinkel. Traps and pitfalls: Practical problems in system call interposition based security tools. In Proceedings of the 10th Annual Symposium on Network and Distributed System Security (NDSS 2003), pages 163--157, February 2003.Google Scholar
- T. Garfinkel and M. Rosenblum. A virtual machine introspection based architecture for intrusion detection. In Proceedings of the 10th Annual Symposium on Network and Distributed System Security (NDSS 2003), pages 191--206, Feb. 2003.Google Scholar
- S. A. Herrod. Using Complete Machine Simulation to Understand Computer System Behavior. PhD thesis, Stanford University, Feb. 1998. Google Scholar
Digital Library
- G. Hoglund. A REAL NT rootkit. Phrack Magazine, 9(55), 1999. http://www.phrack.org/phrack/55/P55-05.Google Scholar
- W.-M. Hu. Reducing timing channels with fuzzy time. In Proceedings of the 1991 IEEE Symposium on Security and Privacy, pages 8--20, May 1991.Google Scholar
Cross Ref
- X. Jiang and D. Xu. Collapsar: A VM-based architecture for network attack detention center. In Proceedings of the 13th USENIX Security Symposium, pages 15--28, Aug. 2004. Google Scholar
Digital Library
- A. Joshi, S. T. King, G. W. Dunlap, and P. M. Chen. Detecting past and present intrusions through vulnerability-specific predicates. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP 2005), pages 91--104, Oct. 2005. Google Scholar
Digital Library
- T. Kohno, A. Broido, and K. C. Claffy. Remote physical device fingerprinting. In Proceedings of the 2005 IEEE Symposium on Security and Privacy, pages 211--225, May 2005. Google Scholar
Digital Library
- E. Levy. Dionaea: On the automatic collection of malicious code samples through honey pot farms, 2005. Invited talk at the CASCON 2005 Workshop on Cybersecurity.Google Scholar
- E. Levy. Private conversation, 2005. Symantec Corp.Google Scholar
- LIDS Toolkit, 2005. http://www.lids.org.Google Scholar
- P. Loscocco and S. Smalley. Integrating flexible support for security policies into the Linux operating system. In FREENIX Track of the 2001 USENIX Annual Technical Conference (FREENIX'01), pages 29--42, June 2001. Google Scholar
Digital Library
- Metasploit, 2005. http://www.metasploit.com.Google Scholar
- N. L. Petroni Jr., T. Fraser, J. Molina, and W. A. Arbaugh. Copilot--a coprocessor-based kernel runtime integrity monitor. In Proceedings of the 13th USENIX Security Symposium, pages 179--194, Aug. 2004. Google Scholar
Digital Library
- N. Provos. A virtual honeypot framework. In Proceedings of the 13th USENIX Security Symposium, pages 1--14, Aug. 2004. Google Scholar
Digital Library
- A. Seshadri, M. Luk, E. Shi, A. Perrig, L. van Doorn, and P. Khosla. Pioneer: verifying code integrity and enforcing untampered code execution on legacy systems. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP 2005), pages 1--16, Oct. 2005. Google Scholar
Digital Library
- L. Spitzner. Know your enemy: A forensic analysis. Technical report, Honeynet Project, May 2000. http://www.honeynet.org/papers/forensics.Google Scholar
- The Honeynet Project, 2005. http://www.honeynet.org.Google Scholar
- M. Vrable, J. Ma, J. Chen, D. Moore, E. Vandekieft, A. C. Snoeren, G. M. Voelker, and S. Savage. Scalability, fidelity, and containment in the Potemkin virtual honeyfarm. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP 2005), pages 148--162, Oct. 2005. Google Scholar
Digital Library
- X. Zhang, L. van Doorn, T. Jaeger, R. Perez, and R. Sailer. Secure coprocessor-based intrusion detection. In Proceedings of the 10th ACM SIGOPS European Workshop, Sept. 2002. Google Scholar
Digital Library
Index Terms
Using VMM-based sensors to monitor honeypots
Recommendations
Virtual machine monitor-based lightweight intrusion detection
As virtualization technology gains in popularity, so do attempts to compromise the security and integrity of virtualized computing resources. Anti-virus software and firewall programs are typically deployed in the guest virtual machine to detect ...
A Low Overhead and Reliable Nested Virtualization VMM for Cloud Computing
WISA '13: Proceedings of the 2013 10th Web Information System and Application ConferenceCommodity operating systems have already gained functionality of virtual machine monitor. Nested virtualization is needed to run these commodity operating systems as virtual machines. Furthermore, with nested virtualization technology, users can run a ...
Implementing a Hybrid Virtual Machine Monitor for Flexible and Efficient Security Mechanisms
PRDC '10: Proceedings of the 2010 IEEE 16th Pacific Rim International Symposium on Dependable ComputingVirtual machine monitors (VMMs) have emerged as potential tools %% are one of the promising approaches for implementing security mechanisms to enhance the security and/or reliability of software systems. There are two approaches to implementing VMMs. ...






Comments