NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning

Tamas K Lengyel, Senior Security Researcher at Intel Corporation
Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
Tamas K Lengyel
University of Connecticut
The role of the honeypot
The limitations 
Low-interaction honeypots: 
● "Artificial" attack surface 
● Limited information about the attacks 
● Easily identified 
High-interaction honeypots: 
● Complexity 
● Maintenance 
● High risk
Hybrid honeypot
Robin Berthier, 2006: Advanced honeypot architecture for network threats quantification
Primarily use the low-interaction honeypot and utilize a high-interaction honeypot when something "interesting" is happening.
How do you define "interesting"?
Hybrid honeynet
VMI-Honeymon http://vmi-honeymon.sf.net 
● Fidelity via Virtual Machine Introspection 
○ LibVMI 
○ Volatility 
○ LibGuestFS 
● Scalability via Virtual Machine Cloning 
○ QEMU copy-on-write disk 
○ Xen copy-on-write RAM
Issues: clone routing
Clones share IP and MAC address!
○ Post-cloning in-guest network reconfiguration should be avoided
○ Separate bridge/VLAN required for each clone to avoid collision
○ Honeybrid requires extra setup (iptables rules, routing tables & ip marks) to be able to route clones
Network overview
Clone initiated routing
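The per-clone isolation described on the clone routing slide, as an added example in POSIX shell that is not code from the slides or from the VMI-Honeymon or Honeybrid projects: it emits the host-side commands that put clone N on its own bridge and route traffic carrying fwmark N to it through its own routing table. The bridge prefix, table numbering, the tap device name and the assumption that the redirector (Honeybrid) sets the mark are assumptions, not the page's.

```shell
# Added example (not from the slides, VMI-Honeymon or Honeybrid).
# HIH clones come up with the same IP and MAC address, so they must not share
# a bridge: each clone gets its own bridge and its own routing table, and the
# redirector is assumed to mark a session with the clone id it belongs to.
# Bridge prefix, table base and device names are assumptions for illustration.

BRIDGE_PREFIX=hbr   # assumed: one bridge per clone, named hbr<N>
TABLE_BASE=100      # assumed: routing table number = TABLE_BASE + clone id

# valid_clone_id N -> succeeds only for a positive integer small enough that
# TABLE_BASE + N stays clear of the reserved tables 253-255
valid_clone_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 150 ]
}

# clone_routing_cmds N TAP CLONE_IP -> prints the commands for clone N.
# TAP is the clone's host-side tap/vif device (Xen-style name assumed),
# CLONE_IP is the address every clone shares.
clone_routing_cmds() {
    n="$1"; tap="$2"; ip="$3"
    valid_clone_id "$n" || { echo "bad clone id: $n" >&2; return 1; }
    br="${BRIDGE_PREFIX}${n}"
    tbl=$((TABLE_BASE + n))
    cat <<EOF
ip link add name ${br} type bridge
ip link set ${tap} master ${br}
ip link set ${br} up
ip link set ${tap} up
ip route add ${ip}/32 dev ${br} table ${tbl}
ip rule add fwmark ${n} lookup ${tbl}
EOF
}

# apply_clone_routing N TAP CLONE_IP -> runs the commands (needs root);
# sh -e stops at the first failing command so a half-built setup is visible
apply_clone_routing() {
    clone_routing_cmds "$@" | sh -e
}

# bridge_for N -> name of the bridge clone N is isolated on
bridge_for() {
    printf '%s%s\n' "$BRIDGE_PREFIX" "$1"
}
```

Because the shared address is only ever reachable through one bridge per table, the host's neighbour cache sees one MAC per interface and the clones never collide with each other.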
Memsharing results
6207 attack sessions on clone HIHs in two weeks (single IP address)
Windows XP SP3 x86 (128MB RAM)
Windows 7 SP1 x86 (1GB RAM)
Memsharing results
Projected memory savings via CoW RAM
Windows XP SP3 x86
Windows 7 SP1 x86
Future work
● Clone routing using Open vSwitch & OpenFlow
● Auto-balloon number of HIHs
● Mix Linux and Windows HIHs with additional software packages installed
● Test large-scale deployment (/24)
● Zazen IDS!
Thank you! 
Questions?