
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning


Network and System Security 2013


  1. Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
     Tamas K Lengyel, University of Connecticut
  2. The role of the honeypot
  3. The limitations
     Low-interaction honeypots:
     ● "Artificial" attack surface
     ● Limited information about the attacks
     ● Easily identified
     High-interaction honeypots:
     ● Complexity
     ● Maintenance
     ● High risk
  4. Hybrid honeypot
     Robin Berthier, 2006: Advanced honeypot architecture for network threats quantification
     Primarily use the low-interaction honeypot and hand the session over to a high-interaction honeypot when something "interesting" is happening.
     How do you define "interesting"?
  5. Hybrid honeynet
  6. VMI-Honeymon http://vmi-honeymon.sf.net
     ● Fidelity via Virtual Machine Introspection
       ○ LibVMI
       ○ Volatility
       ○ LibGuestFS
     ● Scalability via Virtual Machine Cloning
       ○ QEMU copy-on-write disk
       ○ Xen copy-on-write RAM
  7. Issues: clone routing
     Clones share IP and MAC address!
     ○ Post-cloning in-guest network reconfiguration should be avoided
     ○ A separate bridge/VLAN is required for each clone to avoid collisions
     ○ Honeybrid requires extra setup (iptables rules, routing tables and ip marks) to be able to route clones
  8. Network overview
  9. Clone initiated routing
  10. Memsharing results
     6207 attack sessions on clone HIHs in two weeks (single IP address)
     Windows XP SP3 x86 (128MB RAM)
     Windows 7 SP1 x86 (1GB RAM)
  11. Memsharing results
     Projected memory savings via CoW RAM
     Windows XP SP3 x86
     Windows 7 SP1 x86
  12. Future work
     ● Clone routing using Open vSwitch & OpenFlow
     ● Auto-balloon number of HIHs
     ● Mix Linux and Windows HIHs with additional software packages installed
     ● Test large-scale deployment (/24)
     ● Zazen IDS!
  13. Thank you! Questions?
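The per-clone routing problem from slides 7 and 9, as an added example that is not part of the talk or of the VMI-Honeymon and Honeybrid projects: a POSIX shell script that builds the iptables marks, conntrack mark save/restore, per-clone routing tables and ip rules a host needs to reach clones that all share one IP and MAC address. The bridge naming brN, the table numbering 100+N, the use of fwmark N as the clone selector and the address 192.0.2.10 are assumptions chosen for illustration, not the projects' own setup.

```shell
#!/bin/sh
# Added example, not code from VMI-Honeymon or Honeybrid: per-clone policy routing on the
# honeynet host for clones that all share one IP and MAC address.
# Assumptions (mine, not the slides'): clone N's tap is attached to bridge brN, the host
# forwards between the attacker-facing interface and those bridges, and Honeybrid tags
# attacker->clone packets with fwmark N. DRY_RUN=1 (the default) prints the commands
# instead of executing them, so the script can be read and checked without root.
set -eu

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One-time host setup shared by all clones.
clone_routing_common() {
    run sysctl -q -w net.ipv4.ip_forward=1
    # Give every packet of a known connection back the mark saved when the
    # connection was first seen, before the per-clone rules and the routing lookup.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
}

# clone_routing_setup <clone_index> <shared_clone_ip>
# With identical addresses, the ingress bridge is the only thing that identifies a clone
# on the host. Packets from brN get fwmark N and the mark is stored in conntrack;
# a dedicated routing table (100+N) reaches the shared IP only via brN, and an ip rule
# selects that table for fwmark N. Without the per-clone table the kernel would pick one
# bridge for the shared IP in the main table and every other clone would be unreachable.
clone_routing_setup() {
    n="$1"
    clone_ip="$2"
    br="br$n"
    table=$((100 + n))

    # Strict reverse-path filtering drops packets whose source (the shared IP) is not
    # routed back out the ingress bridge by the main table, so relax it per bridge.
    run sysctl -q -w "net.ipv4.conf.$br.rp_filter=0"

    # Classify by ingress bridge and remember the decision for the whole connection.
    run iptables -t mangle -A PREROUTING -i "$br" -j MARK --set-mark "$n"
    run iptables -t mangle -A PREROUTING -i "$br" -j CONNMARK --save-mark

    # Marked packets consult a table that knows only this clone's bridge.
    run ip route add "$clone_ip/32" dev "$br" table "$table"
    run ip rule add fwmark "$n" table "$table"
}

# Demo: three clones behind one constructed honeypot address (TEST-NET-1).
clone_routing_common
for i in 1 2 3; do
    clone_routing_setup "$i" 192.0.2.10
done
```

Run as root with DRY_RUN=0 on the honeynet host to apply the rules; the default only prints them. Each clone costs one bridge, two mangle rules, one routing table and one ip rule, which is the plumbing slide 12 proposes to replace with Open vSwitch/OpenFlow rules keyed on the ingress port.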
