NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
3. The limitations
Low-interaction honeypots:
● "Artificial" attack surface
● Limited information about the attacks
● Easily identified
High-interaction honeypots:
● Complexity
● Maintenance
● High risk
4. Hybrid honeypot
Robin Berthier, 2006: Advanced honeypot architecture for network threats quantification
Primarily use the low-interaction honeypot and utilize a high-interaction honeypot when something "interesting" is happening.
How do you define "interesting"?
6. VMI-Honeymon http://vmi-honeymon.sf.net
● Fidelity via Virtual Machine Introspection
○ LibVMI
○ Volatility
○ LibGuestFS
● Scalability via Virtual Machine Cloning
○ QEMU copy-on-write disk
○ Xen copy-on-write RAM
7. Issues: clone routing
Clones share IP and MAC address!
○ Post-cloning in-guest network reconfiguration should be avoided
○ Separate bridge/VLAN required for each clone to avoid collision
○ Honeybrid requires extra setup (iptables rules, routing tables & ip marks) to be able to route clones
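The slide lists the constraints but not a concrete layout, so here is an added example (not code from VMI-Honeymon or Honeybrid) that plans one bridge per clone and reaches each clone through its own fwmark and routing table, and that detects the collision you get when clones with identical IP and MAC land on the same bridge. The numbering scheme (bridge per clone, mark equal to table equal to base+i), the use of CONNMARK to carry a per-session mark chosen by the redirector, and the sample clone addresses are assumptions made for illustration; commands are returned as strings, not executed.

```python
"""Plan per-clone L2 isolation and policy routing for honeynet clones.

Added example, not part of the slides or of the VMI-Honeymon/Honeybrid
projects. The bridge/mark/table numbering and the CONNMARK hand-off are
assumptions for illustration; nothing here is executed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Clone:
    name: str
    ip: str   # identical across clones: they are copy-on-write copies of one origin VM
    mac: str  # identical as well, since in-guest reconfiguration is to be avoided


def plan_clone_routing(clones, base=100):
    """Return bridge names, fwmarks and the commands that would isolate every
    clone on its own bridge and route to it via its own table.

    Assumed scheme: clone i gets bridge "br-<name>", fwmark base+i and routing
    table base+i. The redirector (Honeybrid in the slides) is assumed to set a
    per-connection CONNMARK; how it picks the clone is outside this example.
    """
    bridges, marks, commands = {}, {}, []
    # One global rule: copy the per-connection mark back onto each packet so the
    # policy-routing rules below can see it.
    commands.append("iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark")
    for i, c in enumerate(clones):
        br, mark = f"br-{c.name}", base + i
        bridges[c.name], marks[c.name] = br, mark
        commands += [
            # separate bridge per clone: the shared MAC never appears twice on one segment
            f"ip link add name {br} type bridge",
            f"ip link set dev {br} up",
            # policy routing: packets carrying this clone's mark consult its own table ...
            f"ip rule add fwmark {mark} table {mark}",
            # ... in which the shared IP resolves to this clone's bridge only
            f"ip route add {c.ip}/32 dev {br} table {mark}",
        ]
    return {"bridges": bridges, "marks": marks, "commands": commands}


def collisions(assignment, clones):
    """Return the sorted list of bridges on which two or more clones share both
    IP and MAC; `assignment` maps clone name to bridge name."""
    seen = defaultdict(set)
    bad = set()
    for c in clones:
        key = (c.ip.lower(), c.mac.lower())
        br = assignment[c.name]
        if key in seen[br]:
            bad.add(br)
        seen[br].add(key)
    return sorted(bad)


if __name__ == "__main__":
    # Constructed sample: two clones of the same origin, hence identical IP/MAC.
    sample = [
        Clone("clone1", "10.0.0.5", "00:16:3e:aa:bb:cc"),
        Clone("clone2", "10.0.0.5", "00:16:3e:aa:bb:cc"),
    ]
    naive = {c.name: "br0" for c in sample}          # everything on one bridge
    print("naive collisions:", collisions(naive, sample))
    plan = plan_clone_routing(sample)
    print("isolated collisions:", collisions(plan["bridges"], sample))
    print("\n".join(plan["commands"]))
```

The collision check is what you would run against any hand-written bridge layout before bringing clones up; the planner is only one way to satisfy the "separate bridge per clone" requirement the slide states.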
10. Memsharing results
6207 attack sessions on clone HIHs in two weeks (single IP address)
[Chart: Windows XP SP3 x86 (128MB RAM) vs. Windows 7 SP1 x86 (1GB RAM)]
11. Memsharing results
Projected memory savings via CoW RAM
[Chart: Windows XP SP3 x86 vs. Windows 7 SP1 x86]
12. Future work
● Clone routing using Open vSwitch & OpenFlow
● Auto-balloon number of HIHs
● Mix Linux and Windows HIHs with additional software packages installed
● Test large-scale deployment (/24)
● Zazen IDS!