Virtual Machine Introspection in a Hybrid Honeypot Architecture
Tamas K. Lengyel, Justin Neumann, and Steve Maresca, University of Connecticut; Bryan D. Payne, Nebula, Inc.; Aggelos Kiayias, University of Connecticut
With the recent advent of effective and practical virtual machine introspection tools, we revisit the use of hybrid honeypots as a means to implement automated malware collection and analysis. We introduce VMI-Honeymon, a high-interaction honeypot monitor which uses virtual machine memory introspection on Xen. VMI-Honeymon remains transparent to the monitored virtual machine and bypasses reliance on the untrusted guest kernel by utilizing memory scans for state reconstruction. VMI-Honeymon builds on open-source introspection and forensics tools that provide a rich set of information about intrusion and infection processes while enabling the automatic capture of the associated malware binaries. Our experiments show that using VMI-Honeymon in a hybrid setup expands the range of malware captures and is effective in capturing both known and unclassified malware samples.
title = {Virtual Machine Introspection in a Hybrid Honeypot Architecture},
booktitle = {5th Workshop on Cyber Security Experimentation and Test (CSET 12)},
year = {2012},
address = {Bellevue, WA},
url = {https://www.usenix.org/conference/cset12/workshop-program/presentation/Lengyel},
publisher = {USENIX Association},
month = aug
}