Using VMM-based sensors to monitor honeypots

VEE 2006 - Proceedings of the Second International Conference on Virtual Execution Environments

Volumn 2006, Issue , 2006, Pages 13-23

  Asrigo, Kurniadi ^a   Litty, Lionel ^a   Lie, David ^a  

^a UNIVERSITY OF TORONTO   (Canada)

Author keywords

Honeypot Monitoring; IDS; Intrusion Detection; Virtual Machine Monitor

Indexed keywords

COMPUTER OPERATING SYSTEMS; COSTS; DATA ACQUISITION; VIRTUAL REALITY;

HONEYPOT MONITORING; IDS; INTRUSION DETECTION; VIRTUAL MACHINE MONITOR;

SENSORS;

EID: 33745946637     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1134760.1134765     Document Type: Conference Paper

References (27)

1. P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield. Xen and the art of virtualization. In Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP 2003), pages 164-177, Oct. 2003.
2. B. Caswell, J. Beale, J. C. Foster, and J. Faircloth. Snort 2.0 Intrusion Detection. Syngress, Feb. 2003.
3. C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of the 7th USENIX Security Symposium, pages 63-78, Jan. 1998.
4. D. Dagon, X. Qin, G. Gu, W. Lee, J. B. Grizzard, J. G. Levine, and H. L. Owen. Honeystat: Local worm detection using honeypots. In Recent Advances in Intrusion Detection: 7th International Symposium, (RAID) 2004, pages 39-58, Sept. 2004.
5. J. Dike. A user-mode port of the Linux kernel. In Proceedings of the 2000 Linux Showcase and Conference, pages 63-72, Oct. 2000.
6. J. Dike. UML as a honeypot, 2005. http://user-mode-linux.sourceforge.net/ honeypots.html.
7. G. W. Dunlap, S. T. King, S. Cinar, M. A. Basrai, and P. M. Chen. ReVirt: Enabling intrusion analysis through virtual-machine logging and replay. In Proceedings of the 5th Symposium on Operating Systems Design and Implementation (OSDI 2002), pages 211-224, Dec. 2002.
8. T. Garfinkel. Traps and pitfalls: Practical problems in system call interposition based security tools. In Proceedings of the 10th Annual Symposium on Network and Distributed System Security (NDSS 2003), pages 163-157, February 2003.
9. T. Garfinkel and M. Rosenblum. A virtual machine introspection based architecture for intrusion detection. In Proceedings of the 10th Annual Symposium on Network and Distributed System Security (NDSS 2003), pages 191-206, Feb. 2003.
10. S. A. Herrod. Using Complete Machine Simulation to Understand Computer System Behavior. PhD thesis, Stanford University, Feb. 1998.
11. G. Hoglund. A REAL NT rootkit. Phrack Magazine, 9(55), 1999. http://www.phrack.org/phrack/55/P55-05.
12. W.-M. Hu. Reducing timing channels with fuzzy time. In Proceedings of the 1991 IEEE Symposium on Security and Privacy, pages 8-20, May 1991.
13. X. Jiang and D. Xu. Collapsar: A VM-based architecture for network attack detention center. In Proceedings of the 13th USENIX Security Symposium, pages 15-28, Aug. 2004.
14. A. Joshi, S. T. King, G. W. Dunlap, and P. M. Chen. Detecting pact and present intrusions through vulnerability-specific predicates. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP 2005), pages 91-104, Oct. 2005.
15. T. Kohno, A. Broido, and K. C. Claffy. Remote physical device fingerprinting. In Proceedings of the 2005 IEEE Symposium on Security and Privacy, pages 211-225, May 2005.
16. E. Levy. Dionaea: On the automatic collection of malicious code samples through honey pot farms, 2005. Invited talk at the GASCON 2005 Workshop on Cybersecurity.
17. E. Levy. Private conversation, 2005. Symantec Corp.
18. LIDS Toolkit, 2005. http://www.lids.org.
19. P. Loscocco and S. Smalley. Integrating flexible support for security policies into the Linux operating system. In FREENIX Track of the 2001 USENIX Annual Technical Conference (FREENIX'01), pages 29-42, June 2001.
20. Metasploit, 2005. http://www.metasploit.com.
21. N. L. Petroni Jr., T. Fraser, J. Molina, and W. A. Arbaugh. Copilot - a coprocessor-based kernel runtime integrity monitor. In Proceedings of the 13th USENIX Security Symposium, pages 179-194, Aug. 2004.
22. N. Provos. A virtual honeypot framework. In Proceedings of the 13th USENIX Security Symposium, pages 1-14, Aug. 2004.
23. A. Seshadri, M. Luk, E. Shi, A. Perrig, L. van Doom, and P. Khosla. Pioneer: verifying code integrity and enforcing untampered code execution on legacy systems. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP 2005), pages 1-16, Oct. 2005.
24. L. Spitzner. Know your enemy: A forensic analysis. Technical report, Honeynet Project, May 2000. http://www.honey-net.org/papers/forensics.
25. The Honeynet Project, 2005. http://www.honeynet.org.
26. M. Vrable, J. Ma, J. Chen, D. Moore, E. Vandekieft, A. C. Snoeren, G. M. Voelker, and S. Savage. Scalability, fidelity, and containment in the Potemkin virtual honeyfarm. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP 2005), pages 148-162, Oct. 2005.
27. X. Zhang, L. van Doom, T. Jaeger, R. Perez, and R. Sailer. Secure coprocessor-based intrusion detection. In Proceedings of the 10th ACM SIGOPS European Workshop, Sept. 2002.