Virtual Machine Introspection in a Hybrid Honeypot Architecture.

CSET'12: Proceedings of the 5th USENIX Conference on Cyber Security Experimentation and Test (2012)

With the recent advent of effective and practical virtual machine introspection tools, we revisit the use of hybrid honeypots as a means to implement automated malware collection and analysis. We introduce VMI-Honeymon, a high-interaction honeypot monitor which uses virtual machine memory introspection on Xen. VMI-Honeymon remains transparent to the monitored virtual machine and bypasses reliance on the untrusted guest kernel by utilizing memory scans for state reconstruction. VMI-Honeymon builds on open-source introspection and forensics tools that provide a rich set of information about intrusion and infection processes while enabling the automatic capture of the associated malware binaries. Our experiments show that using VMI-Honeymon in a hybrid setup expands the range of malware captures and is effective in capturing both known and unclassified malware samples.
Keywords: associated malware binary, malware capture, malware collection, unclassified malware sample, monitored virtual machine, open-source introspection, practical virtual machine introspection, virtual machine memory introspection, hybrid honeypots, hybrid setup, hybrid honeypot architecture