
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning

Network and System Security 2013


  1. Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
     Tamas K Lengyel, University of Connecticut
  2. The role of the honeypot
  3. The limitations
     Low-interaction honeypots:
     ● "Artificial" attack surface
     ● Limited information about the attacks
     ● Easily identified
     High-interaction honeypots:
     ● Complexity
     ● Maintenance
     ● High risk
  4. Hybrid honeypot
     Robin Berthier, 2006: Advanced honeypot architecture for network threats quantification
     Primarily use the low-interaction honeypot and switch to a high-interaction honeypot only when something "interesting" is happening. How do you define "interesting"?
  5. Hybrid honeynet
  6. VMI-Honeymon (http://vmi-honeymon.sf.net)
     ● Fidelity via Virtual Machine Introspection
       ○ LibVMI
       ○ Volatility
       ○ LibGuestFS
     ● Scalability via Virtual Machine Cloning
       ○ QEMU copy-on-write disk
       ○ Xen copy-on-write RAM
  7. Issues: clone routing
     Clones share the master's IP and MAC address!
     ○ Post-cloning in-guest network reconfiguration should be avoided
     ○ A separate bridge/VLAN is required for each clone to avoid collisions
     ○ Honeybrid requires extra setup (iptables rules, routing tables and ip marks) to be able to route traffic to clones
  8. Network overview
  9. Clone-initiated routing
  10. Memsharing results
     6207 attack sessions on clone HIHs in two weeks (single IP address)
     Windows XP SP3 x86 (128 MB RAM)
     Windows 7 SP1 x86 (1 GB RAM)
  11. Memsharing results
     Projected memory savings via CoW RAM: Windows XP SP3 x86, Windows 7 SP1 x86
  12. Future work
     ● Clone routing using Open vSwitch & OpenFlow
     ● Auto-balloon the number of HIHs
     ● Mix Linux and Windows HIHs with additional software packages installed
     ● Test large-scale deployment (/24)
     ● Zazen IDS!
  13. Thank you! Questions?
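The two design points the deck raises, the hybrid hand-off rule from slide 4 ("when does a session become interesting enough to leave the low-interaction honeypot?") and the clone-routing constraint from slide 7 (every clone shares the master's IP and MAC, so each needs its own bridge/VLAN and a firewall mark for the front-end to pick it), are shown together in the following Python illustration. It is an added example written for this page, not VMI-Honeymon or Honeybrid code. Everything in it is an assumption for illustration: the LIH is modelled as emitting a list of event names per session, "interesting" is defined as a command/upload or activity after a successful login on the emulated service, and the HIH pool, VLAN range and attacker addresses are constructed sample values.

```python
"""Toy hybrid-honeynet dispatcher (added illustration, not VMI-Honeymon code).

Assumptions, none of which come from the slides: the low-interaction honeypot
(LIH) reports each session as a list of event names; a fixed pool of cloned
high-interaction honeypots (HIHs) exists; "interesting" means the attacker got
past the emulated surface. Because every clone shares the master's IP and MAC
address, each clone is pinned to its own VLAN and a firewall mark so the
front-end can route to exactly one of them without address collisions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Event names the hypothetical LIH emits that justify an HIH hand-off.
ESCALATING_EVENTS = {"exec", "upload"}


@dataclass
class Session:
    attacker_ip: str
    dst_port: int
    events: List[str] = field(default_factory=list)


@dataclass
class Route:
    clone_id: str
    vlan_id: int   # one VLAN per clone: clones share IP and MAC
    fwmark: int    # mark the front-end uses to select this clone's routing table


def is_interesting(session: Session) -> bool:
    """Hand-off rule: a command/upload, or any activity after a successful login."""
    if ESCALATING_EVENTS & set(session.events):
        return True
    if "login_ok" in session.events:
        return session.events.index("login_ok") < len(session.events) - 1
    return False


class CloneRouter:
    """Allocates one cloned HIH plus a unique VLAN/fwmark per attacker address."""

    def __init__(self, clone_ids: List[str], first_vlan: int = 100):
        self._free = list(clone_ids)
        self._first_vlan = first_vlan
        self._routes: Dict[str, Route] = {}
        self._used_vlans: Set[int] = set()

    def route_for(self, attacker_ip: str) -> Optional[Route]:
        if attacker_ip in self._routes:      # sticky: same attacker, same clone
            return self._routes[attacker_ip]
        if not self._free:
            return None                      # pool exhausted: stay on the LIH
        clone_id = self._free.pop(0)
        vlan = self._first_vlan
        while vlan in self._used_vlans:      # never reuse a VLAN that is live
            vlan += 1
        self._used_vlans.add(vlan)
        route = Route(clone_id, vlan, fwmark=vlan)
        self._routes[attacker_ip] = route
        return route

    def release(self, attacker_ip: str) -> None:
        """Return the clone and its VLAN to the pool once the session ends."""
        route = self._routes.pop(attacker_ip, None)
        if route:
            self._used_vlans.discard(route.vlan_id)
            self._free.append(route.clone_id)


class HybridHoneynet:
    def __init__(self, router: CloneRouter):
        self.router = router
        self.log: List[str] = []

    def handle(self, session: Session) -> str:
        """Return 'LIH' or 'HIH:<clone>' for where this session is served."""
        if not is_interesting(session):
            self.log.append(f"{session.attacker_ip} stays on LIH")
            return "LIH"
        route = self.router.route_for(session.attacker_ip)
        if route is None:
            self.log.append(f"{session.attacker_ip} interesting but no free HIH clone")
            return "LIH"
        self.log.append(f"{session.attacker_ip} -> {route.clone_id} "
                        f"VLAN {route.vlan_id} fwmark {route.fwmark}")
        return f"HIH:{route.clone_id}"


def demo() -> List[str]:
    """Constructed sample sessions run through a two-clone pool."""
    net = HybridHoneynet(CloneRouter(["xp-clone-1", "xp-clone-2"]))
    sessions = [
        Session("198.51.100.7", 22, ["login_fail", "login_fail"]),   # scanner noise
        Session("198.51.100.8", 22, ["login_ok", "exec"]),           # gets a clone
        Session("198.51.100.9", 445, ["upload"]),                    # second clone
        Session("198.51.100.10", 22, ["exec"]),                      # pool exhausted
    ]
    return [net.handle(s) for s in sessions]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The sticky mapping from attacker address to clone matters because the deck's clones are indistinguishable at layer 2 and 3; the router, not the guest, is the only place where the distinction exists, which is why the slide warns against in-guest reconfiguration.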
