Virtual Machine Introspection Based SSH Honeypot
Title | Virtual Machine Introspection Based SSH Honeypot |
Publication Type | Conference Paper |
Year of Publication | 2017 |
Authors | Sentanoe, Stewart; Taubmann, Benjamin; Reiser, Hans P. |
Conference Name | Proceedings of the 4th Workshop on Security in Highly Connected IT Systems |
Date Published | June 2017 |
Publisher | ACM |
Conference Location | New York, NY, USA |
ISBN Number | 978-1-4503-5271-0 |
Keywords | High-level interaction, honey pots, honeypot, human factors, pubcrawl, resilience, Resiliency, Scalability, SSH, virtual machine introspection |
Abstract | A honeypot provides information about the new attack and exploitation methods and allows analyzing the adversary's activities during or after exploitation. One way of an adversary to communicate with a server is via secure shell (SSH). SSH provides secure login, file transfer, X11 forwarding, and TCP/IP connections over untrusted networks. SSH is a preferred target for attacks, as it is frequently used with password-based authentication, and weak passwords are easily exploited using brute-force attacks. In this paper, we introduce a Virtual Machine Introspection based SSH honeypot. We discuss the design of the system and how to extract valuable information such as the credential used by the attacker and the entered commands. Our experiments show that the system is able to detect the adversary's activities during and after exploitation, and it has advantages compared to currently used SSH honeypot approaches. |
URL | https://dl.acm.org/doi/10.1145/3099012.3099016 |
DOI | 10.1145/3099012.3099016 |
Citation Key | sentanoe_virtual_2017 |