Virtual Machine Introspection Based SSH Honeypot

Title: Virtual Machine Introspection Based SSH Honeypot
Publication Type: Conference Paper
Year of Publication: 2017
Authors: Sentanoe, Stewart; Taubmann, Benjamin; Reiser, Hans P.
Conference Name: Proceedings of the 4th Workshop on Security in Highly Connected IT Systems
Date Published: June 2017
Publisher: ACM
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-5271-0
Keywords: High-level interaction, honey pots, honeypot, human factors, pubcrawl, resilience, Resiliency, Scalability, SSH, virtual machine introspection
Abstract

A honeypot provides information about new attack and exploitation methods and allows analyzing the adversary's activities during or after exploitation. One way for an adversary to communicate with a server is via secure shell (SSH). SSH provides secure login, file transfer, X11 forwarding, and TCP/IP connections over untrusted networks. SSH is a preferred target for attacks, as it is frequently used with password-based authentication, and weak passwords are easily exploited using brute-force attacks. In this paper, we introduce a Virtual Machine Introspection based SSH honeypot. We discuss the design of the system and how to extract valuable information such as the credential used by the attacker and the entered commands. Our experiments show that the system is able to detect the adversary's activities during and after exploitation, and it has advantages compared to currently used SSH honeypot approaches.

URL: https://dl.acm.org/doi/10.1145/3099012.3099016
DOI: 10.1145/3099012.3099016
Citation Key: sentanoe_virtual_2017