Data Analytics Layer For high-interaction Honeypots
Title | Data Analytics Layer For high-interaction Honeypots |
Publication Type | Conference Paper |
Year of Publication | 2019 |
Authors | Khan, Iqra, Durad, Hanif, Alam, Masoom |
Conference Name | 2019 16th International Bhurban Conference on Applied Sciences and Technology (IBCAST) |
Date Published | jan |
Publisher | IEEE |
ISBN Number | 978-1-5386-7729-2 |
Keywords | cloud computing, cloud computing paradigm, computer systems security, Data analysis, data analytics layer, high-interaction honeypots, honey pots, honeypot, human factors, hyper-visor based security services, intrusion detection system, invasive software, IOCs, IOCs (Indicators of compromise), Kernel-based Virtual Machine (KVM), KVM, LibVMI, Linux, Linux based hypervisor, live VMs, Malware, malware attack, Monitoring, Organizations, pubcrawl, Resiliency, Scalability, STIX, STIX (Structure Threat Information Expression), structure threat information expression, virtual honeypots, virtual machine introspection, Virtual machine monitors, virtual machine security, virtual machines, Virtual machining, virtualisation, virtualization, virtualization rejuvenation, VMI (Virtual machine introspection), VMM, volatility plug-ins |
Abstract | Security of VMs is now becoming a hot topic due to their outsourcing in the cloud computing paradigm. All VMs present on the network are connected to each other, making exploited VMs a danger to other VMs and a threat to the organization. The rejuvenation of virtualization brought the emergence of hypervisor-based security services like VMI (Virtual machine introspection), as there is a greater chance of any intrusion detection system running on the same system being disabled by the malware or attacker. Monitoring of VMs using VMI is one of the most researched and accepted techniques used to ensure computer systems security, mostly in the paradigm of cloud computing. This thesis presents a work that integrates LibVMI with Volatility on KVM, a Linux based hypervisor, to introspect the memory of VMs. Both of these tools are used to monitor the state of live VMs. The VMI capability of monitoring VMs is combined with malware analysis and virtual honeypots to achieve the objective of this project. A testing environment is deployed, where a network of VMs is introspected using Volatility plug-ins. The execution time of each plug-in executed on live VMs is calculated to observe the performance of Volatility plug-ins. All these VMs are deployed as virtual honeypots, having honey-pots configured on them, which is used as a detection mechanism to trigger alerts when some malware attacks the VMs. Using STIX (Structure Threat Information Expression), extracted IOCs are converted into an understandable, flexible, structured and shareable format. |
URL | https://ieeexplore.ieee.org/document/8667132 |
DOI | 10.1109/IBCAST.2019.8667132 |
Citation Key | khan_data_2019 |