A First Look: Using Linux Containers for Deceptive Honeypots

Alexander Kedrowitsch; Danfeng Yao; Gang Wang; Kirk Cameron

doi:10.1145/3140368.3140371

A First Look: Using Linux Containers for Deceptive Honeypots

Alexander Kedrowitsch, Danfeng Yao, Gang Wang, Kirk Cameron

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

The ever-increasing sophistication of malware has made malicious binary collection and analysis an absolute necessity for proactive defenses. Meanwhile, malware authors seek to harden their binaries against analysis by incorporating environment detection techniques, in order to identify if the binary is executing within a virtual environment or in the presence of monitoring tools. For security researchers, it is still an open question regarding how to remove the artifacts from virtual machines to effectively build deceptive "honeypots" for malware collection and analysis. In this paper, we explore a completely different and yet promising approach by using Linux containers. Linux containers, in theory, have minimal virtualization artifacts and are easily deployable on low-power devices. Our work performs the first controlled experiments to compare Linux containers with bare metal and 5 major types of virtual machines. We seek to measure the deception capabilities offered by Linux containers to defeat mainstream virtual environment detection techniques. In addition, we empirically explore the potential weaknesses in Linux containers to help defenders to make more informed design decisions.

Original language	English (US)
Title of host publication	SafeConfig 2017 - Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense, co-located with CCS 2017
Publisher	Association for Computing Machinery
Pages	15-22
Number of pages	8
ISBN (Electronic)	9781450352031
DOIs	https://doi.org/10.1145/3140368.3140371
State	Published - Nov 3 2017
Externally published	Yes
Event	10th Workshop on Automated Decision Making for Active Cyber Defense, SafeConfig 2017 - Dallas, United States Duration: Nov 3 2017 → …

Conference

Conference	10th Workshop on Automated Decision Making for Active Cyber Defense, SafeConfig 2017
Country/Territory	United States
City	Dallas
Period	11/3/17 → …

Keywords

Deception
Honeypots
Linux Containers
Virtual Machine

ASJC Scopus subject areas

Artificial Intelligence
Computational Theory and Mathematics
Computer Science Applications

Online availability

10.1145/3140368.3140371

Library availability

Discover UIUC Full Text

Cite this

A First Look: Using Linux Containers for Deceptive Honeypots. / Kedrowitsch, Alexander; Yao, Danfeng; Wang, Gang et al.
SafeConfig 2017 - Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense, co-located with CCS 2017. Association for Computing Machinery, 2017. p. 15-22.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Kedrowitsch, A, Yao, D, Wang, G & Cameron, K 2017, A First Look: Using Linux Containers for Deceptive Honeypots. in SafeConfig 2017 - Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense, co-located with CCS 2017. Association for Computing Machinery, pp. 15-22, 10th Workshop on Automated Decision Making for Active Cyber Defense, SafeConfig 2017, Dallas, United States, 11/3/17. https://doi.org/10.1145/3140368.3140371

@inproceedings{de45d1ccfcf848eeb376b178dc0fff47,

title = "A First Look: Using Linux Containers for Deceptive Honeypots",

abstract = "The ever-increasing sophistication of malware has made malicious binary collection and analysis an absolute necessity for proactive defenses. Meanwhile, malware authors seek to harden their binaries against analysis by incorporating environment detection techniques, in order to identify if the binary is executing within a virtual environment or in the presence of monitoring tools. For security researchers, it is still an open question regarding how to remove the artifacts from virtual machines to effectively build deceptive {"}honeypots{"} for malware collection and analysis. In this paper, we explore a completely different and yet promising approach by using Linux containers. Linux containers, in theory, have minimal virtualization artifacts and are easily deployable on low-power devices. Our work performs the first controlled experiments to compare Linux containers with bare metal and 5 major types of virtual machines. We seek to measure the deception capabilities offered by Linux containers to defeat mainstream virtual environment detection techniques. In addition, we empirically explore the potential weaknesses in Linux containers to help defenders to make more informed design decisions.",

keywords = "Deception, Honeypots, Linux Containers, Virtual Machine",

author = "Alexander Kedrowitsch and Danfeng Yao and Gang Wang and Kirk Cameron",

note = "Funding Information: This work has been supported in part by NSF grants CNS-1565314 and CNS-1717028. Publisher Copyright: {\textcopyright} 2017 Association for Computing Machinery.; 10th Workshop on Automated Decision Making for Active Cyber Defense, SafeConfig 2017 ; Conference date: 03-11-2017",

year = "2017",

month = nov,

day = "3",

doi = "10.1145/3140368.3140371",

language = "English (US)",

pages = "15--22",

booktitle = "SafeConfig 2017 - Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense, co-located with CCS 2017",

publisher = "Association for Computing Machinery",

address = "United States",

}

TY - GEN

T1 - A First Look: Using Linux Containers for Deceptive Honeypots

AU - Kedrowitsch, Alexander

AU - Yao, Danfeng

AU - Wang, Gang

AU - Cameron, Kirk

PY - 2017/11/3

Y1 - 2017/11/3

N2 - The ever-increasing sophistication of malware has made malicious binary collection and analysis an absolute necessity for proactive defenses. Meanwhile, malware authors seek to harden their binaries against analysis by incorporating environment detection techniques, in order to identify if the binary is executing within a virtual environment or in the presence of monitoring tools. For security researchers, it is still an open question regarding how to remove the artifacts from virtual machines to effectively build deceptive "honeypots" for malware collection and analysis. In this paper, we explore a completely different and yet promising approach by using Linux containers. Linux containers, in theory, have minimal virtualization artifacts and are easily deployable on low-power devices. Our work performs the first controlled experiments to compare Linux containers with bare metal and 5 major types of virtual machines. We seek to measure the deception capabilities offered by Linux containers to defeat mainstream virtual environment detection techniques. In addition, we empirically explore the potential weaknesses in Linux containers to help defenders to make more informed design decisions.

AB - The ever-increasing sophistication of malware has made malicious binary collection and analysis an absolute necessity for proactive defenses. Meanwhile, malware authors seek to harden their binaries against analysis by incorporating environment detection techniques, in order to identify if the binary is executing within a virtual environment or in the presence of monitoring tools. For security researchers, it is still an open question regarding how to remove the artifacts from virtual machines to effectively build deceptive "honeypots" for malware collection and analysis. In this paper, we explore a completely different and yet promising approach by using Linux containers. Linux containers, in theory, have minimal virtualization artifacts and are easily deployable on low-power devices. Our work performs the first controlled experiments to compare Linux containers with bare metal and 5 major types of virtual machines. We seek to measure the deception capabilities offered by Linux containers to defeat mainstream virtual environment detection techniques. In addition, we empirically explore the potential weaknesses in Linux containers to help defenders to make more informed design decisions.

KW - Deception

KW - Honeypots

KW - Linux Containers

KW - Virtual Machine

UR - http://www.scopus.com/inward/record.url?scp=85037117661&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85037117661&partnerID=8YFLogxK

U2 - 10.1145/3140368.3140371

DO - 10.1145/3140368.3140371

M3 - Conference contribution

AN - SCOPUS:85037117661

SP - 15

EP - 22

BT - SafeConfig 2017 - Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense, co-located with CCS 2017

PB - Association for Computing Machinery

T2 - 10th Workshop on Automated Decision Making for Active Cyber Defense, SafeConfig 2017

Y2 - 3 November 2017

ER -

A First Look: Using Linux Containers for Deceptive Honeypots

Abstract

Conference

Keywords

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this