A first look: Using linux containers for deceptive honeypots

Alexander Kedrowitsch, Danfeng Yao, Gang Wang, Kirk Cameron

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

The ever-increasing sophistication of malware has made malicious binary collection and analysis an absolute necessity for proactive defenses. Meanwhile, malware authors seek to harden their binaries against analysis by incorporating environment detection techniques, in order to identify if the binary is executing within a virtual environment or in the presence of monitoring tools. For security researchers, it is still an open question regarding how to remove the artifacts from virtual machines to effectively build deceptive "honeypots" for malware collection and analysis. In this paper, we explore a completely different and yet promising approach by using Linux containers. Linux containers, in theory, have minimal virtualization artifacts and are easily deployable on low-power devices. Our work performs the first controlled experiments to compare Linux containers with bare metal and 5 major types of virtual machines. We seek to measure the deception capabilities offered by Linux containers to defeat mainstream virtual environment detection techniques. In addition, we empirically explore the potential weaknesses in Linux containers to help defenders to make more informed design decisions.

Original languageEnglish (US)
Title of host publicationSafeConfig 2017 - Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense, co-located with CCS 2017
PublisherAssociation for Computing Machinery, Inc
Pages15-22
Number of pages8
ISBN (Electronic)9781450352031
DOIs
StatePublished - Nov 3 2017
Externally publishedYes
Event10th Workshop on Automated Decision Making for Active Cyber Defense, SafeConfig 2017 - Dallas, United States
Duration: Nov 3 2017 → …

Publication series

NameSafeConfig 2017 - Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense, co-located with CCS 2017

Conference

Conference10th Workshop on Automated Decision Making for Active Cyber Defense, SafeConfig 2017
CountryUnited States
CityDallas
Period11/3/17 → …

Keywords

  • Deception
  • Honeypots
  • Linux Containers
  • Virtual Machine

ASJC Scopus subject areas

  • Artificial Intelligence
  • Computational Theory and Mathematics
  • Computer Science Applications

Fingerprint Dive into the research topics of 'A first look: Using linux containers for deceptive honeypots'. Together they form a unique fingerprint.

Cite this