Detecting indicators of deception in emulated monitoring systems

  • Special Issue Paper
  • Journal: Service Oriented Computing and Applications

Abstract

The attack surface available to threat actors has grown, and with it the volume of cyber attacks: malware infections, botnet activity and intruder access to systems the attacker is not authorised to use. Security researchers and analysts run instrumented computer systems to observe and analyse these threats so that they can protect their data. Honeypots, virtual machines, sandboxes and debuggers are the main tools in this class, and we refer to them collectively as emulated monitoring systems (EMS). Threat actors, however, work hard to reduce the efficacy of EMS by exploiting the inherent limitations of these tools: they employ a variety of detection techniques that reveal EMS artifacts, which we refer to as indicators of deception. In this paper we investigate the extent of EMS-evasive measures and provide a taxonomy of the indicators of deception in EMS, giving insight into the broad range of detection vectors available to threat actors. Closing these detection vectors would strengthen EMS as a formidable weapon in the continuing struggle against threat actors, resulting in improved detection of advanced malware samples and higher detection of intrusions.
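The abstract describes indicators of deception only in general terms. As an added illustration, the following Python is example code written for this page, not the authors' tool and not the paper's taxonomy: it takes a set of host observations of the kind a sample can gather (MAC addresses, CPU and RAM counts, uptime, the CPUID hypervisor-present bit, the RDTSC-measured cost of CPUID, running processes, debugger state) and classifies them into indicator categories. The vendor MAC OUIs and the meaning of CPUID.1:ECX[31] are real; the five category names, the numeric thresholds and the two sample hosts are this example's own assumptions and are labelled as such in the code.

```python
"""Classify host observations into indicators of deception.

Added example for this page, not code from the paper. The category names,
thresholds and sample hosts below are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Set

# Well-known OUI prefixes assigned to virtualization vendors (lower-case).
VM_MAC_PREFIXES = {
    "00:0c:29": "VMware", "00:50:56": "VMware", "00:05:69": "VMware",
    "08:00:27": "VirtualBox", "52:54:00": "QEMU/KVM", "00:15:5d": "Hyper-V",
}
# Guest-agent processes that only run inside a VM (vendor-shipped names).
VM_AGENT_PROCESSES = {"vmtoolsd.exe", "vboxservice.exe", "vboxtray.exe", "qemu-ga"}

# Thresholds are illustrative assumptions, not values from the paper.
MIN_CPUS = 2                 # analysis VMs are often given a single vCPU
MIN_RAM_MB = 4096            # and little memory
MIN_UPTIME_S = 10 * 60       # a freshly reverted snapshot has almost no uptime
MAX_RDTSC_CPUID_CYCLES = 1000  # CPUID traps to the hypervisor and becomes slow


@dataclass
class HostObservation:
    """What a sample can observe about the machine it is running on."""
    mac_addresses: List[str]
    cpu_count: int
    ram_mb: int
    uptime_seconds: int
    hypervisor_bit: bool       # CPUID.1:ECX[31] as reported to the guest
    rdtsc_cpuid_cycles: int    # cycles consumed by one CPUID, measured with RDTSC
    processes: List[str] = field(default_factory=list)
    debugger_attached: bool = False


@dataclass
class Indicator:
    category: str
    detail: str


def find_indicators(obs: HostObservation) -> List[Indicator]:
    """Return every indicator of deception present in the observation."""
    found: List[Indicator] = []
    # Hardware artifacts: vendor MAC OUIs and toy resource allocations.
    for mac in obs.mac_addresses:
        vendor = VM_MAC_PREFIXES.get(mac.lower()[:8])
        if vendor:
            found.append(Indicator("hardware", f"MAC {mac} has {vendor} OUI"))
    if obs.cpu_count < MIN_CPUS:
        found.append(Indicator("hardware", f"only {obs.cpu_count} CPU(s)"))
    if obs.ram_mb < MIN_RAM_MB:
        found.append(Indicator("hardware", f"only {obs.ram_mb} MB RAM"))
    # CPU artifacts: the hypervisor-present bit exposed through CPUID.
    if obs.hypervisor_bit:
        found.append(Indicator("cpu", "CPUID hypervisor-present bit set"))
    # Timing artifacts: a VM exit makes CPUID far slower than on bare metal.
    if obs.rdtsc_cpuid_cycles > MAX_RDTSC_CPUID_CYCLES:
        found.append(Indicator("timing", f"CPUID took {obs.rdtsc_cpuid_cycles} cycles"))
    # Software artifacts: guest agents and an attached debugger.
    for proc in obs.processes:
        if proc.lower() in VM_AGENT_PROCESSES:
            found.append(Indicator("software", f"guest agent process {proc}"))
    if obs.debugger_attached:
        found.append(Indicator("software", "debugger attached to process"))
    # Wear-and-tear artifacts: a machine that has barely been used.
    if obs.uptime_seconds < MIN_UPTIME_S:
        found.append(Indicator("wear-and-tear", f"uptime {obs.uptime_seconds}s"))
    return found


def categories(obs: HostObservation) -> Set[str]:
    """Distinct indicator categories present, a coarse 'am I watched?' score."""
    return {i.category for i in find_indicators(obs)}


# Constructed sample hosts (assumptions for this example, not real captures).
SANDBOX_LIKE = HostObservation(
    mac_addresses=["00:0C:29:3A:7B:11"], cpu_count=1, ram_mb=2048,
    uptime_seconds=90, hypervisor_bit=True, rdtsc_cpuid_cycles=2400,
    processes=["explorer.exe", "vmtoolsd.exe"], debugger_attached=True,
)
WORKSTATION_LIKE = HostObservation(
    mac_addresses=["3c:22:fb:01:02:03"], cpu_count=8, ram_mb=16384,
    uptime_seconds=5 * 24 * 3600, hypervisor_bit=False, rdtsc_cpuid_cycles=120,
    processes=["explorer.exe", "chrome.exe"], debugger_attached=False,
)

if __name__ == "__main__":
    for name, host in (("sandbox-like", SANDBOX_LIKE), ("workstation-like", WORKSTATION_LIKE)):
        print(name, sorted(categories(host)))
        for ind in find_indicators(host):
            print("  ", ind.category, ":", ind.detail)
```

Each check here is an artifact the defender controls: randomising the MAC OUI, giving the VM realistic resources, ageing the snapshot before detonation, and hiding the guest agent each remove one category from the sandbox-like host, which is the practical use of a taxonomy such as the one the paper proposes.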



Acknowledgements

The research work reported here was made possible by the Defence Science Institute Grant G22015SChilamkurtiLaT023, an initiative of the State Government of Victoria.

Corresponding author

Correspondence to Naveen Chilamkurti.


Cite this article

Papazis, K., Chilamkurti, N. Detecting indicators of deception in emulated monitoring systems. SOCA 13, 17–29 (2019). https://doi.org/10.1007/s11761-018-0252-2
