Abstract
There has been a proliferation of cyber attacks in the form of malware manifestations, botnet attacks and intruder access to unauthorized systems, owing to the larger attack surface available to threat actors. Security researchers leverage computer systems to monitor and analyze security threats in order to secure their data. Some of the security tools employed by security analysts are honeypots, virtual machines, sandboxes and debuggers, collectively referred to as emulated monitoring systems (EMS). However, threat actors are working hard at reducing the efficacy of EMS by exploiting the inherent limitations of these security tools. They have employed various detection techniques to reveal EMS artifacts, referred to as indicators of deception. In this paper, we investigate the level of EMS evasive measures and provide a taxonomy of the indicators of deception in EMS to gain insight into the broad range of detection vectors available to threat actors. This would help make EMS a formidable weapon in the continuing struggle against threat actors, resulting in improved detection of advanced malware samples and higher detection of intrusions.
Acknowledgements
The research work reported here was made possible by the Defence Science Institute Grant G22015SChilamkurtiLaT023, an initiative of the State Government of Victoria.
Cite this article
Papazis, K., Chilamkurti, N. Detecting indicators of deception in emulated monitoring systems. SOCA 13, 17–29 (2019). https://doi.org/10.1007/s11761-018-0252-2