A Survey on Anti-honeypot and Anti-introspection Methods

Modern virtual machines, debuggers, and sandboxing solutions lend themselves to increasingly inconspicuous ways of running honeypots and of observing and analyzing malware and other malicious activity. This analysis yields valuable data for threat assessment, malware identification, and prevention. However, the use of such introspection methods has led malware authors to create malicious programs that can detect and evade such environments. This paper presents an overview of existing research on anti-honeypot and anti-introspection methods. We also propose our own taxonomy of the detection vectors used by malware.
