Detection of Virtual Environments and Low Interaction Honeypots

S. Mukkamala, K. Yendrapalli, R. Basnet, M. K. Shankarapani, A. H. Sung
Department of Computer Science, Institute for Complex Additive Systems Analysis, New Mexico Tech
(srinivas|krishna|rbasnet|madhu|sung@cs.nmt.edu)

Abstract

This paper focuses on the detection of virtual environments and low interaction honeypots using a feature set built from traditional system and network level fingerprinting mechanisms. Earlier work in the area has been based mostly on system level detection. The results aim at bringing out the limitations of current honeypot technology. This paper also describes results concerning the robustness and generalization capabilities of kernel methods in detecting honeypots using system and network fingerprinting data. We use traditional support vector machines (SVM), biased support vector machines (BSVM) and leave-one-out model selection for support vector machines (looms) for model selection. We also evaluate the impact of kernel type and parameter values on the accuracy of a support vector machine (SVM) performing honeypot classification. Through a variety of comparative experiments, it is found that SVM performs best for data sent on the same network, while BSVM performs best for data sent from a remote network.

1. INTRODUCTION

One of the purposes of a honeypot is to lure the attacker into interacting with it and to gather information about emerging threats or attack vectors so that the organization’s defenses can be updated. New tools can be discovered, attack patterns can be determined, and the very motives of the attackers can be studied [1, 2]. Being able to detect honeypots is important to malicious users as well as to security professionals. The stealthiness of a honeypot is an important factor to consider in an organization’s overall security strategy, but more importantly, honeypot developers have few tools with which to test their products.
Earlier work on the detection of honeypots has focused on detecting them at the system level by examining simple features such as system calls or installed software [3]. The work presented in this paper concentrates on network level detection. Two observations are the key features behind the experiments: low interaction honeypots do not implement the complete feature set that a real system does, and emulated environments carry a significant software overhead when multiple virtual machines run on a single physical machine. A technique called service exercising was implemented, based on the incomplete feature set of low interaction honeypots, and TCP/IP fingerprinting techniques combined with learning machines are used to distinguish benign systems from honeypots. One of the key features used in TCP/IP fingerprinting is timing analysis, a technique that sends a stream of ICMP echo requests to the target and then measures how quickly the nodes reply. The results obtained show how the two groups (honeypots and real systems) can be clearly distinguished.

The paper is organized as follows: the first section is this introduction; section 2 provides insight into network level detection of honeypots. Section 3 describes the methodologies used for detection and data collection. Models generated by the biased support vector machine using leave-one-out model selection for support vector machines (looms) are given in section 4. A brief introduction to model selection using SVMs for detecting honeypots is given in section 6. In section 6, we analyze the classification accuracies of SVMs using ROC curves. Section 7 presents the results and discussion. Summary and conclusions are given in section 8.

2. NETWORK LEVEL DETECTION OF HONEYPOTS

Previous efforts to detect honeypots have focused on system level features such as installed software, detecting kernel modules, detecting virtual environments, and performing timing analysis of system functions [3].
While successful, these techniques require access to the local system. Using them in a networked environment requires a user account or some other way to execute arbitrary code. A faster, more versatile method of network based honeypot detection is needed [4].

Network based honeypot features: An ideal honeypot will mirror a real system exactly and is thus difficult to detect, but unfortunately existing honeypot technology is far from ideal. In general there are