
Design And Research Of Xen-Based Highly Stealth Virtual Honeynet

Posted on: 2008-05-17; Degree: Master; Type: Thesis
Country: China; Candidate: Q He
GTID: 2178360242976849; Subject: Communication and Information System
Abstract/Summary:
Honeynet is a kind of high-interaction honeypot technology. Compared with conventional passive defensive security measures, it gives administrators more knowledge of adversary activities, including the vulnerabilities, utilities and techniques adversaries are using, which considerably increases the ability to counter malicious behavior. Virtual honeynet is a new technology that combines honeynet with virtualization technology. While preserving the defense of the honeynet, it consolidates multiple honeypot hosts and dramatically improves resource efficiency, deployment effort and maintainability. As a result, virtual honeynets are receiving increasing research and application.

However, this has led to the development of honeypot identification techniques. With these techniques, an adversary is likely to discover the honeypot nature of the targeted environment, and subsequently abandon the target or take other countermeasures. This renders honeypot systems much less useful and becomes a bottleneck for the further development and application of honeypot technology.

The introduction of virtual machines by the virtual honeynet actually brings two other effects. On the one hand, because the system grows, there are more hints and potential vulnerabilities available to an adversary, and thus a greater possibility of being exposed and compromised. On the other hand, it also becomes possible to introduce a rootkit that uses virtual-machine-specific features so that it is more difficult to detect. Through careful design of the virtual machine monitor and honeynet modules, we can more effectively hide the existence of the honeynet as well as the virtual environment, and thus largely increase the invisibility of virtual honeynet systems.

This paper first discusses the concept of honeynet technologies and analyzes common hiding and detection techniques. Virtualization and the Xen open source virtual machine monitor are then introduced to elaborate the anti-detection honeynet that utilizes the Xen interface in Xen hardware virtual machines (HVM). At the end of the paper, we describe in detail the architecture and implementation of the highly stealthy virtual honeynet.
Keywords/Search Tags: honeynet, virtual honeynet, honeypot identification, Xen, hardware virtual machine