3. The limitations
Low-interaction honeypots:
● "Artificial" attack surface
● Limited information about the attacks
● Easily identified
High-interaction honeypots:
● Complexity
● Maintenance
● High risk
4. Hybrid honeypot
Robin Berthier, 2006: Advanced honeypot architecture for network threats quantification
Primarily use the low-interaction honeypot, and hand a session over to a high-interaction honeypot only when something "interesting" is happening.
How do you define "interesting"?
6. VMI-Honeymon http://vmi-honeymon.sf.net
● Fidelity via Virtual Machine Introspection
○ LibVMI
○ Volatility
○ LibGuestFS
● Scalability via Virtual Machine Cloning
○ QEMU copy-on-write disk
○ Xen copy-on-write RAM
7. Issues: clone routing
Clones share IP and MAC address!
○ Post-cloning in-guest network reconfiguration should be avoided
○ Separate bridge/VLAN required for each clone to avoid collision
○ Honeybrid requires extra setup (iptables rules, routing tables & ip marks) to be able to route clones
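The two open questions on slides 4 and 7 (what counts as "interesting", and how to route clones that share one IP and MAC) can be seen together in a small dispatcher model. This is an added example, not code from VMI-Honeymon, Honeybrid or Berthier's paper: the escalation rules in is_interesting, the clone/bridge names and the packet-mark numbers are all assumptions chosen to illustrate the idea.

```python
"""Toy hybrid-honeypot dispatcher (added example, not VMI-Honeymon code).

Low-interaction honeypot (LIH) handles everything by default; a session is
escalated to a dedicated high-interaction honeypot (HIH) clone only when the
policy below flags it. Every clone gets its own bridge/VLAN and packet mark,
because cloned VMs share IP and MAC and must never sit on the same L2 segment.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    """One observation from the LIH (constructed, not a real capture format)."""
    src_ip: str
    dst_port: int
    payload: bytes = b""


# Illustrative policy (assumption): the paper asks the question, it does not give these rules.
def is_interesting(ev: Event, seen_sources: Set[str]) -> bool:
    if ev.src_ip not in seen_sources:
        return False  # first contact is usually a scan; the cheap LIH absorbs it
    if ev.dst_port in (22, 445) and ev.payload:
        return True   # data sent on a service we only emulate shallowly
    if len(ev.payload) > 512:
        return True   # large payloads exceed what the LIH can answer convincingly
    return False


@dataclass
class Clone:
    name: str
    bridge: str            # dedicated bridge/VLAN per clone (avoids IP/MAC collision)
    mark: int              # stands in for Honeybrid's ip mark used by routing rules
    assigned_to: Optional[str] = None


class HybridHoneypot:
    def __init__(self, base_name: str, pool_size: int) -> None:
        self.clones: List[Clone] = [
            Clone(f"{base_name}-clone{i}", f"br-clone{i}", 100 + i) for i in range(pool_size)
        ]
        self.seen: Set[str] = set()
        self.routes: Dict[str, str] = {}   # src_ip -> clone name (sticky once escalated)

    def handle(self, ev: Event) -> Tuple[str, Optional[str]]:
        """Return ("lih"|"hih", clone name or None) for this event."""
        if ev.src_ip in self.routes:
            return ("hih", self.routes[ev.src_ip])      # keep an escalated source on its clone
        if is_interesting(ev, self.seen):
            clone = self._allocate(ev.src_ip)
            if clone is None:
                return ("lih", "pool-exhausted")       # fall back rather than share a clone
            return ("hih", clone.name)
        self.seen.add(ev.src_ip)
        return ("lih", None)

    def _allocate(self, src_ip: str) -> Optional[Clone]:
        for c in self.clones:
            if c.assigned_to is None:
                c.assigned_to = src_ip
                self.routes[src_ip] = c.name
                return c
        return None

    def release(self, src_ip: str) -> None:
        """Free the clone when the session ends (clone is then reverted/recloned)."""
        name = self.routes.pop(src_ip, None)
        for c in self.clones:
            if c.name == name:
                c.assigned_to = None

    def routing_plan(self) -> Dict[str, Tuple[str, str, int]]:
        """src_ip -> (clone, bridge, mark): the inputs a rule generator would need."""
        by_name = {c.name: c for c in self.clones}
        return {ip: (n, by_name[n].bridge, by_name[n].mark) for ip, n in self.routes.items()}

    def bridges_unique(self) -> bool:
        bridges = [c.bridge for c in self.clones]
        return len(bridges) == len(set(bridges))
```

The routing_plan output is what you would feed to whatever creates the per-clone bridges and marking rules; the dispatcher itself never reconfigures the guest, matching the slide's point that in-guest network changes after cloning should be avoided.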
12. Future work
● Clone routing using Open vSwitch & OpenFlow
● Auto-balloon number of HIHs
● Mix Linux and Windows HIHs with additional software packages installed
● Test large-scale deployment (/24)
● Zazen IDS!