Virtual Machine Introspection in a Hybrid Honeypot Architecture

CSET'12: Proceedings of the 5th USENIX conference on Cyber Security Experimentation and Test (2012)

Cited by 23 | Views 101
Abstract
With the recent advent of effective and practical virtual machine introspection tools, we revisit the use of hybrid honeypots as a means to implement automated malware collection and analysis. We introduce VMI-Honeymon, a high-interaction honeypot monitor which uses virtual machine memory introspection on Xen. VMI-Honeymon remains transparent to the monitored virtual machine and bypasses reliance on the untrusted guest kernel by utilizing memory scans for state reconstruction. VMI-Honeymon builds on open-source introspection and forensics tools that provide a rich set of information about intrusion and infection processes while enabling the automatic capture of the associated malware binaries. Our experiments show that using VMI-Honeymon in a hybrid setup expands the range of malware captures and is effective in capturing both known and unclassified malware samples.
Keywords
associated malware binary, malware capture, malware collection, unclassified malware sample, monitored virtual machine, open-source introspection, practical virtual machine introspection, virtual machine memory introspection, hybrid honeypots, hybrid setup, hybrid honeypot architecture