Detecting Honeypots and Other Suspicious Environments
Thorsten Holz, Frederic Raynal
IEEE Information Assurance Workshop (IAW), West Point, NY, June 2005
To learn more about attack patterns and attacker behavior, the concept of electronic decoys, i.e. network resources (computers, routers, switches, etc.) deployed to be probed, attacked, and compromised, is used in the area of IT security under the name honeypots. These electronic baits lure in attackers and help in assessment of vulnerabilities.
Because honeypots are more and more deployed within computer networks, malicious attackers start to devise techniques to detect and circumvent these security tools. This paper will explain how an attacker typically proceeds in order to attack this kind of systems. We will introduce several techniques and present diverse tools and techniques which help attackers. In addition, we present several methods to detect suspicious environments (e.g. virtual machines and presence of debuggers). The article aims at showing the limitation of current honeypot-based research. After a brief theoretical introduction, we present several technical examples of different methodologies.[pdf]