A First Look: Using Linux Containers for Deceptive Honeypots

Author USMA Department

Electrical Engineering and Computer Science

Document Type

Conference Proceeding

Publication Date

Fall 11-3-2017


Keywords

Deception, Honeypots, Virtual machines, Linux containers, Cyber security, Malware, Cyber defense, Computer security experiment


Abstract

The ever-increasing sophistication of malware has made the collection and analysis of malicious binaries an absolute necessity for proactive defenses. Meanwhile, malware authors seek to harden their binaries against analysis by incorporating environment detection techniques that identify whether the binary is executing within a virtual environment or in the presence of monitoring tools. For security researchers, it remains an open question how to remove the artifacts of virtual machines in order to build effective, deceptive “honeypots” for malware collection and analysis. In this paper, we explore a completely different yet promising approach: using Linux containers. Linux containers, in theory, have minimal virtualization artifacts and are easily deployable on low-power devices. Our work performs the first controlled experiments comparing Linux containers with bare metal and 5 major types of virtual machines. We seek to measure the deception capabilities offered by Linux containers in defeating mainstream virtual environment detection techniques. In addition, we empirically explore the potential weaknesses of Linux containers to help defenders make more informed design decisions.

First Page


Last Page


Conference Name

2017 Workshop on Automated Decision Making for Active Cyber Defense (SafeConfig '17)

Conference Location

Dallas, Texas

Conference Dates