Scalability, fidelity, and containment in the Potemkin virtual honeyfarm

Michael Vrable; Justin Ma; Jay Chen; David Moore; Erik Vandekieft; Alex C. Snoeren; Geoffrey M. Voelker; Stefan Savage

doi:10.1145/1095809.1095825

Scalability, fidelity, and containment in the Potemkin virtual honeyfarm

Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker, Stefan Savage

Computer Science

Research output: Contribution to journal › Article › peer-review

Abstract

The rapid evolution of large-scale worms, viruses and botnets have made Internet malware a pressing concern. Such infections are at the root of modern scourges including DDoS extortion, on-line identity theft, SPAM, phishing, and piracy. However, the most widely used tools for gathering intelligence on new malware - network honeypots - have forced investigators to choose between monitoring activity at a large scale or capturing behavior with high fidelity. In this paper, we describe an approach to minimize this tension and improve honeypot scalability by up to six orders of magnitude while still closely emulating the execution behavior of individual Internet hosts. We have built a prototype honeyfarm system, called Potemkin, that exploits virtual machines, aggressive memory sharing, and late binding of resources to achieve this goal. While still an immature implementation, Potemkin has emulated over 64,000 Internet honeypots in live test runs, using only a handful of physical servers.

Original language	English (US)
Pages (from-to)	148-162
Number of pages	15
Journal	Operating Systems Review (ACM)
Volume	39
Issue number	5
DOIs	https://doi.org/10.1145/1095809.1095825
State	Published - 2005

Keywords

Copy-on-write
Honeyfarm
Honeypot
Malware
Virtual machine monitor

ASJC Scopus subject areas

Information Systems
Hardware and Architecture
Computer Networks and Communications

Access to Document

10.1145/1095809.1095825

Fingerprint Dive into the research topics of 'Scalability, fidelity, and containment in the Potemkin virtual honeyfarm'. Together they form a unique fingerprint.

Cite this

@article{00ace223bc414efcb4b6cd6e9c72b39b,

title = "Scalability, fidelity, and containment in the Potemkin virtual honeyfarm",

abstract = "The rapid evolution of large-scale worms, viruses and botnets have made Internet malware a pressing concern. Such infections are at the root of modern scourges including DDoS extortion, on-line identity theft, SPAM, phishing, and piracy. However, the most widely used tools for gathering intelligence on new malware - network honeypots - have forced investigators to choose between monitoring activity at a large scale or capturing behavior with high fidelity. In this paper, we describe an approach to minimize this tension and improve honeypot scalability by up to six orders of magnitude while still closely emulating the execution behavior of individual Internet hosts. We have built a prototype honeyfarm system, called Potemkin, that exploits virtual machines, aggressive memory sharing, and late binding of resources to achieve this goal. While still an immature implementation, Potemkin has emulated over 64,000 Internet honeypots in live test runs, using only a handful of physical servers.",

keywords = "Copy-on-write, Honeyfarm, Honeypot, Malware, Virtual machine monitor",

author = "Michael Vrable and Justin Ma and Jay Chen and David Moore and Erik Vandekieft and Snoeren, {Alex C.} and Voelker, {Geoffrey M.} and Stefan Savage",

year = "2005",

doi = "10.1145/1095809.1095825",

language = "English (US)",

volume = "39",

pages = "148--162",

journal = "Operating Systems Review (ACM)",

issn = "0163-5980",

publisher = "Association for Computing Machinery (ACM)",

number = "5",

}

TY - JOUR

T1 - Scalability, fidelity, and containment in the Potemkin virtual honeyfarm

AU - Vrable, Michael

AU - Ma, Justin

AU - Chen, Jay

AU - Moore, David

AU - Vandekieft, Erik

AU - Snoeren, Alex C.

AU - Voelker, Geoffrey M.

AU - Savage, Stefan

PY - 2005

Y1 - 2005

N2 - The rapid evolution of large-scale worms, viruses and botnets have made Internet malware a pressing concern. Such infections are at the root of modern scourges including DDoS extortion, on-line identity theft, SPAM, phishing, and piracy. However, the most widely used tools for gathering intelligence on new malware - network honeypots - have forced investigators to choose between monitoring activity at a large scale or capturing behavior with high fidelity. In this paper, we describe an approach to minimize this tension and improve honeypot scalability by up to six orders of magnitude while still closely emulating the execution behavior of individual Internet hosts. We have built a prototype honeyfarm system, called Potemkin, that exploits virtual machines, aggressive memory sharing, and late binding of resources to achieve this goal. While still an immature implementation, Potemkin has emulated over 64,000 Internet honeypots in live test runs, using only a handful of physical servers.

AB - The rapid evolution of large-scale worms, viruses and botnets have made Internet malware a pressing concern. Such infections are at the root of modern scourges including DDoS extortion, on-line identity theft, SPAM, phishing, and piracy. However, the most widely used tools for gathering intelligence on new malware - network honeypots - have forced investigators to choose between monitoring activity at a large scale or capturing behavior with high fidelity. In this paper, we describe an approach to minimize this tension and improve honeypot scalability by up to six orders of magnitude while still closely emulating the execution behavior of individual Internet hosts. We have built a prototype honeyfarm system, called Potemkin, that exploits virtual machines, aggressive memory sharing, and late binding of resources to achieve this goal. While still an immature implementation, Potemkin has emulated over 64,000 Internet honeypots in live test runs, using only a handful of physical servers.

KW - Copy-on-write

KW - Honeyfarm

KW - Honeypot

KW - Malware

KW - Virtual machine monitor

UR - http://www.scopus.com/inward/record.url?scp=33750376717&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=33750376717&partnerID=8YFLogxK

U2 - 10.1145/1095809.1095825

DO - 10.1145/1095809.1095825

M3 - Article

AN - SCOPUS:33750376717

VL - 39

SP - 148

EP - 162

JO - Operating Systems Review (ACM)

JF - Operating Systems Review (ACM)

SN - 0163-5980

IS - 5

ER -