Scalability, fidelity, and containment in the Potemkin virtual honeyfarm

Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker, Stefan Savage

Research output: Contribution to journalArticlepeer-review

Abstract

The rapid evolution of large-scale worms, viruses and botnets have made Internet malware a pressing concern. Such infections are at the root of modern scourges including DDoS extortion, on-line identity theft, SPAM, phishing, and piracy. However, the most widely used tools for gathering intelligence on new malware - network honeypots - have forced investigators to choose between monitoring activity at a large scale or capturing behavior with high fidelity. In this paper, we describe an approach to minimize this tension and improve honeypot scalability by up to six orders of magnitude while still closely emulating the execution behavior of individual Internet hosts. We have built a prototype honeyfarm system, called Potemkin, that exploits virtual machines, aggressive memory sharing, and late binding of resources to achieve this goal. While still an immature implementation, Potemkin has emulated over 64,000 Internet honeypots in live test runs, using only a handful of physical servers.

Original languageEnglish (US)
Pages (from-to)148-162
Number of pages15
JournalOperating Systems Review (ACM)
Volume39
Issue number5
DOIs
StatePublished - 2005

Keywords

  • Copy-on-write
  • Honeyfarm
  • Honeypot
  • Malware
  • Virtual machine monitor

ASJC Scopus subject areas

  • Information Systems
  • Hardware and Architecture
  • Computer Networks and Communications

Fingerprint Dive into the research topics of 'Scalability, fidelity, and containment in the Potemkin virtual honeyfarm'. Together they form a unique fingerprint.

Cite this