TY - GEN
T1 - Scalability, fidelity, and containment in the Potemkin virtual honeyfarm
AU - Vrable, Michael
AU - Ma, Justin
AU - Chen, Jay
AU - Moore, David
AU - Vandekieft, Erik
AU - Snoeren, Alex C.
AU - Voelker, Geoffrey M.
AU - Savage, Stefan
N1 - Copyright:
Copyright 2013 Elsevier B.V., All rights reserved.
PY - 2005
Y1 - 2005
AB - The rapid evolution of large-scale worms, viruses and bot-nets has made Internet malware a pressing concern. Such infections are at the root of modern scourges including DDoS extortion, on-line identity theft, SPAM, phishing, and piracy. However, the most widely used tools for gathering intelligence on new malware - network honeypots - have forced investigators to choose between monitoring activity at a large scale or capturing behavior with high fidelity. In this paper, we describe an approach to minimize this tension and improve honeypot scalability by up to six orders of magnitude while still closely emulating the execution behavior of individual Internet hosts. We have built a prototype honeyfarm system, called Potemkin, that exploits virtual machines, aggressive memory sharing, and late binding of resources to achieve this goal. While still an immature implementation, Potemkin has emulated over 64,000 Internet honeypots in live test runs, using only a handful of physical servers.
KW - copy-on-write
KW - honeyfarm
KW - honeypot
KW - malware
KW - virtual machine monitor
UR - http://www.scopus.com/inward/record.url?scp=84885575254&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84885575254&partnerID=8YFLogxK
U2 - 10.1145/1095810.1095825
DO - 10.1145/1095810.1095825
M3 - Conference contribution
AN - SCOPUS:84885575254
SN - 1595930795
SN - 9781595930798
T3 - Proceedings of the 20th ACM Symposium on Operating Systems Principles, SOSP 2005
SP - 148
EP - 162
BT - Proceedings of the 20th ACM Symposium on Operating Systems Principles, SOSP 2005
T2 - 20th ACM Symposium on Operating Systems Principles, SOSP 2005
Y2 - 23 October 2005 through 26 October 2005
ER -