Scalability, fidelity, and containment in the Potemkin virtual honeyfarm

Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker, Stefan Savage

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

The rapid evolution of large-scale worms, viruses and bot-nets has made Internet malware a pressing concern. Such infections are at the root of modern scourges including DDoS extortion, on-line identity theft, SPAM, phishing, and piracy. However, the most widely used tools for gathering intelligence on new malware - network honeypots - have forced investigators to choose between monitoring activity at a large scale or capturing behavior with high fidelity. In this paper, we describe an approach to minimize this tension and improve honeypot scalability by up to six orders of magnitude while still closely emulating the execution behavior of individual Internet hosts. We have built a prototype honeyfarm system, called Potemkin, that exploits virtual machines, aggressive memory sharing, and late binding of resources to achieve this goal. While still an immature implementation, Potemkin has emulated over 64,000 Internet honeypots in live test runs, using only a handful of physical servers.

Original language: English (US)
Title of host publication: Proceedings of the 20th ACM Symposium on Operating Systems Principles, SOSP 2005
Pages: 148-162
Number of pages: 15
State: Published - 2005
Event: 20th ACM Symposium on Operating Systems Principles, SOSP 2005 - Brighton, United Kingdom
Duration: Oct 23 2005 to Oct 26 2005

Publication series

Name: Proceedings of the 20th ACM Symposium on Operating Systems Principles, SOSP 2005

Other

Other: 20th ACM Symposium on Operating Systems Principles, SOSP 2005
Country: United Kingdom
City: Brighton
Period: 10/23/05 to 10/26/05

Keywords

  • copy-on-write
  • honeyfarm
  • honeypot
  • malware
  • virtual machine monitor

ASJC Scopus subject areas

  • Software

Cite this

Vrable, M., Ma, J., Chen, J., Moore, D., Vandekieft, E., Snoeren, A. C., Voelker, G. M., & Savage, S. (2005). Scalability, fidelity, and containment in the Potemkin virtual honeyfarm. In Proceedings of the 20th ACM Symposium on Operating Systems Principles, SOSP 2005 (pp. 148-162). (Proceedings of the 20th ACM Symposium on Operating Systems Principles, SOSP 2005). https://doi.org/10.1145/1095810.1095825