Scalability, fidelity, and containment in the potemkin virtual honeyfarm

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Scalability, fidelity, and containment in the potemkin virtual honeyfarm

Full text

Pdf (506 KB)

Source

ACM Symposium on Operating Systems Principles archive
Proceedings of the twentieth ACM symposium on Operating systems principles table of contents

Brighton, United Kingdom

SESSION: Containment table of contents

Pages: 148 - 162

Year of Publication: 2005

ISBN:1-59593-079-5

Also published in ...

Authors

Michael Vrable	University of California, San Diego, CA
Justin Ma	University of California, San Diego, CA
Jay Chen	University of California, San Diego, CA
David Moore	University of California, San Diego, CA
Erik Vandekieft	University of California, San Diego, CA
Alex C. Snoeren	University of California, San Diego, CA
Geoffrey M. Voelker	University of California, San Diego, CA
Stefan Savage	University of California, San Diego, CA

Sponsors

ACM: Association for Computing Machinery
SIGOPS: ACM Special Interest Group on Operating Systems

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 25, Downloads (12 Months): 166, Citation Count: 29

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1095810.1095825 What is a DOI?

ABSTRACT

The rapid evolution of large-scale worms, viruses and bot-nets have made Internet malware a pressing concern. Such infections are at the root of modern scourges including DDoS extortion, on-line identity theft, SPAM, phishing, and piracy. However, the most widely used tools for gathering intelligence on new malware -- network honeypots -- have forced investigators to choose between monitoring activity at a large scale or capturing behavior with high fidelity. In this paper, we describe an approach to minimize this tension and improve honeypot scalability by up to six orders of magnitude while still closely emulating the execution behavior of individual Internet hosts. We have built a prototype honeyfarm system, called Potemkin, that exploits virtual machines, aggressive memory sharing, and late binding of resources to achieve this goal. While still an immature implementation, Potemkin has emulated over 64,000 Internet honeypots in live test runs, using only a handful of physical servers.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	M. Bailey, E. Cooke, F. Jahanian, J. Nazario, and D. Watson. The Internet Motion Sensor: A Distributed Blackhole Monitoring System. In Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS '05), San Diego, CA, Feb. 2005.
	2	M. Bailey, E. Cooke, F. Jahanian, N. Provos, K. Rosaen, and D. Watson. Data Reduction for the Scalable Automated Analysis of Distributed Darknet Traffic. In Proceedings of the USENIX/ACM Internet Measurement Conference, New Orleans, LA, Oct. 2005.
	3	Paul Barham , Boris Dragovic , Keir Fraser , Steven Hand , Tim Harris , Alex Ho , Rolf Neugebauer , Ian Pratt , Andrew Warfield, Xen and the art of virtualization, Proceedings of the nineteenth ACM symposium on Operating systems principles, October 19-22, 2003, Bolton Landing, NY, USA
	4	Ashlesha Joshi , Samuel T. King , George W. Dunlap , Peter M. Chen, Detecting past and present intrusions through vulnerability-specific predicates, Proceedings of the twentieth ACM symposium on Operating systems principles, October 23-26, 2005, Brighton, United Kingdom
	5	B. Cheswick. An Evening with Berferd In Which a Cracker is Lured, Endured, and Studied. In Proceedings of the Winter Usenix Conference, San Francisco, CA, 1992.
	6	C. Clark, K. Fraser, S. Hand, J. G. Hansen, E. Jul, C. Limpach, I. Pratt, and A. Warfield. Live Migration of Virtual Machines. In Proceedings of the 2nd ACM/USENIX Symposium on Networked Systems Design and Implementation (NSDI), Boston, MA, May 2005.
	7	Manuel Costa , Jon Crowcroft , Miguel Castro , Antony Rowstron , Lidong Zhou , Lintao Zhang , Paul Barham, Vigilante: end-to-end containment of internet worms, Proceedings of the twentieth ACM symposium on Operating systems principles, October 23-26, 2005, Brighton, United Kingdom
	8	D. Dagon, X. Qin, G. Gu, W. Lee, J. Grizzard, J. Levine, and H. Owen. HoneyStat: Local Worm Detection Using Honeypots. In In Recent Advances In Intrusion Detection (RAID) 2004, Sept. 2004.
	9	Daniel R. Ellis , John G. Aiken , Kira S. Attwood , Scott D. Tenaglia, A behavioral approach to worm detection, Proceedings of the 2004 ACM workshop on Rapid malcode, October 29-29, 2004, Washington DC, USA [doi>10.1145/1029618.1029625]
	10	D. Farinacci, T. Li, S. Hanks, D. Meyer, and P. Traina. RFC 2784 - Generic Routing Encapsulation (GRE). RFC 2784, Mar. 2000.
	11	T. Garfinkel and M. Rosenblum. A Virtual Machine Introspection Based Architecture for Intrusion Detection. In Proceedings of the 10th Annual Network and Distributed System Security Symposium (NDSS '03), San Diego, CA, Feb. 2003.
	12	Honeynet Project. Know Your Enemy: Learning about Security Threats. Pearson Education, Inc., Boston, MA, second edition, 2004.
	13	Honeynet Project. Know Your Enemy: Tracking Botnets. http://www.honeynet.org/papers/bots/, Mar. 2005.
	14	Intel. Virtualization Technology. http://www.intel.com/technology/computing/vptech/.
	15	X. Jiang and D. Xu. Collapsar: A VM-Based Architecture for Network Attack Detention Center. In Proceedings of the USENIX Security Symposium, San Diego, CA, Aug. 2004.
	16	H.-A. Kim and B. Karp. Autograph: Toward Automated, Distributed Worm Signature Detection. In Proceedings of the USENIX Security Symposium, San Diego, CA, Aug. 2004.
	17	Eddie Kohler , Robert Morris , Benjie Chen , John Jannotti , M. Frans Kaashoek, The click modular router, ACM Transactions on Computer Systems (TOCS), v.18 n.3, p.263-297, Aug. 2000 [doi>10.1145/354871.354874]
	18	C. Kreibich and J. Crowcroft. Honeycomb -- Creating Intrusion Detection Signatures Using Honeypots. In Proceedings of the 2nd ACM Workshop on Hot Topics in Networks (HotNets-II), Cambridge, MA, Nov. 2003.
	19	G. R. Malan, D. Watson, F. Jahanian, and P. Howell. Transport and Application Protocol Scrubbing. In Proceedings of IEEE Infocom Conference, pages 1381--1390, Tel-Aviv, Isreal, Mar. 2000.
	20	David Moore , Vern Paxson , Stefan Savage , Colleen Shannon , Stuart Staniford , Nicholas Weaver, Inside the Slammer Worm, IEEE Security and Privacy, v.1 n.4, p.33-39, July 2003 [doi>10.1109/MSECP.2003.1219056]
	21	David Moore , Colleen Shannon , k claffy, Code-Red: a case study on the spread and victims of an internet worm, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, November 06-08, 2002, Marseille, France [doi>10.1145/637201.637244]
	22	D. Moore, C. Shannon, G. Voelker, and S. Savage. Network telescopes: Technical report. Technical Report CS2004-0795, UCSD, July 2004.
	23	D. Moore, G. M. Voelker, and S. Savage. Inferring Internet Denial of Service Activity. In Proceedings of the USENIX Security Symposium, Washington, D.C., Aug. 2001.
	24	C. Nachenberg. From AntiVirus to AntiWorm: A New Strategy for A New Threat Landscape. Invited talk at 2004 ACM Worm, http://www.icir.org/vern/worm04/carey.ppt.
	25	J. Newsome and D. Song. Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. In Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS '05), San Diego, CA, Feb. 2005.
	26	Ruoming Pang , Vinod Yegneswaran , Paul Barford , Vern Paxson , Larry Peterson, Characteristics of internet background radiation, Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, October 25-27, 2004, Taormina, Sicily, Italy [doi>10.1145/1028788.1028794]
	27	N. Provos. A Virtual Honeypot Framework. In Proceedings of the USENIX Security Symposium, San Diego, CA, Aug. 2004.
	28	Jesse C. Rabek , Roger I. Khazan , Scott M. Lewandowski , Robert K. Cunningham, Detection of injected, dynamically generated, and obfuscated malicious code, Proceedings of the 2003 ACM workshop on Rapid malcode, October 27-27, 2003, Washington, DC, USA [doi>10.1145/948187.948201]
	29	S. Singh, C. Estan, G. Varghese, and S. Savage. Automated Worm Fingerprinting. In Proceedings of the 6th ACM/USENIX Symposium on Operating System Design and Implementation (OSDI), San Francisco, CA, Dec. 2004.
	30	D. Song, R. Malan, and R. Stone. A Snapshot of Global Internet Worm Activity. Technical report, Arbor Networks Technical Report, Nov. 2001.
	31	C. Stoll. The Cuckoo's Egg. Pocket Books, New York, NY, 1990.
	32	Symantec. Decoy Server Product Sheet. http://www.symantec.com/.
	33	S. Venkataraman, D. Song, P. Gibbons, and A. Blum. New Streaming Algorithms for Superspreader Detection. In Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS '05), San Diego, CA, Feb. 2005.
	34	Carl A. Waldspurger, Memory resource management in VMware ESX server, Proceedings of the 5th symposium on Operating systems design and implementation Due to copyright restrictions we are not able to make the PDFs for this conference available for downloading , December 09-11, 2002, Boston, Massachusetts [doi>10.1145/1060289.1060307]
	35	Y.-M. Wang, D. Beck, X. Jiang, and R. Roussev. Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites that Exploit Browser Vulnerabilities. Technical Report MSR-TR-2005-72, Microsoft Research, Aug. 2005.
	36	A. Warfield, R. Ross, K. Fraser, C. Limpach, and S. Hand. Parallax: Managing Storage for a Million Machines. In Proceedings of the 10th USENIX Workshop on Hot Topics in Operating Systems (HotOS-X), Santa Fe, NM, June 2005.
	37	N. Weaver, S. Staniford, and V. Paxson. Very Fast Containment of Scanning Worms. In Proceedings of the USENIX Security Symposium, San Diego, CA, Aug. 2004.
	38	Andrew Whitaker , Marianne Shaw , Steven D. Gribble, Scale and performance in the Denali isolation kernel, Proceedings of the 5th symposium on Operating systems design and implementation Due to copyright restrictions we are not able to make the PDFs for this conference available for downloading , December 09-11, 2002, Boston, Massachusetts [doi>10.1145/1060289.1060308]
	39	Jintao Xiong, ACT: attachment chain tracing scheme for email virus detection and control, Proceedings of the 2004 ACM workshop on Rapid malcode, October 29-29, 2004, Washington DC, USA [doi>10.1145/1029618.1029621]
	40	V. Yegneswaran, P. Barford, and D. Plonka. On the Design and Use of Internet Sinks for Network Abuse Monitoring. In Proceedings of Symposium on Recent Advances in Intrusion Detection (RAID), Sept. 2004.

CITED BY 29

	Jon Oberheide , Evan Cooke , Farnam Jahanian, Rethinking antivirus: executable analysis in the network cloud, Proceedings of the 2nd USENIX workshop on Hot topics in security, p.1-5, August 07, 2007, Boston, MA
	Timothy Roscoe , Kevin Elphinstone , Gernot Heiser, Hype and virtue, Proceedings of the 11th USENIX workshop on Hot topics in operating systems, p.1-6, May 07-09, 2007, San Diego, CA
	Tal Garfinkel , Keith Adams , Andrew Warfield , Jason Franklin, Compatibility is not transparency: VMM detection myths and realities, Proceedings of the 11th USENIX workshop on Hot topics in operating systems, p.1-6, May 07-09, 2007, San Diego, CA
	Diego Zamboni , James Riordan , Milton Yates, Boundary detection and containment of local worm infections, Proceedings of the 3rd USENIX workshop on Steps to reducing unwanted traffic on the internet, p.1-7, June 18, 2007, Santa Clara, CA
	Moheeb Abu Rajab , Jay Zarfoss , Fabian Monrose , Andreas Terzis, A multifaceted approach to understanding the botnet phenomenon, Proceedings of the 6th ACM SIGCOMM on Internet measurement, October 25-27, 2006, Rio de Janeriro, Brazil
	Jedidiah R. Crandall , Gary Wassermann , Daniela A. S. de Oliveira , Zhendong Su , S. Felix Wu , Frederic T. Chong, Temporal search: detecting hidden malware timebombs with virtual machines, ACM SIGPLAN Notices, v.41 n.11, November 2006
	Xuxian Jiang , Dongyan Xu , Yi-Min Wang, Collapsar: a VM-based honeyfarm and reverse honeyfarm architecture for network attack capture and detention, Journal of Parallel and Distributed Computing, v.66 n.9, p.1165-1180, September 2006
	Alex Ho , Michael Fetterman , Christopher Clark , Andrew Warfield , Steven Hand, Practical taint-based protection using demand emulation, ACM SIGOPS Operating Systems Review, v.40 n.4, October 2006
	Rohan Narayana Murty , Matt Welsh, Towards a dependable architecture for internet-scale sensing, Proceedings of the 2nd conference on Hot Topics in System Dependability, p.8-8, November 08, 2006, Seattle, WA
	Hiroshi Yamada , Kenji Kono, FoxyTechnique: tricking operating system policies with a virtual machine monitor, Proceedings of the 3rd international conference on Virtual execution environments, June 13-15, 2007, San Diego, California, USA
	John Aycock , Heather Crawford , Rennie deGraaf, Spamulator: the Internet on a laptop, Proceedings of the 13th annual conference on Innovation and technology in computer science education, June 30-July 02, 2008, Madrid, Spain
	Richard Ta-Min , Lionel Litty , David Lie, Splitting interfaces: making trust between applications and operating systems configurable, Proceedings of the 7th symposium on Operating systems design and implementation, November 06-08, 2006, Seattle, Washington
	Kiyokuni Kawachiya , Kazunori Ogata , Daniel Silva , Tamiya Onodera , Hideaki Komatsu , Toshio Nakatani, Cloneable JVM: a new approach to start isolated java applications faster, Proceedings of the 3rd international conference on Virtual execution environments, June 13-15, 2007, San Diego, California, USA
	Paul Barford , Mike Blodgett, Toward botnet mesocosms, Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, p.6-6, April 10, 2007, Cambridge, MA
	Shinsuke Miwa , Toshiyuki Miyachi , Masashi Eto , Masashi Yoshizumi , Yoichi Shinoda, Design and implementation of an isolated sandbox with mimetic internet used to analyze malwares, Proceedings of the DETER Community Workshop on Cyber Security Experimentation and Test on DETER Community Workshop on Cyber Security Experimentation and Test 2007, p.6-6, August 06-07, 2007, Boston, MA
	Ariel Futoransky , Fernando Miranda , José Orlicki , Carlos Sarraute, Simulating cyber-attacks for fun and profit, Proceedings of the 2nd International Conference on Simulation Tools and Techniques, March 02-06, 2009, Rome, Italy
	Paula Ta-Shma , Guy Laden , Muli Ben-Yehuda , Michael Factor, Virtual machine time travel using continuous data protection and checkpointing, ACM SIGOPS Operating Systems Review, v.42 n.1, January 2008
	Dut h T. Meyer , Gitika Aggarwal , Brendan Cully , Geoffrey Lefebvre , Mi hael J. Feeley , Norman C. Hut hinson , Andrew Warfield, Parallax: virtual disks for virtual machines, ACM SIGOPS Operating Systems Review, v.42 n.4, May 2008
	Jason Franklin , Mark Luk , Jonathan M. McCune , Arvind Seshadri , Adrian Perrig , Leendert van Doorn, Remote detection of virtual machine monitors with fuzzy benchmarking, ACM SIGOPS Operating Systems Review, v.42 n.3, April 2008
	Min Gyung Kang , Pongsin Poosankam , Heng Yin, Renovo: a hidden code extractor for packed executables, Proceedings of the 2007 ACM workshop on Recurring malcode, November 02-02, 2007, Alexandria, Virginia, USA
	Yih Huang , Angelos Stavrou , Anup K. Ghosh , Sushil Jajodia, Efficiently tracking application interactions using lightweight virtualization, Proceedings of the 1st ACM workshop on Virtual machine security, October 27-27, 2008, Alexandria, Virginia, USA
	Mark Thober , J. Aaron Pendergrass , C. Durward McDonell, Improving coherency of runtime integrity measurement, Proceedings of the 3rd ACM workshop on Scalable trusted computing, October 31-31, 2008, Alexandria, Virginia, USA
	Yan Wen , Jinjing Zhao , Huaimin Wang, Hiding "real" machine from attackers and malware with a minimal virtual machine monitor, Proceedings of the 4th international conference on Security and privacy in communication netowrks, September 22-25, 2008, Istanbul, Turkey
	Kiran Lakkaraju , Adam Slagell, Evaluating the utility of anonymized network traces for intrusion detection, Proceedings of the 4th international conference on Security and privacy in communication netowrks, September 22-25, 2008, Istanbul, Turkey
	Philip Patchin , H. Andrés Lagar-Cavilla , Eyal de Lara , Michael Brudno, Adding the easy button to the cloud with SnowFlock and MPI, Proceedings of the 3rd ACM Workshop on System-level Virtualization for High Performance Computing, p.1-8, March 31-31, 2009, Nuremburg, Germany
	Manuel Costa , Jon Crowcroft , Miguel Castro , Antony Rowstron , Lidong Zhou , Lintao Zhang , Paul Barham, Vigilante: End-to-end containment of Internet worm epidemics, ACM Transactions on Computer Systems (TOCS), v.26 n.4, p.1-68, December 2008
	Horacio Andrés Lagar-Cavilla , Joseph Andrew Whitney , Adin Matthew Scannell , Philip Patchin , Stephen M. Rumble , Eyal de Lara , Michael Brudno , Mahadev Satyanarayanan, SnowFlock: rapid virtual machine cloning for cloud computing, Proceedings of the fourth ACM european conference on Computer systems, April 01-03, 2009, Nuremberg, Germany
	John P. John , Alexander Moshchuk , Steven D. Gribble , Arvind Krishnamurthy, Studying spamming botnets using Botlab, Proceedings of the 6th USENIX symposium on Networked systems design and implementation, p.291-306, April 22-24, 2009, Boston, Massachusetts
	Chris Matthews , Yvonne Coady, Virtualized recomposition: Cloudy or clear?, Proceedings of the 2009 ICSE Workshop on Software Engineering Challenges of Cloud Computing, p.38-43, May 23-23, 2009