Scalability, fidelity, and containment in the Potemkin virtual honeyfarm

Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker, Stefan Savage

Research output: Contribution to journal › Article

Abstract

The rapid evolution of large-scale worms, viruses and botnets has made Internet malware a pressing concern. Such infections are at the root of modern scourges including DDoS extortion, on-line identity theft, SPAM, phishing, and piracy. However, the most widely used tools for gathering intelligence on new malware - network honeypots - have forced investigators to choose between monitoring activity at a large scale or capturing behavior with high fidelity. In this paper, we describe an approach to minimize this tension and improve honeypot scalability by up to six orders of magnitude while still closely emulating the execution behavior of individual Internet hosts. We have built a prototype honeyfarm system, called Potemkin, that exploits virtual machines, aggressive memory sharing, and late binding of resources to achieve this goal. While still an immature implementation, Potemkin has emulated over 64,000 Internet honeypots in live test runs, using only a handful of physical servers.
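The three ideas the abstract names (virtual machines, aggressive memory sharing, late binding of resources) plus the containment promised in the title can be seen in a small model. The following is an added illustration written for this page, not Potemkin's code or the authors' design: a gateway owns a block of monitored addresses, creates a honeypot VM only when a packet first arrives for an address, shares a reference image copy-on-write so that each guest pays only for the pages it dirties, and keeps a compromised guest's outbound traffic inside the farm. The `Gateway`, `HoneypotVM` and `ReferenceImage` classes, the reflect-or-drop containment policy, the idle timeout, the 16 MiB image and the sample address range are all assumptions of this model.

```python
"""Toy model of a late-binding, copy-on-write honeyfarm gateway.

Constructed illustration, not Potemkin's implementation. A VM exists for a
monitored address only after traffic arrives for it; each VM shares the
reference image's pages and copies one only on first write; outbound traffic
to another monitored address is reflected into the farm, anything else is
logged and dropped; idle VMs are reclaimed so the address pool stays cheap.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PAGE_SIZE = 4096  # assumed page size for the accounting


@dataclass
class ReferenceImage:
    """Snapshot of a booted guest; pages are read-only and shared by every clone."""
    pages: Dict[int, bytes]

    @staticmethod
    def synthetic(n_pages: int) -> "ReferenceImage":
        return ReferenceImage({i: bytes([i % 256]) * PAGE_SIZE for i in range(n_pages)})


@dataclass
class HoneypotVM:
    ip: str
    image: ReferenceImage
    private: Dict[int, bytearray] = field(default_factory=dict)  # CoW copies
    last_active: int = 0

    def read(self, page: int) -> bytes:
        return bytes(self.private.get(page, self.image.pages[page]))

    def write(self, page: int, data: bytes, now: int) -> None:
        """First write to a shared page copies it; later writes hit the copy."""
        if page not in self.private:
            self.private[page] = bytearray(self.image.pages[page])
        self.private[page][: len(data)] = data
        self.last_active = now

    def private_bytes(self) -> int:
        return len(self.private) * PAGE_SIZE


class Gateway:
    def __init__(self, monitored: Set[str], image: ReferenceImage, idle_timeout: int = 60):
        self.monitored = monitored
        self.image = image
        self.idle_timeout = idle_timeout
        self.vms: Dict[str, HoneypotVM] = {}
        self.contained: List[Tuple[str, str]] = []  # (vm ip, external dst) dropped

    def inbound(self, dst_ip: str, now: int) -> Optional[HoneypotVM]:
        """Late binding: clone a VM only when a packet actually arrives."""
        if dst_ip not in self.monitored:
            return None
        vm = self.vms.get(dst_ip)
        if vm is None:
            vm = HoneypotVM(ip=dst_ip, image=self.image)
            self.vms[dst_ip] = vm
        vm.last_active = now
        return vm

    def outbound(self, vm: HoneypotVM, dst_ip: str, now: int) -> str:
        """Containment policy (assumed): reflect farm-internal traffic, drop the rest."""
        if dst_ip in self.monitored:
            self.inbound(dst_ip, now)  # the scan spreads, but only inside the farm
            return "reflected"
        self.contained.append((vm.ip, dst_ip))
        return "dropped"

    def reclaim_idle(self, now: int) -> int:
        idle = [ip for ip, vm in self.vms.items() if now - vm.last_active > self.idle_timeout]
        for ip in idle:
            del self.vms[ip]
        return len(idle)

    def memory_in_use(self) -> int:
        """One shared image plus only the pages each guest has dirtied."""
        shared = len(self.image.pages) * PAGE_SIZE
        return shared + sum(vm.private_bytes() for vm in self.vms.values())


def simulate(n_targets: int = 1000, dirty_pages: int = 8) -> dict:
    """Constructed scenario: a scanner hits every monitored address once; each
    infected guest dirties a few pages and tries one connection to the outside."""
    image = ReferenceImage.synthetic(n_pages=4096)  # 16 MiB reference guest
    monitored = {f"10.0.{i // 256}.{i % 256}" for i in range(n_targets)}
    gw = Gateway(monitored, image)
    now = 0
    for ip in sorted(monitored):
        now += 1
        vm = gw.inbound(ip, now)
        for page in range(dirty_pages):
            vm.write(page, b"\x90" * 16, now)   # guest writes trigger CoW copies
        gw.outbound(vm, "198.51.100.7", now)    # outside address: dropped and logged
    naive = n_targets * len(image.pages) * PAGE_SIZE
    return {
        "vms": len(gw.vms),
        "memory_bytes": gw.memory_in_use(),
        "naive_bytes": naive,
        "contained": len(gw.contained),
        "reclaimed": gw.reclaim_idle(now + 1000),
    }
```

Running `simulate()` binds 1000 addresses to 1000 VMs while charging roughly 47 MiB instead of the 16 GiB that 1000 private copies of the image would need; the gap grows with the number of addresses because only dirtied pages are per-VM. The same loop also shows why containment is a gateway decision rather than a guest one: the guest's attempt to reach 198.51.100.7 never leaves the model, while a scan aimed at another monitored address simply spawns another clone.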

Original language: English (US)
Pages (from-to): 148-162
Number of pages: 15
Journal: Operating Systems Review (ACM)
Volume: 39
Issue number: 5
DOI: 10.1145/1095809.1095825
State: Published - Dec 1 2005

Keywords

  • Copy-on-write
  • Honeyfarm
  • Honeypot
  • Malware
  • Virtual machine monitor

ASJC Scopus subject areas

  • Information Systems
  • Hardware and Architecture
  • Computer Networks and Communications

Cite this

Vrable, M., Ma, J., Chen, J., Moore, D., Vandekieft, E., Snoeren, A. C., ... Savage, S. (2005). Scalability, fidelity, and containment in the Potemkin virtual honeyfarm. Operating Systems Review (ACM), 39(5), 148-162. https://doi.org/10.1145/1095809.1095825

@article{00ace223bc414efcb4b6cd6e9c72b39b,
title = "Scalability, fidelity, and containment in the Potemkin virtual honeyfarm",
abstract = "The rapid evolution of large-scale worms, viruses and botnets has made Internet malware a pressing concern. Such infections are at the root of modern scourges including DDoS extortion, on-line identity theft, SPAM, phishing, and piracy. However, the most widely used tools for gathering intelligence on new malware - network honeypots - have forced investigators to choose between monitoring activity at a large scale or capturing behavior with high fidelity. In this paper, we describe an approach to minimize this tension and improve honeypot scalability by up to six orders of magnitude while still closely emulating the execution behavior of individual Internet hosts. We have built a prototype honeyfarm system, called Potemkin, that exploits virtual machines, aggressive memory sharing, and late binding of resources to achieve this goal. While still an immature implementation, Potemkin has emulated over 64,000 Internet honeypots in live test runs, using only a handful of physical servers.",
keywords = "Copy-on-write, Honeyfarm, Honeypot, Malware, Virtual machine monitor",
author = "Michael Vrable and Justin Ma and Jay Chen and David Moore and Erik Vandekieft and Snoeren, {Alex C.} and Voelker, {Geoffrey M.} and Stefan Savage",
year = "2005",
month = "12",
day = "1",
doi = "10.1145/1095809.1095825",
language = "English (US)",
volume = "39",
pages = "148--162",
journal = "Operating Systems Review (ACM)",
issn = "0163-5980",
publisher = "Association for Computing Machinery (ACM)",
number = "5",

}

TY - JOUR
T1 - Scalability, fidelity, and containment in the Potemkin virtual honeyfarm
AU - Vrable, Michael
AU - Ma, Justin
AU - Chen, Jay
AU - Moore, David
AU - Vandekieft, Erik
AU - Snoeren, Alex C.
AU - Voelker, Geoffrey M.
AU - Savage, Stefan
PY - 2005/12/1
Y1 - 2005/12/1
AB - The rapid evolution of large-scale worms, viruses and botnets has made Internet malware a pressing concern. Such infections are at the root of modern scourges including DDoS extortion, on-line identity theft, SPAM, phishing, and piracy. However, the most widely used tools for gathering intelligence on new malware - network honeypots - have forced investigators to choose between monitoring activity at a large scale or capturing behavior with high fidelity. In this paper, we describe an approach to minimize this tension and improve honeypot scalability by up to six orders of magnitude while still closely emulating the execution behavior of individual Internet hosts. We have built a prototype honeyfarm system, called Potemkin, that exploits virtual machines, aggressive memory sharing, and late binding of resources to achieve this goal. While still an immature implementation, Potemkin has emulated over 64,000 Internet honeypots in live test runs, using only a handful of physical servers.
KW - Copy-on-write
KW - Honeyfarm
KW - Honeypot
KW - Malware
KW - Virtual machine monitor
UR - http://www.scopus.com/inward/record.url?scp=33750376717&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=33750376717&partnerID=8YFLogxK
U2 - 10.1145/1095809.1095825
DO - 10.1145/1095809.1095825
M3 - Article
AN - SCOPUS:33750376717
VL - 39
SP - 148
EP - 162
JO - Operating Systems Review (ACM)
JF - Operating Systems Review (ACM)
SN - 0163-5980
IS - 5
ER -