Scalability, fidelity, and containment in the Potemkin virtual honeyfarm

Michael Vrable, Justin Ma, Jay Chen, D. Moore, Erik Vandekieft, A. Snoeren, G. Voelker, S. Savage
DOI: 10.1145/1095810.1095825 (https://doi.org/10.1145/1095810.1095825)
Venue: Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles
Publication date: 2005-10-23
Citations: 390

Abstract

The rapid evolution of large-scale worms, viruses and botnets has made Internet malware a pressing concern. Such infections are at the root of modern scourges including DDoS extortion, online identity theft, spam, phishing, and piracy. However, the most widely used tools for gathering intelligence on new malware -- network honeypots -- have forced investigators to choose between monitoring activity at a large scale or capturing behavior with high fidelity. In this paper, we describe an approach to minimize this tension and improve honeypot scalability by up to six orders of magnitude while still closely emulating the execution behavior of individual Internet hosts. We have built a prototype honeyfarm system, called Potemkin, that exploits virtual machines, aggressive memory sharing, and late binding of resources to achieve this goal. While still an immature implementation, Potemkin has emulated over 64,000 Internet honeypots in live test runs, using only a handful of physical servers.