Scalability, Fidelity, and Containment in the Potemkin Virtual Honeyfarm

Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker, and Stefan Savage
Collaborative Center for Internet Epidemiology and Defenses
Department of Computer Science and Engineering
University of California, San Diego

ABSTRACT

The rapid evolution of large-scale worms, viruses and botnets has made Internet malware a pressing concern. Such infections are at the root of modern scourges including DDoS extortion, on-line identity theft, SPAM, phishing, and piracy. However, the most widely used tools for gathering intelligence on new malware — network honeypots — have forced investigators to choose between monitoring activity at a large scale or capturing behavior with high fidelity. In this paper, we describe an approach to minimize this tension and improve honeypot scalability by up to six orders of magnitude while still closely emulating the execution behavior of individual Internet hosts. We have built a prototype honeyfarm system, called Potemkin, that exploits virtual machines, aggressive memory sharing, and late binding of resources to achieve this goal. While still an immature implementation, Potemkin has emulated over 64,000 Internet honeypots in live test runs, using only a handful of physical servers.
Categories and Subject Descriptors

D.4.6 [Operating Systems]: Security and Protection — Invasive software; C.2.0 [Computer-Communication Networks]: General — Security and protection; D.4.2 [Operating Systems]: Storage Management — Virtual memory; C.2.3 [Computer-Communication Networks]: Network Operations — Network monitoring

General Terms

Measurement, Security

Keywords

copy-on-write, honeyfarm, honeypot, malware, virtual machine monitor

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
SOSP'05, October 23–26, 2005, Brighton, United Kingdom.
Copyright 2005 ACM 1-59593-079-5/05/0010 ... $5.00.

1. INTRODUCTION

The ability to compromise large numbers of Internet hosts has emerged as the backbone of a new criminal economy encompassing bulk-email (SPAM), denial-of-service extortion, phishing, piracy, and identity theft. Using tools such as worms, viruses and scanning botnets, the technical cadre of this community can leverage a handful of software vulnerabilities into a large-scale virtual commodity — hundreds of thousands of remotely controlled "bot" hosts — that are then used, resold or leased for a variety of illegal purposes ....
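The abstract attributes Potemkin's scalability to late binding of resources (a honeypot VM exists only once traffic arrives for its address) and aggressive copy-on-write memory sharing against one reference image. The following constructed Python model, added here and not code from the paper or the Potemkin prototype, makes that accounting concrete: the page counts, page sizes, address ranges and per-host dirtied-page numbers are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Constructed reference image: 4096 placeholder pages standing in for a booted honeypot OS.
REFERENCE_IMAGE = [f"ref-page-{i}" for i in range(4096)]


@dataclass
class Honeypot:
    """One flash-cloned honeypot VM. Unmodified pages stay shared with the reference
    image; a write copies only that page into the clone's private map (copy-on-write)."""
    ip: str
    private_pages: dict = field(default_factory=dict)

    def read(self, idx, reference):
        return self.private_pages.get(idx, reference[idx])

    def write(self, idx, data):
        self.private_pages[idx] = data


class Honeyfarm:
    """Late binding: no VM is instantiated for an address until a packet for it arrives."""

    def __init__(self, reference):
        self.reference = reference
        self.honeypots = {}

    def deliver(self, dst_ip, page_writes):
        hp = self.honeypots.get(dst_ip)
        if hp is None:  # first contact with this address: clone a fresh honeypot for it
            hp = Honeypot(dst_ip)
            self.honeypots[dst_ip] = hp
        for idx, data in page_writes:  # pages the honeypot dirties while handling the traffic
            hp.write(idx, data)
        return hp

    def reclaim(self, dst_ip):
        """Tear down an idle honeypot; only its private pages are freed, shared pages stay."""
        self.honeypots.pop(dst_ip, None)

    def physical_pages(self):
        """Pages actually backed by RAM: one shared image plus every clone's private pages."""
        return len(self.reference) + sum(len(h.private_pages) for h in self.honeypots.values())

    def naive_pages(self):
        """Cost of the conventional design: a full private image copy per honeypot."""
        return len(self.reference) * len(self.honeypots)


def simulate(farm, n_addresses, dirtied_per_host):
    """Drive traffic to n_addresses distinct (constructed) addresses, each dirtying a few pages."""
    for i in range(n_addresses):
        writes = [(p, f"dirty-by-host-{i}") for p in range(dirtied_per_host)]
        farm.deliver(f"10.0.{i // 256}.{i % 256}", writes)
    return farm.physical_pages(), farm.naive_pages()
```

With 1000 contacted addresses dirtying 8 pages each, `simulate` reports 12096 physically backed pages against 4,096,000 for per-VM copies; addresses that never receive traffic cost nothing at all.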
This note was uploaded on 08/25/2011 for the course CDA 6938 taught by Professor Zou,c during the Fall '08 term at University of Central Florida.