Potemkin Honeyfarm System

An interesting paper was presented at the 20th ACM Symposium on Operating Systems Principles (SOSP 2005). The paper, "Scalability, Fidelity, and Containment in the Potemkin Virtual Honeyfarm", describes a prototype honeyfarm that can emulate thousands of hosts in parallel. It uses Xen, a virtual machine monitor based on paravirtualization, as its basic building block. On top of that, the paper introduces two ideas to raise the number of honeypots a single physical server can host: flash cloning (a honeypot VM is instantiated on demand from a pre-booted reference image only when traffic for its address arrives, i.e. resources are bound late) and delta virtualization (clones share the reference image's memory copy-on-write, so each VM only pays for the pages it actually modifies). Unfortunately, the system is not available for download...
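To make the two mechanisms concrete, here is a small simulation of them: a frozen reference image, clones that are created only when a packet for their address shows up (late binding), and copy-on-write pages so that each clone's memory cost is just its delta. This is an added illustration written for this post, not Potemkin's code; the page contents, addresses and the class names (ReferenceImage, Clone, Honeyfarm) are all constructed for the example.

```python
# Toy model of flash cloning with copy-on-write memory sharing
# (delta virtualization). Added illustration, not the Potemkin implementation.
from dataclasses import dataclass
from typing import Dict, List

PAGE_SIZE = 4096


@dataclass(frozen=True)
class ReferenceImage:
    """Memory of one fully booted honeypot VM, frozen and shared read-only."""
    pages: List[bytes]


class Clone:
    """A flash clone: only pages it writes are copied, the rest stay shared."""

    def __init__(self, ref: ReferenceImage, ip: str) -> None:
        self.ref = ref
        self.ip = ip
        self.private: Dict[int, bytearray] = {}   # pfn -> this clone's own copy

    def read(self, pfn: int) -> bytes:
        page = self.private.get(pfn)
        return bytes(page) if page is not None else self.ref.pages[pfn]

    def write(self, pfn: int, offset: int, data: bytes) -> None:
        if offset < 0 or offset + len(data) > PAGE_SIZE:
            raise ValueError("write crosses page boundary")
        if pfn not in self.private:
            # copy-on-write: the first write to a page takes a private copy
            self.private[pfn] = bytearray(self.ref.pages[pfn])
        self.private[pfn][offset:offset + len(data)] = data

    def delta_bytes(self) -> int:
        return len(self.private) * PAGE_SIZE


class Honeyfarm:
    """Late binding: a VM for an address exists only once traffic arrives."""

    def __init__(self, ref: ReferenceImage) -> None:
        self.ref = ref
        self.clones: Dict[str, Clone] = {}

    def on_packet(self, dest_ip: str) -> Clone:
        clone = self.clones.get(dest_ip)
        if clone is None:
            clone = Clone(self.ref, dest_ip)      # flash clone on first packet
            self.clones[dest_ip] = clone
        return clone

    def footprint_bytes(self) -> int:
        """Shared reference image plus every clone's private delta."""
        return len(self.ref.pages) * PAGE_SIZE + sum(
            c.delta_bytes() for c in self.clones.values())

    def naive_footprint_bytes(self) -> int:
        """What the same clones would cost as independent full VMs."""
        return len(self.clones) * len(self.ref.pages) * PAGE_SIZE


def make_reference(num_pages: int) -> ReferenceImage:
    # Constructed sample image: page i is filled with byte i.
    return ReferenceImage([bytes([i % 256]) * PAGE_SIZE for i in range(num_pages)])


def simulate(num_hosts: int, pages_per_guest: int, dirty_pages_per_host: int) -> Honeyfarm:
    """Drive traffic to num_hosts addresses; each clone dirties a few pages."""
    farm = Honeyfarm(make_reference(pages_per_guest))
    for i in range(num_hosts):
        clone = farm.on_packet(f"10.0.{i // 256}.{i % 256}")
        for pfn in range(dirty_pages_per_host):
            clone.write(pfn, 0, b"\xcc")          # stand-in for guest activity
    return farm


if __name__ == "__main__":
    farm = simulate(num_hosts=1000, pages_per_guest=256, dirty_pages_per_host=8)
    print("clones:", len(farm.clones))
    print("shared footprint MiB:", farm.footprint_bytes() / 2**20)
    print("naive footprint MiB:", farm.naive_footprint_bytes() / 2**20)
```

The ratio between the two footprints is what the paper's scalability argument rests on: as long as each honeypot touches only a small fraction of its pages before it is torn down, the cost of a clone is its delta, not a full guest.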

Abstract:
The rapid evolution of large-scale worms, viruses and botnets has made Internet malware a pressing concern. Such infections are at the root of modern scourges including DDoS extortion, on-line identity theft, SPAM, phishing, and piracy. However, the most widely used tools for gathering intelligence on new malware - network honeypots - have forced investigators to choose between monitoring activity at a large scale or capturing behavior with high fidelity. In this paper, we describe an approach to minimize this tension and improve honeypot scalability by up to six orders of magnitude while still closely emulating the execution behavior of individual Internet hosts. We have built a prototype honeyfarm system, called Potemkin, that exploits virtual machines, aggressive memory sharing, and late binding of resources to achieve this goal. While still an immature implementation, Potemkin has emulated over 64,000 Internet honeypots in live test runs, using only a handful of physical servers.

BibTeX:
@inproceedings{Vrable:2005:SFC,
  author    = {Michael Vrable and Justin Ma and Jay Chen and David Moore and
               Erik Vandekieft and Alex C. Snoeren and Geoffrey M. Voelker and
               Stefan Savage},
  title     = {Scalability, Fidelity, and Containment in the Potemkin Virtual Honeyfarm},
  booktitle = {Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP 2005)},
  year      = {2005},
  month     = oct,
  pages     = {148--162},
}
