Scalability, fidelity, and containment in the Potemkin virtual honeyfarm

Proceedings of the 20th ACM Symposium on Operating Systems Principles, SOSP 2005

Volumn , Issue , 2005, Pages 148-162

  Vrable, Michael ^a   Ma, Justin ^a   Chen, Jay ^a   Moore, David ^a   Vandekieft, Erik ^a   Snoeren, Alex C ^a   Voelker, Geoffrey M ^a   Savage, Stefan ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

copy on write; honeyfarm; honeypot; malware; virtual machine monitor

Indexed keywords

COPY-ON-WRITE; HONEYFARM; HONEYPOTS; MALWARES; VIRTUAL MACHINE MONITORS;

COMPUTER WORMS; CRIME; INTERNET; SCALABILITY; VIRUSES;

COMPUTER VIRUSES;

EID: 84885575254     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1095810.1095825     Document Type: Conference Paper

References (40)

1. M. Bailey, E. Cooke, F. Jahanian, J. Nazario, and D. Watson. The Internet Motion Sensor: A Distributed Blackhole Monitoring System. In Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS '05), San Diego, CA, Feb. 2005.
2. M. Bailey, E. Cooke, F. Jahanian, N. Provos, K. Rosaen, and D. Watson. Data Reduction for the Scalable Automated Analysis of Distributed Darknet Traffic. In Proceedings of the USENIX/ACM Internet Measurement Conference, New Orleans, LA, Oct. 2005.
3. P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield. Xen and the Art of Virtualization. In Proceedings of the 19th ACM Symposium on Operating System Principles (SOSP), Bolton Landing, NY, Oct. 2003.
4. P. Chen, A. Joshi, S. King, and G. Dunlap. Detecting Past and Present Intrusions through Vulnerability-specific Predicates. In Proceedings of the 20th ACM Symposium on Operating System Principles (SOSP), Brighton, UK, Oct. 2005.
5. B. Cheswick. An Evening with Berferd In Which a Cracker is Lured, Endured, and Studied. In Proceedings of the Winter Usenix Conference, San Francisco, CA, 1992.
6. C. Clark, K. Fraser, S. Hand, J. G. Hansen, E. Jul, C. Limpach, I. Pratt, and A. Warfield. Live Migration of Virtual Machines. In Proceedings of the 2nd ACM/USENIX Symposium on Networked Systems Design and Implementation (NSDI), Boston, MA, May 2005.
7. M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-End Containment of Internet Worms. In Proceedings of the 20th ACM Symposium on Operating System Principles (SOSP), Brighton, UK, Oct. 2005.
8. D. Dagon, X. Qin, G. Gu, W. Lee, J. Grizzard, J. Levine, and H. Owen. HoneyStat: Local Worm Detection Using Honeypots. In In Recent Advances In Intrusion Detection (RAID) 2004, Sept. 2004.
9. D. Ellis, J. Aiken, K. Attwood, and S. Tenaglia. A Behavioral Approach to Worm Detection. In Proceedings of the ACM Workshop on Rapid Malcode (WORM), Fairfax, VA, Oct. 2004.
10. D. Farinacci, T. Li, S. Hanks, D. Meyer, and P. Traina. RFC 2784 - Generic Routing Encapsulation (GRE). RFC 2784, Mar. 2000.
11. T. Garfinkel and M. Rosenblum. A Virtual Machine Introspection Based Architecture for Intrusion Detection. In Proceedings of the 10th Annual Network and Distributed System Security Symposium (NDSS '03), San Diego, CA, Feb. 2003.
12. Honeynet Project. Know Your Enemy: Learning about Security Threats. Pearson Education, Inc., Boston, MA, second edition, 2004.
13. Honeynet Project. Know Your Enemy: Tracking Botnets. http://www.honeynet. org/papers/bots/, Mar. 2005.
14. Intel. Virtualization Technology. http://www.intel.com/technology/ computing/vptech/.
15. X. Jiang and D. Xu. Collapsar: A VM-Based Architecture for Network Attack Detention Center. In Proceedings of the USENIX Security Symposium, San Diego, CA, Aug. 2004.
16. H.-A. Kim and B. Karp. Autograph: Toward Automated, Distributed Worm Signature Detection. In Proceedings of the USENIX Security Symposium, San Diego, CA, Aug. 2004.
17. E. Kohler, R. Morris, B. Chen, J. Jannotti, and M. F. Kaashoek. The Click Modular Router. ACM Transactions on Computer Systems, 18(3):263-297, Aug. 2000.
18. C. Kreibich and J. Crowcroft. Honeycomb - Creating Intrusion Detection Signatures Using Honeypots. In Proceedings of the 2nd ACM Workshop on Hot Topics in Networks (HotNets-II), Cambridge, MA, Nov. 2003.
19. G. R. Malan, D. Watson, F. Jahanian, and P. Howell. Transport and Application Protocol Scrubbing. In Proceedings of IEEE Infocom Conference, pages 1381-1390, Tel-Aviv, Isreal, Mar. 2000.
20. D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. Inside the Slammer Worm. IEEE Security and Privacy, 1(4):33-39, July 2003.
21. D. Moore, C. Shannon, and J. Brown. Code-Red: a case study on the spread and victims of an Internet worm. In Proceedings of the ACM/USENIX Internet Measurement Workshop (IMW), Marseille, France, Nov. 2002.
22. D. Moore, C. Shannon, G. Voelker, and S. Savage. Network telescopes: Technical report. Technical Report CS2004-0795, UCSD, July 2004.
23. D. Moore, G. M. Voelker, and S. Savage. Inferring Internet Denial of Service Activity. In Proceedings of the USENIX Security Symposium, Washington, D.C., Aug. 2001.
24. C. Nachenberg. From AntiVirus to AntiWorm: A New Strategy for A New Threat Landscape. Invited talk at 2004 ACM Worm, http://www.icir.org/vern/ worm04/carey.ppt.
25. J. Newsome and D. Song. Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. In Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS '05), San Diego, CA, Feb. 2005.
26. R. Pang, V. Yegneswaran, P. Barford, V. Paxson, and L. Peterson. Characteristics of Internet Background Radiation. In Proceedings of the USENIX/ACM Internet Measurement Conference, Taormina, Sicily, Italy, Oct. 2004.
27. N. Provos. A Virtual Honeypot Framework. In Proceedings of the USENIX Security Symposium, San Diego, CA, Aug. 2004.
28. J. Rabek, R. Khazan, S. Lewandowski, and R. Cunningham. Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code. In Proceedings of the ACM Workshop on Rapid Malcode (WORM), Washington, D.C., Oct. 2003.
29. S. Singh, C. Estan, G. Varghese, and S. Savage. Automated Worm Fingerprinting. In Proceedings of the 6th ACM/USENIX Symposium on Operating System Design and Implementation (OSDI), San Francisco, CA, Dec. 2004.
30. D. Song, R. Malan, and R. Stone. A Snapshot of Global Internet Worm Activity. Technical report, Arbor Networks Technical Report, Nov. 2001.
31. C. Stoll. The Cuckoo's Egg. Pocket Books, New York, NY, 1990.
32. Symantec. Decoy Server Product Sheet. http://www.symantec.com/.
33. S. Venkataraman, D. Song, P. Gibbons, and A. Blum. New Streaming Algorithms for Superspreader Detection. In Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS '05), San Diego, CA, Feb. 2005.
34. C. A. Waldspurger. Memory Resource Management in VMware ESX Server. In Proceedings of the 5th ACM/USENIX Symposium on Operating System Design and Implementation (OSDI), Boston, MA, Dec. 2002.
35. Y.-M. Wang, D. Beck, X. Jiang, and R. Roussev. Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites that Exploit Browser Vulnerabilities. Technical Report MSR-TR-2005-72, Microsoft Research, Aug. 2005.
36. A. Warfield, R. Ross, K. Fraser, C. Limpach, and S. Hand. Parallax: Managing Storage for a Million Machines. In Proceedings of the 10th USENIX Workshop on Hot Topics in Operating Systems (HotOS-X), Santa Fe, NM, June 2005.
37. N. Weaver, S. Staniford, and V. Paxson. Very Fast Containment of Scanning Worms. In Proceedings of the USENIX Security Symposium, San Diego, CA, Aug. 2004.
38. A. Whitaker, M. Shaw, and S. D. Gribble. Scale and Performance in the Denali Isolation Kernel. In Proceedings of the 5th ACM/USENIX Symposium on Operating System Design and Implementation (OSDI), Boston, MA, Dec. 2002.
39. J. Xiong. ACT: Attachment Chain Tracing Scheme for Email Virus Detection and Control. In Proceedings of the ACM Workshop on Rapid Malcode (WORM), Fairfax, VA, Oct. 2004.
40. V. Yegneswaran, P. Barford, and D. Plonka. On the Design and Use of Internet Sinks for Network Abuse Monitoring. In Proceedings of Symposium on Recent Advances in Intrusion Detection (RAID), Sept. 2004.