Universal Honeyfarm Containment

The growing sophistication of self-propagating worms and botnets makes them increasingly difficult for investigators to understand. While honeyfarms have emerged as a powerful tool for capturing and analyzing rapidly spreading malware, the size and complexity of large-scale, high-fidelity honeyfarms make it difficult to operate them in a way that is both safe and effective. This paper introduces a universe abstraction that guarantees isolation between multiple malware infestations in a single honeyfarm while maximizing the realism of the honeyfarm as observed by a propagating worm. We demonstrate that each malware strain can be completely isolated without distorting its spreading behavior, and that this isolation can in fact increase the scalability of honeyfarms.
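As an added illustration of the isolation property the abstract describes (this is not the paper's code, and the mechanism is a simplified assumption: every honeypot VM is keyed by a (universe, IP) pair), a toy containment gateway. A worm inside one universe observes the full honeyfarm address space, but every target it touches is instantiated inside its own universe, so two strains can each "own" the same IP without ever meeting, and VMs are only created when touched.

```python
from collections import defaultdict


class UniverseGateway:
    """Toy model of universe-based containment (illustration, not the paper's code).

    Every VM is addressed by (universe, ip).  A worm inside universe u sees the
    whole honeyfarm address space, but every target it touches is instantiated
    inside u, so two strains can hold the same IP without ever meeting."""

    def __init__(self, honeyfarm_space):
        self.space = frozenset(honeyfarm_space)   # IPs the honeyfarm answers for
        self.vms = {}                             # (universe, ip) -> strain label
        self.strain_of = {}                       # universe -> strain label
        self.escapes = []                         # (universe, src, dst) blocked by containment
        self._next = 0

    def inbound(self, strain, dst):
        """First contact from an outside source: open a fresh universe for it."""
        if dst not in self.space:
            return None                           # not a honeyfarm address, ignore
        u, self._next = self._next, self._next + 1
        self.strain_of[u] = strain
        self.vms[(u, dst)] = strain               # instantiate the victim VM on demand
        return u

    def internal(self, universe, src, dst):
        """An infected VM in `universe` tries to propagate from src to dst."""
        if (universe, src) not in self.vms:
            raise KeyError(f"no VM {src} in universe {universe}")
        if dst not in self.space:
            self.escapes.append((universe, src, dst))   # containment: traffic never leaves
            return False
        # Lazy instantiation: VM count grows with IPs touched, not |universes| * |space|
        self.vms.setdefault((universe, dst), self.strain_of[universe])
        return True

    def reachable(self, universe):
        """What a worm in this universe believes it can reach: the full space (realism)."""
        return self.space

    def infected_ips(self, universe):
        """IPs instantiated (and infected) inside one universe (isolation)."""
        return {ip for (u, ip) in self.vms if u == universe}

    def copies_of(self, ip):
        """Which strains hold a VM at this IP; each entry is a separate, unrelated VM."""
        return {u: s for (u, i), s in self.vms.items() if i == ip}
```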
