HoneyCloud: Elastic Honeypots - On-attack Provisioning of High-interaction Honeypots

This paper presents HoneyCloud, a large-scale high-interaction honeypot architecture built on a cloud infrastructure. It shows how to set up and deploy virtualized honeypot hosts on demand on a private cloud. Each attacker is elastically assigned to a new virtual honeypot instance. HoneyCloud is highly scalable: with a small number of public IP addresses it can multiplex thousands of attackers. An attacker can perform malicious activities on the honeypot and launch new attacks from the compromised host. The architecture is designed to collect operating system logs about attacks from various IDS, tools and sensors; each virtual honeypot instance includes network and, above all, system sensors that gather more useful information than traditional network-oriented honeypots. The paper shows how attacker activities are collected into the cloud storage mechanism for later forensics. HoneyCloud also addresses efficient storage of attacker sessions, long-term session management, isolation between attackers, and the fidelity of the honeypot hosts.
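The on-attack provisioning and per-attacker session management described above can be illustrated with a small connection broker. The following is an added example written for this page, not HoneyCloud's own code: the cloud API is represented by two hypothetical callables (provision and destroy), the instance names, addresses and flows are constructed, and the first connection from a source address provisions a fresh instance to which later connections from that source are pinned until the session goes idle. It also keeps a per-session event trail of the kind a forensic store would ingest.

```python
"""
Illustrative connection broker for on-attack honeypot provisioning.
Hypothetical example code; not part of the HoneyCloud paper or system.

A few public addresses front a private cloud. The first connection from
an attacker source address provisions a fresh honeypot instance; later
connections from that source are routed to the same instance for the
life of the session, so the attacker sees one consistent host and never
shares it with another attacker. Idle sessions expire and their instance
is torn down, which is what lets a small public address pool multiplex
many attackers over time.
"""
from dataclasses import dataclass, field
import itertools
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Session:
    attacker: str                                    # attacker source address
    instance: str                                    # backend honeypot instance id
    started: float                                   # time of first contact
    last_seen: float                                 # time of last contact
    events: List[str] = field(default_factory=list)  # forensics trail for this session


class HoneyBroker:
    def __init__(self, provision: Callable[[], str], destroy: Callable[[str], None],
                 max_instances: int, idle_ttl: float) -> None:
        self._provision = provision      # stands in for the cloud "create VM" call
        self._destroy = destroy          # stands in for the cloud "destroy VM" call
        self.max_instances = max_instances
        self.idle_ttl = idle_ttl
        self.sessions: Dict[str, Session] = {}   # live sessions keyed by attacker address
        self.archive: List[Session] = []         # closed sessions retained for forensics

    def route(self, src_ip: str, dst_ip: str, dst_port: int, now: float) -> Optional[str]:
        """Return the backend instance that receives this connection, provisioning
        one on first contact. Returns None when capacity is exhausted: refusing is
        preferable to breaking isolation by placing two attackers on one instance."""
        self.expire(now)
        sess = self.sessions.get(src_ip)
        if sess is None:
            if len(self.sessions) >= self.max_instances:
                return None
            inst = self._provision()
            sess = Session(attacker=src_ip, instance=inst, started=now, last_seen=now)
            self.sessions[src_ip] = sess
            sess.events.append(f"{now:.0f} provisioned {inst} for {src_ip}")
        sess.last_seen = now
        sess.events.append(f"{now:.0f} {src_ip} -> {dst_ip}:{dst_port} => {sess.instance}")
        return sess.instance

    def expire(self, now: float) -> List[str]:
        """Close sessions idle longer than idle_ttl, tear down their instances,
        archive their event trails, and return the recycled instance ids."""
        recycled: List[str] = []
        for src, sess in list(self.sessions.items()):
            if now - sess.last_seen > self.idle_ttl:
                sess.events.append(f"{now:.0f} expired {sess.instance}")
                self._destroy(sess.instance)
                self.archive.append(sess)
                del self.sessions[src]
                recycled.append(sess.instance)
        return recycled


def simulate() -> Tuple[List[Optional[str]], List[str], HoneyBroker]:
    """Drive the broker with a constructed sequence of inbound connections."""
    counter = itertools.count(1)
    destroyed: List[str] = []
    broker = HoneyBroker(provision=lambda: f"vm-{next(counter)}",
                         destroy=destroyed.append, max_instances=2, idle_ttl=600)
    # Constructed flows: (time, attacker src, public dst, dst port).
    # Two attackers arrive, the first returns on another port, a third is
    # refused at capacity, and the second returns after both sessions expired.
    flows = [
        (0,    "198.51.100.7", "203.0.113.10", 22),
        (5,    "198.51.100.9", "203.0.113.10", 22),
        (10,   "198.51.100.7", "203.0.113.10", 80),
        (20,   "198.51.100.4", "203.0.113.11", 22),
        (1000, "198.51.100.9", "203.0.113.10", 445),
    ]
    routed = [broker.route(src, dst, port, t) for t, src, dst, port in flows]
    return routed, destroyed, broker


if __name__ == "__main__":
    routed, destroyed, broker = simulate()
    print("routing:", routed)
    print("recycled:", destroyed)
    for sess in broker.archive:
        print("\n".join(sess.events))
```

The refusal at capacity is deliberate: the alternative, reusing a live instance for a new source, would let one attacker observe or tamper with another's activity on the same host, which is exactly the isolation property the architecture is meant to preserve. In a real deployment the idle timeout and instance cap would be tuned against the provisioning latency of the cloud backend.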
