Collapsar: A VM-based honeyfarm and reverse honeyfarm architecture for network attack capture and detention

The honeypot has emerged as an effective tool for gaining insight into new attacks and exploitation trends. However, a single honeypot, or multiple independently operated honeypots, provides only a limited local view of network attacks. Coordinated deployment of honeypots across different network domains not only provides a broader view, but also creates opportunities for early network anomaly detection, attack correlation, and global network status inference. Unfortunately, coordinated honeypot operation requires close collaboration and uniform security expertise across the participating network domains. This conflict between distributed presence and uniform management poses a major challenge in honeypot deployment and operation. To address this challenge, we present Collapsar, a virtual machine-based architecture for network attack capture and detention. A Collapsar center hosts and manages a large number of high-interaction virtual honeypots in a local dedicated network. To attackers, these honeypots appear as real systems in their respective production networks. The decentralized logical presence of the honeypots provides a wide and diverse view of network attacks, while their centralized operation enables dedicated administration and convenient event correlation, eliminating the need for honeypot expertise in every production network domain. Collapsar realizes the traditional honeyfarm vision as well as our new reverse honeyfarm vision, in which honeypots act as vulnerable clients exploited by real-world malicious servers. We present the design, implementation, and evaluation of a Collapsar prototype. Our experiments with a number of real-world attacks demonstrate the effectiveness and practicality of Collapsar.
