
1 Scalability, Fidelity, and Containment in the Potemkin Virtual Honeyfarm
Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker, Stefan Savage
Collaborative Center for Internet Epidemiology and Defenses, Department of Computer Science and Engineering, University of California, San Diego

2 Background Info
Network Telescope Theory
HoneyPots: a system of intrusion/threat detection whose value lies in the fact that no traffic to the system is legitimate.
High Interaction or Low Interaction?
Benefit of Low Interaction: a large number of IPs can be covered.
Benefit of High Interaction: you gain better insight into the methods used and the possible outcomes of attacks.

3 Bottom Line
You can have a system that represents a larger net, so you have better odds of finding something malicious.
Or, you can have a system that monitors a smaller set of IPs, because there is more overhead in providing kernel and system access to the potential threat rather than just mimicking a network presence.

4 Bottom Line?
So why can't you have your cake and eat it too? Is it possible to provide a system that combines the best of both worlds?
Can you provide a Honeyfarm solution that allows you to monitor a large IP set and provide a valid system for each threat to incubate in, so analysis can be in-depth?
Can you do it without throwing large amounts of money at it?

5 Basis of Paper
This is the aim of this paper: utilize VM technology and custom software design to create a system which has high fidelity and can scale well to monitor a large environment if the need arises. Don't break the bank doing it either!

6 Problems
Resources: memory, CPU, HD space.
Routing: how do we route the packets so the Honeyfarm is invisible? How do we route packets so as not to cause an outbound attack?
Latency: how do we provide interaction so that the attacker does not know he is in a virtual environment?

7 Solutions!
Flash Cloning: allows the farm to scale as the need arises.
Delta Virtualization (Copy-On-Write): addresses the timing and resource use of each clone.
Creative Routing: limits the farm to dealing only with IPs that solicit communication.

8 Flash Cloning
VM instantiation can have high overhead and latency, especially when the VM needs to boot and load devices. To work around this, provide a "Reference Image": an image of an already loaded OS is kept frozen and unchanged. When the need arises for a new VM, clone this one. It is already ready to run; just change the IP.

9 Flash Cloning Benefits
Quicker load time.
New VMs can react to each new outside probe/threat.
Allows a pristine VM to be examined after compromise: you have a baseline to compare a compromised VM to.
A clone can be created and the threat will only see the initial delay between the first packet and the response.

10 Flash Cloning Courtesy of the paper and its authors

11 Delta Virtualization
Essentially an optimized copy-on-write technique. For each VM cloned, the entire image need not be copied: there will always be static parts of the OS memory that do not change. If that specific VM needs to alter memory, copy the memory at that location and change the VM's memory table to point to the new location.

12 Delta Virtualization Courtesy of the paper and its authors
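An added illustration of the delta virtualization idea as copy-on-write page sharing (this is not the Potemkin code; the page contents, image size and clone addresses are constructed). Clones share every page of the frozen reference image until they write to one, so the farm holds one image plus each clone's small delta.

```python
# Added illustration of delta virtualization as copy-on-write page sharing.
# This is not the Potemkin code; pages, image size and addresses are constructed.

class ReferenceImage:
    """Frozen snapshot of an already-booted guest; never modified."""
    def __init__(self, pages):
        self.pages = [bytes(p) for p in pages]      # shared by every clone

class Clone:
    """A flash clone whose page table initially points at reference pages."""
    def __init__(self, ref, ip):
        self.ref = ref
        self.ip = ip
        self.private = {}       # page index -> private copy, created on first write

    def read(self, idx):
        # A page is served from the clone's copy if it has one, else from the image.
        return bytes(self.private.get(idx, self.ref.pages[idx]))

    def write(self, idx, data):
        # First write to a shared page copies it (the "delta"); the reference
        # image is never touched, so later clones still start from a pristine state.
        if idx not in self.private:
            self.private[idx] = bytearray(self.ref.pages[idx])
        self.private[idx][:len(data)] = data

def farm_memory_pages(ref, clones):
    """Pages really resident: the single reference copy plus every clone's delta."""
    return len(ref.pages) + sum(len(c.private) for c in clones)

def demo(num_clones=100, image_pages=1024):
    ref = ReferenceImage([b"\x00" * 16] * image_pages)   # constructed image
    clones = [Clone(ref, f"10.0.0.{i}") for i in range(1, num_clones + 1)]
    for c in clones:
        c.write(5, b"netcfg")           # every clone patches its own IP config page
    clones[0].write(7, b"payload")      # one clone is compromised and dirties a page
    naive = image_pages * num_clones    # what a full copy per clone would cost
    return naive, farm_memory_pages(ref, clones)
```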

13 Creative Routing
Each incoming packet is mirrored at the edge router to the HoneyFarm. The farm has its own machine dedicated to routing packets. For each packet destined for an IP known to be unused, the gateway notifies the Cloning Manager on the least busy machine to allocate a new clone with that specific IP.

14 Creative Routing
After the initial lag from cloning, the clone is ready and notifies the Clone Manager. The Clone Manager tells the gateway, which then flushes the buffer of packets waiting for the clone and adds a routing rule to push all future communication for that IP address to that clone. To prevent horizontal port scans from overwhelming the farm, all further attempts on unused IPs from that source IP are ignored, keeping clone numbers in check.

15 Here is where the creativity comes in
What about threats that spread like worms? Viruses that call home? Rootkits that update themselves? Each communication between an outside IP and an internal IP is considered a Universe, and the route reflects it. If a compromised clone attempts outside communication, the communication is reflected back toward another clone inside the farm.

16 Here is where the creativity comes in
Thus, the farm can also serve as an "incubator", providing a microcosm for the threat to grow. It also allows for the possibility of cross contamination: you could set up rules to allow two uniquely infected clones to communicate with each other and create hybrid compromises. Another unseen benefit is that you can provide a concrete spread rate for a new threat, providing some reliable scale to rate new threats on.
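An added simulation of the gateway decisions described in slides 13 through 16 (not the paper's code; the farm addresses, external addresses and packets are constructed). It buffers packets while a clone boots, installs a route once the clone is ready, ignores further unused-IP attempts from a source that already has a clone, and reflects a clone's outbound traffic to another in-farm clone instead of letting it leave.

```python
from collections import defaultdict

# Added simulation of the gateway decisions described in the slides above; it is
# not the paper's code. Farm addresses, external addresses and packets are constructed.
class Gateway:
    def __init__(self, farm_ips):
        self.farm_ips = set(farm_ips)       # unused addresses the farm answers for
        self.routes = {}                    # IP -> clone id owning that address
        self.pending = defaultdict(list)    # IP -> packets buffered while its clone boots
        self.seen_sources = set()           # external IPs that already triggered a clone
        self.next_clone = 0

    def _allocate(self, ip):
        cid, self.next_clone = self.next_clone, self.next_clone + 1
        self.routes[ip] = cid
        return cid

    def inbound(self, src, dst, payload):
        """Packet mirrored from the edge router. Returns the routing decision."""
        if dst not in self.farm_ips:
            return "ignored:not-farm"
        if dst in self.pending:             # clone still booting: hold the packet
            self.pending[dst].append((src, dst, payload))
            return "buffered"
        if dst in self.routes:              # rule already installed for this IP
            return f"deliver:clone-{self.routes[dst]}"
        if src in self.seen_sources:        # horizontal scan: one clone per source
            return "ignored:scan"
        self.seen_sources.add(src)
        self.pending[dst].append((src, dst, payload))
        return f"cloning:clone-{self._allocate(dst)}"

    def clone_ready(self, ip):
        """Clone Manager reports the clone is up: flush what was buffered for it."""
        cid = self.routes[ip]
        return [(f"clone-{cid}", p) for p in self.pending.pop(ip, [])]

    def outbound(self, src, dst, payload):
        """Traffic leaving a clone. Anything aimed outside the farm is reflected to
        an in-farm clone impersonating dst, so the threat never reaches the Internet.
        Clone creation is treated as instantaneous here for brevity."""
        if dst not in self.routes:
            self._allocate(dst)
        return f"reflect:clone-{self.routes[dst]}"
```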

17 The numbers don't lie
The largest HoneyFarm known to the authors was Symantec's DeepSight, using 40 servers with VMware to mimic 2000 IP addresses. During Potemkin's "Live Deployment", the maximum they were able to simulate was 2100 VMs using one gateway and 9 servers, all 2.8 GHz Xeons with 2GB of memory and a gigabit NIC. Roughly $10,000 total at current market value.

18 Performance Numbers
The right-hand side represents possible future enhancements by recycling the data structures and tables of VMs that were torn down. Tables courtesy of the paper and its authors.

19 Strengths
Provides some really good ideas to maximize performance with limited hardware.
The incubator idea is really interesting.
The infection rate idea is really interesting.
Considered the legalities of a HoneyFarm infecting external IPs, and also considered hybrid infections.

20 Weaknesses
Live testing did not last longer than 10 minutes.
A lot of bugs are still left to work out before the solution could be considered stable enough for long-term deployment.
The system can be exploited by an attacker to exhaust the amount of resources in the system.
Timing characteristics can be used against the HoneyFarm to signal a virtual environment.

21 Weaknesses
A threat could look at the limited devices available and conclude it is in a virtual environment.
A threat could also reference an outside IP to determine whether it is in a virtual environment.
It may only be useful for examining malicious programs that are not designed to look for virtual environments, as an actual attacker worth their salt could determine it is a virtual environment.

22 Extensions
Elaborate on the idea of incubation more.
Improve multiple-OS support.
Enable packet analysis at the gateway to determine which OS to clone, providing a "best fit" for the attack.
Stabilize the system and introduce VM HD support so each clone can get access to swap space.

