Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm Authors: Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex.


Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm
Authors: Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker and Stefan Savage, University of California, San Diego
Proceedings of the ACM Symposium on Operating System Principles (SOSP), Brighton, UK, October 2005
Presented by: Dan DeBlasio for CAP 6133, Spring 2008

Outline
- Architectural Overview
- Implementation
- Results
- Commentary/Conclusion

Overview
- When a packet comes in, it is routed to an existing VM if one owns that address; otherwise a new VM is created for that address.
- The new VM is a copy of a template system, used to carry out the interaction.
- Each VM only keeps track of its differences from the template.
- Infection traffic is contained so a compromised VM cannot infect others.

Honeyfarm Architecture (flowchart, reconstructed from the slide labels)
- Packet comes in -> Is the destination IP already a VM?
  - No -> Create VM, then forward the packet to it
  - Yes -> Forward the packet to the existing VM
- Outbound packet from a VM -> Is it safe?
  - Yes -> Send to the Internet
  - No -> Contained within the honeyfarm

Honeyfarm Architecture

Containment
- Until now we have only seen low-interaction honeyfarms.
- The problem: how to keep a high-interaction honeyfarm from becoming a worm incubator.
- Potemkin relies on the gateway router to "scrub" the outgoing traffic.
- If needed, it emulates the destination addresses on the internal network instead of letting packets out.

Gateway Router
- Incoming packets to an inactive IP are sent to a non-overloaded physical server so the address can be emulated there; the choice is random or calculated from load.
- Packets directed to an active IP pass to the machine where a VM has already been created for it.
- Filters out "known" attacks so the farm does not emulate the same worm over and over.

Gateway Router (continued)
- Must prevent a worm or outbreak from starving the honeyfarm of resources through reflection (outbound packets reflected back into the farm would otherwise spawn VMs without bound).
- Decides when a VM should be reclaimed because it is inactive and was not successfully compromised.
- Also decides when a compromised machine should be reclaimed to reallocate its resources.
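The gateway policy described on the last three slides, as an added toy model (not code from Potemkin or the slides): inbound dispatch to the least-loaded server, a filter for known attacks, reflection of outbound packets into the farm with a per-VM budget so one worm cannot starve it, and reclamation of idle VMs. All class and method names, the server names and the numbers are hypothetical.

```python
from collections import defaultdict

class Gateway:
    """Toy model of the Potemkin gateway router policy (hypothetical names)."""

    def __init__(self, servers, idle_timeout=60.0, reflect_budget=8):
        self.servers = list(servers)        # physical servers hosting clones
        self.load = defaultdict(int)        # server -> number of active VMs
        self.vms = {}                       # emulated IP -> (server, last activity)
        self.reflections = defaultdict(int) # VM IP -> reflected packets so far
        self.idle_timeout = idle_timeout
        self.reflect_budget = reflect_budget
        self.known_signatures = set()       # "known" attacks we do not re-emulate

    def inbound(self, dst_ip, payload, now):
        """Dispatch an inbound packet; returns (server, action)."""
        if payload in self.known_signatures:
            return (None, "drop-known")     # no clone for an already-seen worm
        if dst_ip in self.vms:
            server, _ = self.vms[dst_ip]
            self.vms[dst_ip] = (server, now)
            return (server, "forward")
        # least-loaded server gets the new clone (the slides also allow random)
        server = min(self.servers, key=lambda s: self.load[s])
        self.load[server] += 1
        self.vms[dst_ip] = (server, now)
        return (server, "create")

    def outbound(self, src_ip, dst_ip, payload, now):
        """Contain a packet leaving a VM; nothing reaches the Internet unscrubbed."""
        if src_ip not in self.vms:
            return "drop-unknown-source"
        server, _ = self.vms[src_ip]
        self.vms[src_ip] = (server, now)
        if self.reflections[src_ip] < self.reflect_budget:
            # reflect: emulate the destination inside the farm (may clone a VM)
            self.reflections[src_ip] += 1
            _, action = self.inbound(dst_ip, payload, now)
            return "reflect:" + action
        return "scrub"  # budget spent: hand to the scrubber instead of spawning VMs

    def reclaim_idle(self, now):
        """Tear down VMs idle longer than idle_timeout; returns their IPs."""
        idle = [ip for ip, (_, t) in self.vms.items() if now - t > self.idle_timeout]
        for ip in idle:
            server, _ = self.vms.pop(ip)
            self.load[server] -= 1
            self.reflections.pop(ip, None)
        return idle
```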

Virtual Machine Monitor
- At startup the system boots the guest OS and lets it warm up and start its server services.
- It then takes a snapshot of the system (like hibernate).
- This snapshot is used to create new VMs on the fly.
- The reference VM is left running so its memory keeps getting updated.

VMM - Flash Cloning (sequence diagram, reconstructed from the slide labels; participants: Domain Network Stack, Xen Management Daemon, Clone Manager, Cloned VM; time runs downward)
1. A new packet for address A arrives; the network stack queues packets until the clone is ready.
2. The request is passed to the clone manager's queue.
3. Clone manager -> Xen management daemon: "clone VM"; reply: "okay".
4. The new clone is told "change to IP A"; reply: "okay".
5. The queued packets are flushed and forwarded to the cloned VM.
6. The cloned VM's response goes back out.

Delta Virtualization
- At copy time, each VM maps all its memory to the reference VM's memory.
- On a write, a private copy of the page is stored in the VM's own memory.
- Memory sharing across VMs further reduces the amount of memory needed.
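A toy model of the delta virtualization slide, added here and not code from Potemkin or Xen: every clone reads through to the template's pages, a write creates a private copy of just that page, and the allocation count shows how much sharing saves. Class names, page contents and counts are hypothetical.

```python
class Template:
    """Snapshot of the warmed-up reference VM: a list of page contents."""
    def __init__(self, pages):
        self.pages = list(pages)

class CloneVM:
    """A flash-cloned VM that stores only its delta from the template."""
    def __init__(self, template):
        self.template = template
        self.private = {}             # page index -> private (copy-on-write) copy

    def read(self, idx):
        # Unwritten pages are served from the shared template
        return self.private.get(idx, self.template.pages[idx])

    def write(self, idx, data):
        # First write to a page copies it into the clone's own memory
        self.private[idx] = data

def allocated_pages(template, clones, share=True):
    """Pages actually backed by memory: the template plus every clone's delta.
    With share=True, identical private pages across clones count once, which is
    the further memory-sharing step the slide mentions."""
    if not share:
        return len(template.pages) + sum(len(c.private) for c in clones)
    unique = {(i, data) for c in clones for i, data in c.private.items()}
    return len(template.pages) + len(unique)

def clone_and_touch(template, n_clones, touched_page, data):
    """Create n clones that each write one page; returns (clones, without, with)."""
    clones = [CloneVM(template) for _ in range(n_clones)]
    for c in clones:
        c.write(touched_page, data)
    return clones, allocated_pages(template, clones, share=False), allocated_pages(template, clones)
```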

Delta Virtualization

Results: the tested address range is a /16 (a Class B network), about 65,536 (2^16) addresses.

Results

Contributions
- Shows that you can build a large-scale, high-interaction honeyfarm.
- Gives proof (in simulation) that the approach can improve the efficiency of a honeyfarm.

Weaknesses
- Only tested in simulation.
- Only used Linux-based server VMs.
- Only tried at the /16 level.

Improvements
- Use Windows PCs as well as Linux servers.
- Use a Honeyd-style first response so that you don't have to clone a VM for scanning packets.