scalability fidelity and containment in the potemkin
play

Scalability, Fidelity, and Containment in the Potemkin Virtual - PowerPoint PPT Presentation

Nov 12, 2023 •29 likes •379 views

Introduction Design Architecture & Evaluation Scalability, Fidelity, and Containment in the Potemkin Virtual Honeyfarm Michael Vrable , Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker, Stefan Savage

  1. Introduction Design Architecture & Evaluation Scalability, Fidelity, and Containment in the Potemkin Virtual Honeyfarm Michael Vrable , Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker, Stefan Savage Collaborative Center for Internet Epidemiology and Defenses (CCIED) University of California, San Diego The Potemkin Virtual Honeyfarm 1 / 20

  2. Introduction Design Architecture & Evaluation Background ◮ Large-scale host exploitation a serious problem ◮ Worms, viruses, bots, spyware. . . ◮ Supports an emerging economic criminal enterprise ◮ SPAM, DDoS, phishing, piracy, ID theft. . . ◮ Two weeks ago, one group arrested—controlled 1.5 M hosts! ◮ Quality and sophistication of malware increasing rapidly The Potemkin Virtual Honeyfarm 2 / 20

  3. Introduction Design Architecture & Evaluation Motivation ◮ Intelligence about new threats is critical for defenders ◮ Principal tool is the network honeypot ◮ Monitored system deployed for the purpose of being attacked ◮ Honeyfarm : Collection of honeypots ◮ Provide early warning, accurate inference of global activity, cover wide range of software ◮ Design issues ◮ Scalability: How many honeypots can be deployed ◮ Fidelity: How accurately systems are emulated ◮ Containment: How well innocent third parties are protected ◮ Challenge: tension between scalability and fidelity The Potemkin Virtual Honeyfarm 3 / 20

  4. Introduction Design Architecture & Evaluation Honeyfarm Scalability/Fidelity Tradeoff High Scalability High Fidelity The Potemkin Virtual Honeyfarm 4 / 20

  5. Introduction Design Architecture & Evaluation Honeyfarm Scalability/Fidelity Tradeoff Physical Honeypots (Honeynet Project) VM-based Honeyfarms (Collapsar, Symantec) High Scalability High Fidelity Execute real code The Potemkin Virtual Honeyfarm 4 / 20

  6. Introduction Design Architecture & Evaluation Honeyfarm Scalability/Fidelity Tradeoff Lightweight Responders Physical Honeypots (iSink, IMS, honeyd) (Honeynet Project) Network Telescopes VM-based Honeyfarms (Collapsar, Symantec) High Scalability High Fidelity Millions of addresses Execute real code The Potemkin Virtual Honeyfarm 4 / 20

  7. Introduction Design Architecture & Evaluation Honeyfarm Scalability/Fidelity Tradeoff Lightweight Responders Physical Honeypots (iSink, IMS, honeyd) (Honeynet Project) Network Telescopes VM-based Honeyfarms (Collapsar, Symantec) High Scalability High Fidelity Millions of addresses Execute real code Our Goal: Both The Potemkin Virtual Honeyfarm 4 / 20

  8. Introduction Approach Design Network-Level Multiplexing Architecture & Evaluation Host-Level Multiplexing Approach ◮ Dedicated honeypot systems are overkill ◮ Can provide the illusion of dedicated systems via aggressive resource multiplexing at network and host levels The Potemkin Virtual Honeyfarm 5 / 20

  9. Introduction Approach Design Network-Level Multiplexing Architecture & Evaluation Host-Level Multiplexing Network-Level Multiplexing ◮ Most addresses don’t receive traffic most of the time ⇒ Apply late binding of IP addresses to honeypots ◮ Most traffic that is received causes no interesting effects ⇒ Allocate honeypots only long enough to identify interesting behavior ⇒ Recycle honeypots as soon as possible ◮ How many honeypots are required? ◮ For a given request rate, depends upon recycling rate The Potemkin Virtual Honeyfarm 6 / 20

  10. Introduction Approach Design Network-Level Multiplexing Architecture & Evaluation Host-Level Multiplexing Effectiveness of Network-Level Multiplexing 1 Active Machines / Total Addresses 0.1 0.01 0.001 1 10 100 Recycling Time (s) The Potemkin Virtual Honeyfarm 7 / 20

  11. Introduction Approach Design Network-Level Multiplexing Architecture & Evaluation Host-Level Multiplexing Effectiveness of Network-Level Multiplexing 1 Active Machines / Total Addresses 0.1 0.01 0.001 1 10 100 Recycling Time (s) 2–3 orders of magnitude improvement! The Potemkin Virtual Honeyfarm 7 / 20

  12. Introduction Approach Design Network-Level Multiplexing Architecture & Evaluation Host-Level Multiplexing Host-Level Multiplexing ◮ CPU utilization in each honeypot quite low (milliseconds to process traffic) ⇒ Use VMM to multiplex honeypots on a single physical machine ◮ Few memory pages actually modified when handling network data ⇒ Share unmodified pages among honeypots within a machine ◮ How many virtual machines can we support? ◮ Limited by unique memory required per VM The Potemkin Virtual Honeyfarm 8 / 20

  13. Introduction Approach Design Network-Level Multiplexing Architecture & Evaluation Host-Level Multiplexing Effectiveness of Host-Level Multiplexing 4 Telnet 3.5 Memory Pages Modified (MB) 3 HTTP 2.5 2 Ping 1.5 1 0.5 0 0 20 40 60 80 100 Time (s) The Potemkin Virtual Honeyfarm 9 / 20

  14. Introduction Approach Design Network-Level Multiplexing Architecture & Evaluation Host-Level Multiplexing Effectiveness of Host-Level Multiplexing 4 Telnet 3.5 Memory Pages Modified (MB) 3 HTTP 2.5 2 Ping 1.5 1 0.5 0 0 20 40 60 80 100 Time (s) Further 2–3 orders of magnitude improvement The Potemkin Virtual Honeyfarm 9 / 20

  15. Overview Introduction Potemkin VMM Design Containment Architecture & Evaluation Challenges The Potemkin Honeyfarm Architecture ◮ Two components: ◮ Gateway ◮ VMM The Potemkin Virtual Honeyfarm 10 / 20

  16. Overview Introduction Potemkin VMM Design Containment Architecture & Evaluation Challenges The Potemkin Honeyfarm Architecture ◮ Two components: ◮ Gateway ◮ VMM ◮ Basic operation: ◮ Packet received by gateway The Potemkin Virtual Honeyfarm 10 / 20

  17. Overview Introduction Potemkin VMM Design Containment Architecture & Evaluation Challenges The Potemkin Honeyfarm Architecture ◮ Two components: ◮ Gateway ◮ VMM ◮ Basic operation: ◮ Packet received by gateway ◮ Dispatched to honeyfarm server The Potemkin Virtual Honeyfarm 10 / 20

  18. Overview Introduction Potemkin VMM Design Containment Architecture & Evaluation Challenges The Potemkin Honeyfarm Architecture ◮ Two components: ◮ Gateway ◮ VMM ◮ Basic operation: ◮ Packet received by gateway ◮ Dispatched to honeyfarm server ◮ VM instantiated ◮ Adopts IP address The Potemkin Virtual Honeyfarm 10 / 20

  19. Overview Introduction Potemkin VMM Design Containment Architecture & Evaluation Challenges Potemkin VMM Requirements ◮ VMs created on demand ◮ VM creation must be fast enough to maintain illusion The Potemkin Virtual Honeyfarm 11 / 20

  20. Overview Introduction Potemkin VMM Design Containment Architecture & Evaluation Challenges Potemkin VMM Requirements ◮ VMs created on demand ◮ VM creation must be fast enough to maintain illusion ◮ Many VMs created ◮ Must be resource-efficient The Potemkin Virtual Honeyfarm 11 / 20

  21. Overview Introduction Potemkin VMM Design Containment Architecture & Evaluation Challenges Potemkin VMM Overview ◮ Modified version of Xen 3.0 (pre-release) ◮ Flash cloning ◮ Fork copies from a reference honeypot VM ◮ Reduces VM creation time—no need to boot ◮ Applications all ready to run ◮ Delta virtualization ◮ Copy-on-write sharing (between VMs) ◮ Reduces per-VM state—only stores unique data ◮ Further reduces VM creation time The Potemkin Virtual Honeyfarm 12 / 20

  22. Overview Introduction Potemkin VMM Design Containment Architecture & Evaluation Challenges Flash Cloning Performance Time required to clone a 128 MB honeypot: Control tools overhead 124 ms Low-level clone 11 ms Device setup 149 ms Other management overhead 79 ms Networking setup & overhead 158 ms Total 521 ms 0.5 s already imperceptible to external observers unless looking for delay, but we can do even better The Potemkin Virtual Honeyfarm 13 / 20

  23. Overview Introduction Potemkin VMM Design Containment Architecture & Evaluation Challenges Flash Cloning Performance Time required to clone a 128 MB honeypot: Control tools overhead 124 ms Low-level clone 11 ms Device setup 149 ms Other management overhead 79 ms Networking setup & overhead 158 ms Total 521 ms 0.5 s already imperceptible to external observers unless looking for delay, but we can do even better The Potemkin Virtual Honeyfarm 13 / 20

  24. Overview Introduction Potemkin VMM Design Containment Architecture & Evaluation Challenges Delta Virtualization Performance ◮ Deployed using 128 MB Linux honeypots ◮ Using servers with 2 GB RAM, have memory available to support ≈ 1000 VMs per physical host ◮ Currently tested with ≈ 100 VMs per host ◮ Hits artificial resource limit in Xen, but this can be fixed The Potemkin Virtual Honeyfarm 14 / 20

  25. Overview Introduction Potemkin VMM Design Containment Architecture & Evaluation Challenges Containment Policies ◮ Must also care about traffic going out ◮ We deliberately run unpatched, insecure software in honeypots ◮ Containment: Should not permit attacks on third parties ◮ As with scalability, there is a tension between containment and fidelity ◮ Various containment policies we support: ◮ Allow no traffic out ◮ Allow traffic over established connections ◮ Allow traffic back to original host ◮ . . . The Potemkin Virtual Honeyfarm 15 / 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Spill Containment and Commerce www.containmentcorp.com (800) 235-7421 Executive Summary -What

Spill Containment and Commerce www.containmentcorp.com (800) 235-7421 Executive Summary -What

Spill Containment and Commerce www.containmentcorp.com (800) 235-7421 Executive Summary -What is Spill Containment, Secondary Containment and a Spill Prevention Plan -Marine Containment vs. Above-Ground Containment -Dangers of Spills, Costs,

636 views • 19 slides
Scalability and Replication Marco Serafini COMPSCI 532 Lecture 13 Scalability 2 Scalability

Scalability and Replication Marco Serafini COMPSCI 532 Lecture 13 Scalability 2 Scalability

Scalability and Replication Marco Serafini COMPSCI 532 Lecture 13 Scalability 2 Scalability Ideal world Linear scalability Speedup Reality Ideal Bottlenecks For example: central coordinator When do we stop

938 views • 36 slides
ACHIEVING HIGH FIDELITY ASSERTIVE COMMUNITY TREATMENT THROUGH THE IMPLEMENTATION OF FIDELITY

ACHIEVING HIGH FIDELITY ASSERTIVE COMMUNITY TREATMENT THROUGH THE IMPLEMENTATION OF FIDELITY

ACHIEVING HIGH FIDELITY ASSERTIVE COMMUNITY TREATMENT THROUGH THE IMPLEMENTATION OF FIDELITY EVALUATION AND TECHNICAL ASSISTANCE Lorna Moser, Ph.D. ACT TA Center Center for Excellence in Community Mental Health, UNC Department of Psychiatry

691 views • 46 slides
Tier 2 Fidelity Data: Strengthening your Tier 2 PBIS Implementation: Using Fidelity Measures to

Tier 2 Fidelity Data: Strengthening your Tier 2 PBIS Implementation: Using Fidelity Measures to

Tier 2 Fidelity Data: Strengthening your Tier 2 PBIS Implementation: Using Fidelity Measures to Promote Growth in Tier 2 Implementation March 2020 Celeste Rossetto Dickey, M.Ed. University of Oregon Introductions and Welcome School Staff

865 views • 55 slides
Scalability of web applications CSCI 470: Web Science Keith Vertanen Overview Scalability

Scalability of web applications CSCI 470: Web Science Keith Vertanen Overview Scalability

Scalability of web applications CSCI 470: Web Science Keith Vertanen Overview Scalability questions What's important in order to build scalable web sites? High availability vs. load balancing Approaches to scaling

600 views • 26 slides
Root zone scalability model Bart Gijsen October 28, 2009 Root zone scalability model

Root zone scalability model Bart Gijsen October 28, 2009 Root zone scalability model

Root zone scalability model Bart Gijsen October 28, 2009 Root zone scalability model Introduction Development of the model by TNO as part of the Root Scalability Study Team Why quantify? Scalability is a quantitative topic

674 views • 18 slides
Performance and Scalability (Chapter 11) Performance and Scalability Performance: How long

Performance and Scalability (Chapter 11) Performance and Scalability Performance: How long

Performance and Scalability (Chapter 11) Performance and Scalability Performance: How long is the latency? Scalability: Do we get higher throughput if we add more resources? Performance and Scalability Performance: How long is the

210 views • 17 slides
Fidelity Bank Presentation Non-Deal Roadshow May Jun 2018 www.fidelitybank.ng Profile of

Fidelity Bank Presentation Non-Deal Roadshow May Jun 2018 www.fidelitybank.ng Profile of

Fidelity Bank Presentation Non-Deal Roadshow May Jun 2018 www.fidelitybank.ng Profile of Fidelity Bank Road-Show Team Nnamdi Okonkwo Managing Director / Chief Executive Officer Appointed Managing Director of Fidelity Bank PLC in January

601 views • 38 slides
What You Need to Know The importance of Up-Front and Multi-Fidelity simulation

What You Need to Know The importance of Up-Front and Multi-Fidelity simulation

www.cd-adapco.com Flow Assurance By Design Multi-Fidelity Simulation for Improved Design, Development, and Validation of Subsea Pipelines and Equipment What You Need to Know The importance of Up-Front and Multi-Fidelity

780 views • 38 slides
Versioning of Topic Map Templates Structuring Versioning and Scalability Scalability Proc.

Versioning of Topic Map Templates Structuring Versioning and Scalability Scalability Proc.

Versioning of TM Templates and Scalability M. Ueberall, O. Drobnik Introduction Versioning of Topic Map Templates Structuring Versioning and Scalability Scalability Proc. Model Ongoing Work M. Ueberall, O. Drobnik Telematics Group,

550 views • 28 slides
Wireless Fidelity with bwfm(4) Patrick Wildt September 22, 2019 Patrick Wildt Wireless Fidelity

Wireless Fidelity with bwfm(4) Patrick Wildt September 22, 2019 Patrick Wildt Wireless Fidelity

Why? How? What now? Wireless Fidelity with bwfm(4) Patrick Wildt September 22, 2019 Patrick Wildt Wireless Fidelity with bwfm(4) Why? Personally How? Hardware What now? Milestones Who am I? OpenBSD developer ARM64-subtree maintainer

413 views • 29 slides
Evaluate non-destructive methods to assess the condition of the secondary containment liners in

Evaluate non-destructive methods to assess the condition of the secondary containment liners in

1/23/19 Valdez Marine Terminal Secondary Containment Liner Integrity Evaluation Jay L. Griffin, P .E. Project Engineer 25 January 2019 Purpose Evaluate non-destructive methods to assess the condition of the secondary containment liners in

402 views • 12 slides
Study of Cost Containment Models and Recommendations for Connecticut Discussion of

Study of Cost Containment Models and Recommendations for Connecticut Discussion of

Study of Cost Containment Models and Recommendations for Connecticut Discussion of Recommendations Megan Burns, Marge Houy & Michael Bailit September 13, 2016 The Healthcare Cabinet Cost Containment Study is a Partnership Funded by a

614 views • 37 slides
Study of Cost Containment Models and Recommendations for Connecticut Review of Washington and

Study of Cost Containment Models and Recommendations for Connecticut Review of Washington and

Study of Cost Containment Models and Recommendations for Connecticut Review of Washington and Stakeholder Feedback Marge Houy and Megan Burns May 10, 2016 The Healthcare Cabinet Cost Containment Study is a Partnership Funded by a grant from

880 views • 84 slides
Informal/formal sector partnerships: Fidelity Bank Ghana BUSINESS UNIT: MICROFINANCE DATE: 22 nd

Informal/formal sector partnerships: Fidelity Bank Ghana BUSINESS UNIT: MICROFINANCE DATE: 22 nd

Informal/formal sector partnerships: Fidelity Bank Ghana BUSINESS UNIT: MICROFINANCE DATE: 22 nd February 2013 Dr. William Derban Director, Financial Inclusion, CSR & PMO Fidelity Bank Ghana Fidelity Bank - a growing local bank in Ghana

1.2k views • 16 slides
EVALUATION OF ULTIMATE LOAD BEARING CAPACITY OF CONTAINMENT STRUCTURES OF NPPs Raghupati Roy,

EVALUATION OF ULTIMATE LOAD BEARING CAPACITY OF CONTAINMENT STRUCTURES OF NPPs Raghupati Roy,

EVALUATION OF ULTIMATE LOAD BEARING CAPACITY OF CONTAINMENT STRUCTURES OF NPPs Raghupati Roy, Addl.Chief Engineer(Civil) Nuclear Power Corporation of India Limited Mumbai Salient Features of Containment System of Indian NPPs Double

752 views • 23 slides
WINERY PRESENTATION ALY nt IT Piedmo LU di Monf errato O ne of the oldest wineries in

WINERY PRESENTATION ALY nt IT Piedmo LU di Monf errato O ne of the oldest wineries in

WINERY PRESENTATION ALY nt IT Piedmo LU di Monf errato O ne of the oldest wineries in Monferrato, Casalone started operations officially in 1734 and today is still owned by t he same family on the same land. The first bottles of wine

389 views • 3 slides
Material in the Lower Coastal Plain Travis Norman MSc in Forestry Department of Forestry &

Material in the Lower Coastal Plain Travis Norman MSc in Forestry Department of Forestry &

Impacts on Growth and Quality of Interplanting Loblolly Pine ( Pinus taeda L.) Seedlings with Clonal Material in the Lower Coastal Plain Travis Norman MSc in Forestry Department of Forestry & Environmental Resources North Carolina State

307 views • 30 slides
Alpha Presentation AutoHook Creative Tool The Capstone Experience Team Urban Science Jeff

Alpha Presentation AutoHook Creative Tool The Capstone Experience Team Urban Science Jeff

Alpha Presentation AutoHook Creative Tool The Capstone Experience Team Urban Science Jeff Fallon Ben LaFleur Zach Lewis Jon Stover Daiwei Zhang Department of Computer Science and Engineering Michigan State University From Students

300 views • 9 slides
SATA Series y Introduction w w w .easyRAID.com - 1 - Innovative Innovative SMART Correction

SATA Series y Introduction w w w .easyRAID.com - 1 - Innovative Innovative SMART Correction

SATA Series y Introduction w w w .easyRAID.com - 1 - Innovative Innovative SMART Correction SMART Correction Functions Functions Disk Self Test Disk Scrubbing SMART/Disk clone w w w .easyRAID.com - 2 - SMARTCor. Functions -1

225 views • 10 slides
Employment for Tribals - presentation to NCST June 25, 2018 OP Shukla/ V Kumaraswamy OP

Employment for Tribals - presentation to NCST June 25, 2018 OP Shukla/ V Kumaraswamy OP

Employment for Tribals - presentation to NCST June 25, 2018 OP Shukla/ V Kumaraswamy OP Shukla/V Kumaraswamy Author Credentials O P Shukla V Kumaraswamy Growing Plantations in Myanmar. Championed the New U 283 Extensive

311 views • 15 slides
A Crash Course on Git Sean Payne Temecula Valley Software Developers Meetup What is Git?

A Crash Course on Git Sean Payne Temecula Valley Software Developers Meetup What is Git?

A Crash Course on Git Sean Payne Temecula Valley Software Developers Meetup What is Git? Distributed Version Control System (DVCS) Built from 2005 onwards by the Linux kernel dev team Like CVS, SVN & others, allows historical

759 views • 32 slides
Presentation 1 Disclaimer Certain statements in this presentation may constitute forward-looking

Presentation 1 Disclaimer Certain statements in this presentation may constitute forward-looking

Presentation 1 Disclaimer Certain statements in this presentation may constitute forward-looking statements. Such statements are subject to known and unknown risks and uncertainties that could cause the Companys actual results to differ

458 views • 43 slides
W W W . S A B R I C . C O . Z A 1 4 N O V E M B E R 2 0 1 9 W W W . S A B R I C . C O . Z A 1

W W W . S A B R I C . C O . Z A 1 4 N O V E M B E R 2 0 1 9 W W W . S A B R I C . C O . Z A 1

W W W . S A B R I C . C O . Z A 1 4 N O V E M B E R 2 0 1 9 W W W . S A B R I C . C O . Z A 1 4 N O V E M B E R 2 0 1 9 F E S T I V E AWA R E N E S S 1 4 N O V E M B E R 2 0 1 9 Todays agenda 11AM 11:30 11:35AM 11:40AM

766 views • 48 slides

More recommend