The rapid evolution of large-scale worms, viruses and bot-nets has made Internet malware a pressing concern. Such infections are at the root of modern scourges including DDoS extortion, on-line identity theft, SPAM, phishing, and piracy. However, the most widely used tools for gathering intelligence on new malware -- network honeypots -- have forced investigators to choose between monitoring activity at a large scale and capturing behavior with high fidelity. In this paper, we describe an approach to minimize this tension and improve honeypot scalability by up to six orders of magnitude while still closely emulating the execution behavior of individual Internet hosts. We have built a prototype honeyfarm system, called Potemkin, that exploits virtual machines, aggressive memory sharing, and late binding of resources to achieve this goal. While still an immature implementation, Potemkin has emulated over 64,000 Internet honeypots in live test runs, using only a handful of physical servers.