Sensor in the dark: Building untraceable large-scale honeypots using virtualization technologies

Akihiro Shimoda, Tatsuya Mori, Shigeki Goto

Research output: Chapter in Book/Report/Conference proceedingConference contribution

2 Citations (Scopus)

Abstract

A Honeypot is a system that aims to detect and analyze malicious attacks attempted on a network in an interactive manner. Because the primary objective of a honeypot is to detect enemies without being known to them, it is important to hide its existence. However, as several studies have reported, exploiting the unique characteristics of hosts working on a consecutive IP addresses range easily reveals the existence of honeypots. In fact, there exist some anti-honeypot tools that intelligently probe IP address space to locate Internet security sensors including honeypots. In order to tackle this problem, we propose a system called DarkPots, that consists of a large number of virtualized honeypots using unused and nonconsecutive IP addresses in a production network. DarkPots enables us to deploy a large number of honeypots within an active IP space used for a production network; thus detection is difficult using existing probing techniques. In addition, by virtually classifying the unused IP addresses into several groups, DarkPots enables us to perform several monitoring schemes simultaneously. This function is meaningful because we can adopt more than one monitoring schemes and compare their results in an operating network. We design and implement a prototype of DarkPots and empirically evaluate its effectiveness and feasibility by concurrently performing three independent monitoring schemes in a high-speed campus network. The system successfully emulated 7,680 of virtualized honeypots on a backbone link that carries 500 Mbps - 1 Gbps of traffic without affecting legitimate traffic. Our key findings suggest: (1) active and interactive monitoring schemes provide more in-depth insights of malicious attacks, compared to passive monitoring approach in a quantitative way, and (2) randomly distributed allocation of IP addresses has an advantage over the concentrated allocation in that it can collect more information from malwares. These features are crucial in monitoring the security threats.

Original languageEnglish
Title of host publicationProceedings - 2010 10th Annual International Symposium on Applications and the Internet, SAINT 2010
Pages22-30
Number of pages9
DOIs
Publication statusPublished - 2010 Nov 29
Externally publishedYes
Event2010 10th Annual International Symposium on Applications and the Internet, SAINT 2010 - Seoul, Korea, Republic of
Duration: 2010 Jul 192010 Jul 23

Publication series

NameProceedings - 2010 10th Annual International Symposium on Applications and the Internet, SAINT 2010

Conference

Conference2010 10th Annual International Symposium on Applications and the Internet, SAINT 2010
CountryKorea, Republic of
CitySeoul
Period10/7/1910/7/23

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Computer Science Applications

Fingerprint Dive into the research topics of 'Sensor in the dark: Building untraceable large-scale honeypots using virtualization technologies'. Together they form a unique fingerprint.

  • Cite this

    Shimoda, A., Mori, T., & Goto, S. (2010). Sensor in the dark: Building untraceable large-scale honeypots using virtualization technologies. In Proceedings - 2010 10th Annual International Symposium on Applications and the Internet, SAINT 2010 (pp. 22-30). [5598179] (Proceedings - 2010 10th Annual International Symposium on Applications and the Internet, SAINT 2010). https://doi.org/10.1109/SAINT.2010.42