Collapsar: a VM-based Architecture for Network Attack Detention Center

Project Overview (full version)

The honeypot has emerged as an effective tool for gaining insight into new attacks and current exploitation trends. Though effective, a single honeypot, or multiple independently operated honeypots, provides only a limited local view of network attacks. Deploying and managing a large number of coordinating honeypots in different network domains not only provides a broader and more diverse view, but also creates the potential for global network status inference, early network anomaly detection, and large-scale attack correlation. However, coordinated honeypot deployment and operation require close and consistent collaboration across the participating network domains, in order to mitigate the security risks associated with each honeypot and the non-uniform level of security expertise in different network domains. It is challenging, yet desirable, to provide the two conflicting features of decentralized presence and uniform management in honeypot deployment and operation.

To address these challenges, we propose Collapsar, a VM-based centralized network attack detention center. A Collapsar hosts and manages a large number of high-interaction virtual honeypots in a local and dedicated network, while these honeypots appear to potential attackers as regular systems in different production networks. The decentralized presence of the honeypots provides a wide and diverse view of network attacks, while their centralized operation enables convenient attack co-monitoring and event correlation and eliminates the need for security experts in every production network. We present the design, implementation, performance, and operation of a Collapsar testbed. Our experiments with a number of real-world attack incidents demonstrate its effectiveness and practicality.