HoneyLab: Large-Scale Honeypot Deployment and Resource Sharing

Honeypots are valuable tools for detecting and analyzing malicious activity on the Internet. Successful and time-critical detection of such activity often depends on large-scale deployment. However, commercial organizations usually do not share honeypot data, and large, open honeypot initiatives only provide read-only alert feeds. As a result, while large and resourceful organizations can afford the high cost of this technology, smaller security firms and security researchers are fundamentally constrained. We propose and build a shared infrastructure for deploying and monitoring honeypots, called HoneyLab, that is similar in spirit to PlanetLab. With an overlay and distributed structure of address space and computing resources, HoneyLab increases coverage and accelerates innovation among security researchers as well as security industry experts relying on honeypot-based attack detection technology. Unlike current honeypot infrastructures, HoneyLab allows security firms and security researchers to deploy their own honeypot services, instrumentation code, and detection algorithms, dispensing the need for setting up a separate honeypot infrastructure whenever a new attack detection method needs to be deployed or tested.