Farooqui, Mohammad Shariq and Singh, Amit Kumar and Chouhan, Pushpinder Kaur and Cui, Zhan. Dynamic On Demand Decoy Deployment Using MicroVMs. In: IEEE International Conference on Cyber Security and Resilience (IEEE CSR), 2026-08-03 - 2026-08-05, Lisbon, Portugal. (In Press)
Abstract
Honeypots remain a key defensive technique for engaging intruders and gathering intelligence, yet existing designs struggle to balance interaction realism, resource efficiency, and security isolation. Low-interaction systems, which emulate services rather than running them, are lightweight but easily fingerprinted, while container-based approaches offer convenience but expose kernel-sharing risks. Recent deception frameworks such as CATCH have proposed dynamic decoy deployment, where high-interaction environments are instantiated only when attacker behaviour warrants it. However, CATCH does not prescribe a concrete mechanism capable of delivering safe, high-fidelity decoys with sub-second responsiveness. This paper provides that missing mechanism by introducing a microVM-based on-demand isolation architecture for SSH-initiated deception. When suspicious activity is detected—via honeytokens in our prototype—sessions are transparently redirected into dedicated Firecracker microVMs restored from snapshots. This approach operationalises the dynamic deployment concept proposed by CATCH by offering a lightweight execution substrate capable of spawning realistic, strongly isolated, per-attacker environments at the moment of detection. We implement a PostgreSQL protocol handler as a case study and demonstrate median microVM startup latency of 242 ms—comparable to Docker container startup (300 ms) but with full VM-level isolation rather than shared-kernel containment—with 106 MB memory usage per attacker and zero overhead for legitimate users. Timing analysis shows that fingerprinting is limited to a brief first-query window; subsequent interactions are indistinguishable from real systems. These results indicate that microVMs provide a practical foundation for scalable, high-interaction deception and represent a viable dynamic deployment backend for CATCH-style active-defence architectures.
| Item Type: | Conference or Workshop Item (Paper) |
|---|---|
| Additional Information: | Published proceedings: _not provided_ |
| Uncontrolled Keywords: | deception technology, honeypot, microVM, Firecracker, active defence |
| Subjects: | Z Bibliography. Library Science. Information Resources > ZR Rights Retention |
| Divisions: | Faculty of Science and Health; Faculty of Science and Health > Computer Science and Electronic Engineering, School of |
| SWORD Depositor: | Unnamed user with email elements@essex.ac.uk |
| Depositing User: | Unnamed user with email elements@essex.ac.uk |
| Date Deposited: | 21 Apr 2026 10:33 |
| Last Modified: | 21 Apr 2026 10:33 |
| URI: | http://repository.essex.ac.uk/id/eprint/43133 |
Available files
Filename: On_demand_microVM_based_Deception (4).pdf
Licence: Creative Commons: Attribution 4.0