Detecting Targeted Attacks Using Shadow Honeypots

K.G. Anagnostakis et al

Presented by: Rui Peng

Outline

Honeypots & anomaly detection systems

Design of shadow honeypots

Implementation of a shadow honeypot

Performance evaluation

Discussion and conclusion

Basic Concepts

IPS: Intrusion Prevention SystemsIDS: Intrusion Detection Systems

Rule-based Limited for known attacks

For previously unknown attacks Honeypots Anomaly detection systems (ADS)

A Simple Classification

What is a shadow honeypot?

An instance of the protected application

Shares all internal state with the normal

instance

Attacks will be detected

Legitimate traffic misclassified as attacks

will be validated

Key components

Filtering: blocks known attacks Drops certain requests before processing

ADS: labels traffic as malicious or benign Malicious traffic directed to shadow honeypot Benign traffic to normal application

Shadow honeypot: detects attacks State changes by attacks discarded State changes by misclassified traffic preserved

Implementation

Distributed Anomaly Detector Network Processor for load balancing An array of anomaly detector sensors Payload sifting and abstract payload execution

Shadow honeypot Focuses on memory-violation attacks Code transformation tool takes original source

code and generates shadow honeypot code

Creating a shadow honeypot

Move all static memory buffers to the heap

Dynamically allocate memory using pmalloc()

Two additional write-protected pages to bracket the allocated buffer

Code transformation

Performance results

Capable of processing all false-positives and detecting attacks.

Instrumentation is expensive: 20% - 50% overhead.

Still, overhead is within the processing budget.

Benefits

Allow AD be tuned towards high sensitivity Less undetected attacks More false positives, but still ok because they will

be processed as normal

Self-train and fine-tune Attacks detected by shadow honeypot is used to

train filtering component Benign traffic validated by shadow honeypot is

used to train anomaly detectors

Limitations

Creating a shadow honeypot requires source code transformation.

Can only detect memory-violation attacks.Apache web server and Mozilla Firefox are

the only tested applications.No mention of how filtering component an

d anomaly detectors can be trained.

Thank you!

Questions?