Detecting Targeted Attacks Using Shadow Honeypots
K.G. Anagnostakis et al
Presented by: Rui Peng
Outline
Honeypots & anomaly detection systems
Design of shadow honeypots
Implementation of a shadow honeypot
Performance evaluation
Discussion and conclusion
Basic Concepts
IPS: Intrusion Prevention Systems
IDS: Intrusion Detection Systems
Rule-based: limited to known attacks
For previously unknown attacks: honeypots, anomaly detection systems (ADS)
A Simple Classification
What is a shadow honeypot?
An instance of the protected application
Shares all internal state with the normal instance
Attacks will be detected
Legitimate traffic misclassified as attacks will be validated
Key components
Filtering: blocks known attacks; drops certain requests before processing
ADS: labels traffic as malicious or benign; malicious traffic is directed to the shadow honeypot, benign traffic to the normal application
Shadow honeypot: detects attacks; state changes made by attacks are discarded, state changes made by misclassified traffic are preserved
Implementation
Distributed anomaly detector
Network processor for load balancing
An array of anomaly detector sensors
Payload sifting and abstract payload execution
Shadow honeypot
Focuses on memory-violation attacks
Code transformation tool takes the original source code and generates the shadow honeypot code
Creating a shadow honeypot
Move all static memory buffers to the heap
Dynamically allocate memory using pmalloc()
Two additional write-protected pages to bracket the allocated buffer
Code transformation
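To make the three steps above concrete, here is an added example in C (not the paper's code and not its actual pmalloc() implementation): a pmalloc()-style allocator that maps the buffer between two inaccessible guard pages, plus the shadow's "detect and discard" step for one request. The names pbuf_t, guarded_copy and shadow_process are this example's own; placing the buffer flush against the high guard page, and using a SIGSEGV handler with siglongjmp to recover from the fault, are choices made here to stand in for the paper's instrumentation.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Added example, not the paper's code. pbuf_t, guarded_copy and
 * shadow_process are names chosen for this illustration. */

typedef struct {
    void  *base;  /* start of the mapping: the low guard page */
    size_t len;   /* total mapped length, guards included */
    char  *buf;   /* usable buffer handed to the application */
    size_t size;  /* bytes requested by the caller */
} pbuf_t;

static size_t page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }

/* Allocate `size` bytes with an inaccessible page on each side. The buffer is
 * pushed against the high guard page so that a one-byte overrun faults at once
 * (a choice of this example, in the style of guard-page debug allocators). */
int pmalloc(pbuf_t *p, size_t size)
{
    size_t pg   = page_size();
    size_t body = ((size ? size : 1) + pg - 1) / pg * pg;
    size_t len  = body + 2 * pg;
    void *base = mmap(NULL, len, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return -1;
    /* Guard pages: neither readable nor writable. */
    if (mprotect(base, pg, PROT_NONE) != 0 ||
        mprotect((char *)base + pg + body, pg, PROT_NONE) != 0) {
        munmap(base, len);
        return -1;
    }
    p->base = base;
    p->len  = len;
    p->size = size;
    p->buf  = (char *)base + pg + (body - size);
    return 0;
}

void pfree(pbuf_t *p) { munmap(p->base, p->len); memset(p, 0, sizeof *p); }

/* Fault recovery: a write into a guard page raises SIGSEGV (SIGBUS on some
 * systems); the handler jumps back so the shadow can report the violation. */
static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Copy `n` request bytes into the guarded buffer. Returns 1 if the copy hit a
 * guard page (memory violation), 0 if it completed. */
static int guarded_copy(pbuf_t *p, const char *req, size_t n)
{
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS,  &sa, &old_bus);

    volatile int violated = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        volatile char *dst = p->buf;        /* byte loop: the overrun lands on the guard page */
        for (size_t i = 0; i < n; i++) dst[i] = req[i];
    } else {
        violated = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS,  &old_bus,  NULL);
    return violated;
}

/* Shadow step: snapshot the application state, run the request, and on a
 * violation roll the state back. Returns 1 for attack detected, 0 for benign. */
int shadow_process(pbuf_t *p, const char *req, size_t n)
{
    char *snap = malloc(p->size);
    if (!snap) return -1;
    memcpy(snap, p->buf, p->size);
    int attack = guarded_copy(p, req, n);
    if (attack) memcpy(p->buf, snap, p->size);   /* attack: discard its state change */
    free(snap);                                  /* benign: state change is preserved */
    return attack;
}

int main(void)
{
    pbuf_t b;
    if (pmalloc(&b, 16) != 0) return 1;
    memset(b.buf, 0, 16);
    char evil[64];                               /* constructed oversized request */
    memset(evil, 'X', sizeof evil);
    printf("benign request -> %d\n", shadow_process(&b, "hello", 5));
    printf("overlong request -> %d\n", shadow_process(&b, evil, sizeof evil));
    pfree(&b);
    return 0;
}
```

Build with `cc -o shadow shadow.c` and run it: the five-byte request completes and its contents stay in the buffer, while the 64-byte request faults on the high guard page, is reported as an attack, and the buffer is restored to what it held before. A real shadow honeypot applies this transformation to every static buffer in the application via the code transformation tool and shares the rest of its state with the production instance; this example covers only a single buffer and a single request.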
Performance results
Capable of processing all false-positives and detecting attacks.
Instrumentation is expensive: 20% - 50% overhead.
Still, overhead is within the processing budget.
Benefits
Allows the ADS to be tuned towards high sensitivity: fewer undetected attacks; more false positives, but still acceptable because they will be processed as normal
Self-training and fine-tuning: attacks detected by the shadow honeypot are used to train the filtering component; benign traffic validated by the shadow honeypot is used to train the anomaly detectors
Limitations
Creating a shadow honeypot requires source code transformation.
Can only detect memory-violation attacks.
Apache web server and Mozilla Firefox are the only tested applications.
No mention of how the filtering component and anomaly detectors can be trained.
Thank you!
Questions?