Detecting targeted attacks using shadow honeypots
Presentation Transcript
Detecting Targeted Attacks Using Shadow Honeypots

K.G. Anagnostakis et al.

Presented by: Rui Peng


Outline

  • Honeypots & anomaly detection systems

  • Design of shadow honeypots

  • Implementation of a shadow honeypot

  • Performance evaluation

  • Discussion and conclusion


Basic Concepts

  • IPS: Intrusion Prevention Systems

  • IDS: Intrusion Detection Systems

    • Rule-based

    • Limited to known attacks

  • For previously unknown attacks

    • Honeypots

    • Anomaly detection systems (ADS)



What is a shadow honeypot?

  • An instance of the protected application

  • Shares all internal state with the normal instance

  • Attacks will be detected

  • Legitimate traffic misclassified as attacks will be validated


Key components

  • Filtering: blocks known attacks

    • Drops certain requests before processing

  • ADS: labels traffic as malicious or benign

    • Malicious traffic directed to shadow honeypot

    • Benign traffic to normal application

  • Shadow honeypot: detects attacks

    • State changes by attacks discarded

    • State changes by misclassified traffic preserved


Implementation

  • Distributed Anomaly Detector

    • Network Processor for load balancing

    • An array of anomaly detector sensors

    • Payload sifting and abstract payload execution

  • Shadow honeypot

    • Focuses on memory-violation attacks

    • Code transformation tool takes original source code and generates shadow honeypot code


Creating a shadow honeypot

  • Move all static memory buffers to the heap

  • Dynamically allocate memory using pmalloc()

  • Two additional write-protected pages to bracket the allocated buffer
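The guard-page layout described in the three steps above, as an added example in C. This is not the paper's code nor the presenter's: the slides only name pmalloc(), so the signatures of pmalloc(), pfree(), shadow_copy_detects_overflow() and sample_input() are assumptions. The allocator maps the data pages plus one PROT_NONE page on each side and right-aligns the buffer against the upper guard page, so the first byte written past the end faults; a SIGSEGV handler then unwinds to a checkpoint and reports the memory violation as a verdict instead of crashing. It demonstrates detection only; the rollback of shared state that the shadow honeypot also performs is not modelled here.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Added example with hypothetical names: a minimal pmalloc()-style allocator
 * that brackets each buffer with two PROT_NONE guard pages, plus a harness
 * that turns the resulting page fault into a detection verdict. */

static sigjmp_buf fault_env;

/* SIGSEGV handler: a write into a guard page lands here; unwind to the
 * checkpoint in shadow_copy_detects_overflow() instead of crashing. */
static void on_guard_fault(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Allocate `size` bytes so that the byte immediately after the buffer is the
 * first byte of a write-protected page; a lower guard page sits below the
 * data pages as well. */
void *pmalloc(size_t size) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t data_pages = (size + page - 1) / page;
    size_t total = (data_pages + 2) * page;
    uint8_t *base = mmap(NULL, total, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    uint8_t *upper_guard = base + (data_pages + 1) * page;
    if (mprotect(base, page, PROT_NONE) != 0 ||
        mprotect(upper_guard, page, PROT_NONE) != 0) {
        munmap(base, total);
        return NULL;
    }
    return upper_guard - size;   /* right-align the buffer against the guard */
}

/* Release a pmalloc()'d buffer; the mapping base is recovered from the
 * page-aligned end of the buffer. */
void pfree(void *ptr, size_t size) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t data_pages = (size + page - 1) / page;
    uint8_t *upper_guard = (uint8_t *)ptr + size;
    munmap(upper_guard - (data_pages + 1) * page, (data_pages + 2) * page);
}

/* Shadow-instance check: copy `n` input bytes into a `size`-byte pmalloc()'d
 * buffer. Returns 0 if the copy stayed in bounds, 1 if it touched the upper
 * guard page (memory violation detected), -1 on allocation failure. */
int shadow_copy_detects_overflow(size_t size, const uint8_t *input, size_t n) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_guard_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    if (sigaction(SIGSEGV, &sa, &old) != 0) return -1;

    uint8_t *buf = pmalloc(size);
    volatile int detected = -1;
    if (buf) {
        if (sigsetjmp(fault_env, 1) == 0) {
            volatile uint8_t *dst = buf;   /* byte-wise, so the first OOB byte faults */
            for (size_t i = 0; i < n; i++) dst[i] = input[i];
            detected = 0;
        } else {
            detected = 1;                  /* arrived here via the guard-page fault */
        }
        pfree(buf, size);
    }
    sigaction(SIGSEGV, &old, NULL);
    return detected;
}

/* Constructed sample input: 64 bytes of 'A'. */
const uint8_t *sample_input(void) {
    static uint8_t in[64];
    memset(in, 'A', sizeof in);
    return in;
}

int main(void) {
    printf("64 bytes into 64-byte buffer: %d (0 = in bounds)\n",
           shadow_copy_detects_overflow(64, sample_input(), 64));
    printf("64 bytes into 32-byte buffer: %d (1 = overflow detected)\n",
           shadow_copy_detects_overflow(32, sample_input(), 64));
    return 0;
}
```

Because pmalloc() rounds the buffer up to whole pages but aligns its end, not its start, against the guard, an overrun by even one byte faults, whereas an underrun of up to a page minus the buffer size would not; the paper's 20 to 50 percent overhead figure reflects this page-per-allocation layout applied to every formerly static buffer.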



Performance results

  • Capable of processing all false-positives and detecting attacks.

  • Instrumentation is expensive: 20% - 50% overhead.

  • Still, overhead is within the processing budget.


Benefits

  • Allows the ADS to be tuned towards high sensitivity

    • Fewer undetected attacks

    • More false positives, but still acceptable because they are processed as normal traffic

  • Self-training and fine-tuning

    • Attacks detected by the shadow honeypot are used to train the filtering component

    • Benign traffic validated by the shadow honeypot is used to train the anomaly detectors
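The pipeline from the "Key components" slide and the self-training loop from this slide, as an added toy model in C that is not the paper's or the presenter's code. The filter, the anomaly detector (a request-length threshold) and the request handler are constructed stand-ins, and every name here is hypothetical. What the model does show faithfully is the state rule: a request the ADS labels suspicious runs in the shadow instance against a checkpoint of the shared state; if the instrumented copy would overrun its fixed field, the checkpoint is restored and the request is turned into a filter signature; otherwise the state changes are kept and the ADS threshold is relaxed to accept that benign request.

```c
#include <stdio.h>
#include <string.h>

/* Added example with hypothetical names and a constructed ADS: a toy model of
 * the filter -> ADS -> shadow/normal pipeline and its state-handling rule. */

#define FIELD_MAX   16    /* fixed-size field the request handler copies into */
#define MAX_FILTER  16
#define SIG_LEN     32

enum { R_FILTERED, R_NORMAL, R_SHADOW_ATTACK, R_SHADOW_BENIGN };

typedef struct {                 /* state shared by the normal and shadow instance */
    int  requests_served;
    char last_name[FIELD_MAX];
} app_state_t;

typedef struct {
    app_state_t state;
    char   filter[MAX_FILTER][SIG_LEN];  /* signatures learned from shadow detections */
    int    nfilter;
    size_t ads_threshold;                /* constructed ADS: flag requests longer than this */
} shadow_system_t;

void shadow_system_init(shadow_system_t *s, size_t ads_threshold) {
    memset(s, 0, sizeof *s);
    s->ads_threshold = ads_threshold;
}

static const char *name_param(const char *req) {
    const char *p = strstr(req, "name=");
    return p ? p + 5 : "";
}

/* Filtering component: drop requests matching a signature learned earlier. */
static int filter_matches(const shadow_system_t *s, const char *req) {
    for (int i = 0; i < s->nfilter; i++)
        if (strstr(req, s->filter[i])) return 1;
    return 0;
}

/* Constructed ADS stand-in: anything longer than the threshold is suspicious. */
static int ads_suspicious(const shadow_system_t *s, const char *req) {
    return strlen(req) > s->ads_threshold;
}

/* Normal instance: the production handler. */
static void app_handle(app_state_t *st, const char *req) {
    st->requests_served++;
    snprintf(st->last_name, FIELD_MAX, "%s", name_param(req));
}

/* Shadow instance: same logic on the same state, but the copy into the fixed
 * field is instrumented. Returns 1 when the copy would run past the field,
 * standing in for the guard-page fault a pmalloc()'d buffer would raise. */
static int shadow_handle(app_state_t *st, const char *req) {
    st->requests_served++;                    /* state already changed before the fault */
    const char *name = name_param(req);
    if (strlen(name) >= FIELD_MAX) return 1;  /* memory violation detected */
    memcpy(st->last_name, name, strlen(name) + 1);
    return 0;
}

int process_request(shadow_system_t *s, const char *req) {
    if (filter_matches(s, req)) return R_FILTERED;
    if (!ads_suspicious(s, req)) {            /* labelled benign: normal instance */
        app_handle(&s->state, req);
        return R_NORMAL;
    }
    app_state_t snapshot = s->state;          /* checkpoint the shared state */
    if (shadow_handle(&s->state, req)) {
        s->state = snapshot;                  /* discard the attack's state changes */
        if (s->nfilter < MAX_FILTER)          /* train the filter on the detected attack */
            snprintf(s->filter[s->nfilter++], SIG_LEN, "%s", req);
        return R_SHADOW_ATTACK;
    }
    /* misclassified benign request: keep its state changes, teach the ADS */
    if (strlen(req) > s->ads_threshold) s->ads_threshold = strlen(req);
    return R_SHADOW_BENIGN;
}

int main(void) {
    shadow_system_t s;
    char attack[64] = "GET /x?name=";         /* constructed: 32-byte name overruns the field */
    memset(attack + 12, 'A', 32);
    attack[44] = '\0';
    const char *reqs[] = { "GET /index?name=bob", "GET /some/longer/path?name=alice",
                           attack, attack, "GET /index?name=bob" };
    shadow_system_init(&s, 20);
    for (int i = 0; i < 5; i++)
        printf("%-44.44s -> %d (served=%d, threshold=%zu)\n", reqs[i],
               process_request(&s, reqs[i]), s.state.requests_served, s.ads_threshold);
    return 0;
}
```

The run shows both feedback paths from the slide: the long benign request is a false positive that costs only a shadow execution and then widens the ADS threshold, while the overlong name is caught in the shadow, leaves requests_served and last_name untouched, and is dropped by the filter the second time without reaching either instance.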


Limitations

  • Creating a shadow honeypot requires source code transformation.

  • Can only detect memory-violation attacks.

  • Apache web server and Mozilla Firefox are the only tested applications.

  • No mention of how filtering component and anomaly detectors can be trained.


Thank you!

  • Questions?

