Detecting Targeted Attacks Using Shadow Honeypots

K.G. Anagnostakis et al

Presented by: Rui Peng

Outline
  • Honeypots & anomaly detection systems
  • Design of shadow honeypots
  • Implementation of a shadow honeypot
  • Performance evaluation
  • Discussion and conclusion
Basic Concepts
  • IPS: Intrusion Prevention Systems
  • IDS: Intrusion Detection Systems
    • Rule-based
    • Limited to known attacks
  • For previously unknown attacks
    • Honeypots
    • Anomaly detection systems (ADS)
What is a shadow honeypot?
  • An instance of the protected application
  • Shares all internal state with the normal instance
  • Attacks will be detected
  • Legitimate traffic misclassified as attacks will be validated
Key components
  • Filtering: blocks known attacks
    • Drops certain requests before processing
  • ADS: labels traffic as malicious or benign
    • Malicious traffic directed to shadow honeypot
    • Benign traffic to normal application
  • Shadow honeypot: detects attacks
    • State changes by attacks discarded
    • State changes by misclassified traffic preserved
Implementation
  • Distributed Anomaly Detector
    • Network Processor for load balancing
    • An array of anomaly detector sensors
    • Payload sifting and abstract payload execution
  • Shadow honeypot
    • Focuses on memory-violation attacks
    • Code transformation tool takes original source code and generates shadow honeypot code
Creating a shadow honeypot
  • Move all static memory buffers to the heap
  • Dynamically allocate memory using pmalloc()
  • Two additional write-protected pages to bracket the allocated buffer
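A guard-page allocator and trap check along the lines of the pmalloc() bullets above, added here as an illustration and not the paper's or the presenter's code; the names pmalloc, pfree, write_traps and guard_check, the use of mmap/mprotect for the bracketing pages, and the SIGSEGV handler that turns a guard-page hit into a detectable result are this example's own choices, assuming Linux or another POSIX system:

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <sys/mman.h>
#include <unistd.h>
#define PAGE ((size_t)sysconf(_SC_PAGESIZE))
#define BODY(n) (((n) + PAGE - 1) / PAGE * PAGE)   /* data pages for n bytes */

/* Guard-page allocator in the spirit of the slide's pmalloc() (constructed):
 * mapping starts PROT_NONE, only the data pages are opened read/write, and the
 * buffer is pushed against the upper guard so even a one-byte overrun traps. */
void *pmalloc(size_t size) {                         /* requires size > 0 */
    size_t body = BODY(size);
    unsigned char *base = mmap(NULL, body + 2 * PAGE, PROT_NONE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    if (mprotect(base + PAGE, body, PROT_READ | PROT_WRITE) != 0) {
        munmap(base, body + 2 * PAGE); return NULL;
    }
    return base + PAGE + (body - size);   /* alignment slack sits below */
}
void pfree(void *p, size_t size) {
    uintptr_t base = ((uintptr_t)p & ~(uintptr_t)(PAGE - 1)) - PAGE;
    munmap((void *)base, BODY(size) + 2 * PAGE);
}
/* Detection side: a SIGSEGV on a guard page is how the shadow instance catches
 * a memory violation before any state change is committed. */
static sigjmp_buf trap_env;
static void on_segv(int sig) { (void)sig; siglongjmp(trap_env, 1); }
int write_traps(volatile char *p) {   /* 1 if a one-byte write at p trapped */
    struct sigaction sa, old;
    sa.sa_handler = on_segv; sa.sa_flags = 0;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    volatile int trapped = 1;
    if (sigsetjmp(trap_env, 1) == 0) { *p = 'A'; trapped = 0; }
    sigaction(SIGSEGV, &old, NULL);   /* restore the previous handler */
    return trapped;
}
/* bit0: in-bounds writes ok; bit1: overrun trapped; bit2: underrun trapped. */
int guard_check(size_t size) {
    char *buf = pmalloc(size);
    if (!buf) return -1;
    int r = 0;
    if (!write_traps(buf) && !write_traps(buf + size - 1)) r |= 1;
    if (write_traps(buf + size)) r |= 2;
    if (write_traps(buf - PAGE)) r |= 4;
    pfree(buf, size);
    return r;
}
```

guard_check(n) returns 7 for any n > 0 when both guard pages trap and in-bounds writes pass; in a real shadow instance the handler would roll back the request's state instead of merely returning a flag.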
Performance results
  • Capable of processing all false-positives and detecting attacks.
  • Instrumentation is expensive: 20% - 50% overhead.
  • Still, overhead is within the processing budget.
Benefits
  • Allows the ADS to be tuned towards high sensitivity
    • Fewer undetected attacks
    • More false positives, but acceptable because the shadow honeypot processes them as normal traffic
  • Self-training and fine-tuning
    • Attacks detected by the shadow honeypot are used to train the filtering component
    • Benign traffic validated by the shadow honeypot is used to train the anomaly detectors
Limitations
  • Creating a shadow honeypot requires source code transformation.
  • Can only detect memory-violation attacks.
  • Apache web server and Mozilla Firefox are the only tested applications.
  • No mention of how the filtering component and anomaly detectors are trained.
Thank you!
  • Questions?