1 / 16

Detecting Targeted Attacks Using Shadow Honeypots

This paper discusses the design and implementation of shadow honeypots as a method for detecting targeted attacks on applications. Shadow honeypots replicate the internal state of normal application instances, helping to validate traffic misidentified as attacks. Key components include filtering mechanisms and anomaly detection systems. The study evaluates performance, noting a capacity for effective attack detection coupled with a tolerance for false positives. The limitations are outlined, including the requirement for source code transformation and the focus on memory-violation attacks.

dennis-donovan
Télécharger la présentation

Detecting Targeted Attacks Using Shadow Honeypots

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Detecting Targeted Attacks Using Shadow Honeypots K.G. Anagnostakis et al Presented by: Rui Peng

  2. Outline • Honeypots & anomaly detection systems • Design of shadow honeypots • Implementation of a shadow honeypot • Performance evaluation • Discussion and conclusion

  3. Basic Concepts • IPS: Intrusion Prevention Systems • IDS: Intrusion Detection Systems • Rule-based • Limited for known attacks • For previously unknown attacks • Honeypots • Anomaly detection systems (ADS)

  4. A Simple Classification

  5. What is a shadow honeypot? • An instance of the protected application • Shares all internal state with the normal instance • Attacks will be detected • Legitimate traffic misclassified as attacks will be validated

  6. Key components • Filtering: blocks known attacks • Drops certain requests before processing • ADS: labels traffic as malicious or benign • Malicious traffic directed to shadow honeypot • Benign traffic to normal application • Shadow honeypot: detects attacks • State changes by attacks discarded • State changes by misclassified traffic preserved

  7. Implementation • Distributed Anomaly Detector • Network Processor for load balancing • An array of anomaly detector sensors • Payload sifting and abstract payload execution • Shadow honeypot • Focuses on memory-violation attacks • Code transformation tool takes original source code and generates shadow honeypot code

  8. Creating a shadow honeypot • Move all static memory buffers to the heap • Dynamically allocate memory using pmalloc() • Two additional write-protected pages to bracket the allocated buffer

  9. Code transformation

  10. Performance results • Capable of processing all false-positives and detecting attacks. • Instrumentation is expensive: 20% - 50% overhead. • Still, overhead is within the processing budget.

  11. Benefits • Allow AD be tuned towards high sensitivity • Less undetected attacks • More false positives, but still ok because they will be processed as normal • Self-train and fine-tune • Attacks detected by shadow honeypot is used to train filtering component • Benign traffic validated by shadow honeypot is used to train anomaly detectors

  12. Limitations • Creating a shadow honeypot requires source code transformation. • Can only detect memory-violation attacks. • Apache web server and Mozilla Firefox are the only tested applications. • No mention of how filtering component and anomaly detectors can be trained.

  13. Thank you! • Questions?

More Related