Detecting Targeted Attacks Using Shadow Honeypots

Slides:



Advertisements
Similar presentations
Scalable Parallel Intrusion Detection Fahad Zafar Advising Faculty: Dr. John Dorband and Dr. Yaacov Yeesha 1 University of Maryland Baltimore County.
Advertisements

Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
By Hiranmayi Pai Neeraj Jain
Application of Bayesian Network in Computer Networks Raza H. Abedi.
Prime’ Senior Project. Presentation Outline What is Our Project? Problem Definition What does our system do? How does the system work? Implementation.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
TransAD: A Content Based Anomaly Detector Sharath Hiremagalore Advisor: Dr. Angelos Stavrou October 23, 2013.
Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.
Anomaly Based Intrusion Detection System
Presented by Justin Bode CS 450 – Computer Security February 17, 2010.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.
Honeypot An instrument for attracting and detecting attackers Adapted from R. Baumann.
Host Intrusion Prevention Systems & Beyond
Department Of Computer Engineering
Intrusion Detection System Marmagna Desai [ 520 Presentation]
Efficient Protection of Kernel Data Structures via Object Partitioning Abhinav Srivastava, Jonathon Giffin AT&T Labs-Research, HP Fortify ACSAC 2012.
Distributed Denial of Service Attack and Prevention Andrew Barkley Quoc Thong Le Gia Matt Dingfield Yashodhan Gokhale.
Scientific Computing Department Faculty of Computer and Information Sciences Ain Shams University Supervised By: Mohammad F. Tolba Mohammad S. Abdel-Wahab.
Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)
1 Integrating a Network IDS into an Open Source Cloud Computing Environment 1st International Workshop on Security and Performance in Emerging Distributed.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
Address Space Layout Permutation
Workpackage 3 New security algorithm design ICS-FORTH Paris, 30 th June 2008.
Stamping out worms and other Internet pests Miguel Castro Microsoft Research.
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
nd Joint Workshop between Security Research Labs in JAPAN and KOREA Profile-based Web Application Security System Kyungtae Kim High Performance.
ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities Presented by Xianchen Meng CSCI 680 Advanced System and.
SafetyNet: improving the availability of shared memory multiprocessors with global checkpoint/recovery Daniel J. Sorin, Milo M. K. Martin, Mark D. Hill,
Learning Rules for Anomaly Detection of Hostile Network Traffic Matthew V. Mahoney and Philip K. Chan Florida Institute of Technology.
Defending Browsers against Drive-by Downloads:Mitigating Heap-Spraying Code Injection Attacks Authors:Manuel Egele, Peter Wurzinger, Christopher Kruegel,
Detecting Targeted Attacks Using Shadow Honeypots Authors: K.G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, A.D. Keromytis Published:
By Jim White WiredCity, Div. of OSIsoft Copyright c 2004 OSIsoft Inc. All rights reserved. Cyber Security Tools.
Computer Network Forensics Lecture 6 – Intrusion Detection © Joe Cleetus Concurrent Engineering Research Center, Lane Dept of Computer Science and Engineering,
A System for Denial-of- Service Attack Detection Based on Multivariate Correlation Analysis.
Stamping out worms and other Internet pests Miguel Castro Microsoft Research.
DETECTING TARGETED ATTACKS USING SHADOW HONEYPOTS AUTHORS: K. G. Anagnostakisy, S. Sidiroglouz, P. Akritidis, K. Xinidis, E. Markatos, A. D. Keromytisz.
S E C U R E C O M P U T I N G Not For Public Release 1 Intrusion Tolerant Server Infrastructure Dick O’Brien OASIS PI Meeting July 25, 2001.
Workpackage 3 New security algorithm design ICS-FORTH Ipswich 19 th December 2007.
Cryptography and Network Security Sixth Edition by William Stallings.
Intrusion Detection Systems Paper written detailing importance of audit data in detecting misuse + user behavior 1984-SRI int’l develop method of.
Security System for KOREN/APII-Testbed
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
Sensitivity of PCA for Traffic Anomaly Detection Evaluating the robustness of current best practices Haakon Ringberg 1, Augustin Soule 2, Jennifer Rexford.
Role Of Network IDS in Network Perimeter Defense.
Intrusion Detection and Prevention Systems By Colton Delman COSC 454 Information Assurance Management.
DOWeR Detecting Outliers in Web Service Requests Master’s Presentation of Christian Blass.
Some Great Open Source Intrusion Detection Systems (IDSs)
Constraint Framework, page 1 Collaborative learning for security and repair in application communities MIT site visit April 10, 2007 Constraints approach.
25/09/ Firewall, IDS & IPS basics. Summary Firewalls Intrusion detection system Intrusion prevention system.
Vigilante: End-to-End Containment of Internet Worms Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang and Paul Barham.
HIPS. Host-Based Intrusion Prevention Systems  One of the major benefits to HIPS technology is the ability to identify and stop known and unknown attacks,
Shellcode COSC 480 Presentation Alison Buben.
Snort – IDS / IPS.
Intrusion Detection using Deep Neural Networks
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
Techniques, Tools, and Research Issues
Self Healing and Dynamic Construction Framework:
Web Server Protection against Application Layer DDoS Attacks using Machine Learning and Traffic Authentication Jema David Nidbwile*, Kazuya Okada**, Youki.
Outline Introduction Characteristics of intrusion detection systems
TriggerScope Towards Detecting Logic Bombs in Android Applications
Emerging Cyber Tech for Evolving Cyber Threats Chris Hankin
TriggerScope Towards detecting logic bombs in android applications
Automatic and Precise Client-Side Protection against CSRF Attacks
Analyzing WebView Vulnerabilities in Android Applications
Intrusion Detection & Prevention
IS4680 Security Auditing for Compliance
Advisor: Frank,Yeong-Sung Lin Presented by Jia-Ling Pan
Presentation transcript:

Detecting Targeted Attacks Using Shadow Honeypots K.G. Anagnostakis et al Presented by: Rui Peng

Outline Honeypots & anomaly detection systems Design of shadow honeypots Implementation of a shadow honeypot Performance evaluation Discussion and conclusion

Basic Concepts IPS: Intrusion Prevention Systems IDS: Intrusion Detection Systems Rule-based Limited for known attacks For previously unknown attacks Honeypots Anomaly detection systems (ADS)

A Simple Classification

What is a shadow honeypot? An instance of the protected application Shares all internal state with the normal instance Attacks will be detected Legitimate traffic misclassified as attacks will be validated

Key components Filtering: blocks known attacks Drops certain requests before processing ADS: labels traffic as malicious or benign Malicious traffic directed to shadow honeypot Benign traffic to normal application Shadow honeypot: detects attacks State changes by attacks discarded State changes by misclassified traffic preserved

Implementation Distributed Anomaly Detector Shadow honeypot Network Processor for load balancing An array of anomaly detector sensors Payload sifting and abstract payload execution Shadow honeypot Focuses on memory-violation attacks Code transformation tool takes original source code and generates shadow honeypot code

Creating a shadow honeypot Move all static memory buffers to the heap Dynamically allocate memory using pmalloc() Two additional write-protected pages to bracket the allocated buffer

Code transformation

Performance results Capable of processing all false-positives and detecting attacks. Instrumentation is expensive: 20% - 50% overhead. Still, overhead is within the processing budget.

Benefits Allow AD be tuned towards high sensitivity Less undetected attacks More false positives, but still ok because they will be processed as normal Self-train and fine-tune Attacks detected by shadow honeypot is used to train filtering component Benign traffic validated by shadow honeypot is used to train anomaly detectors

Limitations Creating a shadow honeypot requires source code transformation. Can only detect memory-violation attacks. Apache web server and Mozilla Firefox are the only tested applications. No mention of how filtering component and anomaly detectors can be trained.

Thank you! Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.