Detecting Targeted Attacks Using Shadow Honeypots

Presentation on theme: "Detecting Targeted Attacks Using Shadow Honeypots"— Presentation transcript:

1 Detecting Targeted Attacks Using Shadow Honeypots
K.G. Anagnostakis et al.
Presented by: Rui Peng

2 Outline
Honeypots & anomaly detection systems
Design of shadow honeypots
Implementation of a shadow honeypot
Performance evaluation
Discussion and conclusion

3 Basic Concepts
IPS: Intrusion Prevention Systems
IDS: Intrusion Detection Systems
  Rule-based, so limited to known attacks
For previously unknown attacks:
  Honeypots
  Anomaly detection systems (ADS)

4 A Simple Classification

5 What is a shadow honeypot?
An instance of the protected application
Shares all internal state with the normal instance
Attacks will be detected
Legitimate traffic misclassified as attacks will be validated

6

7 Key components
Filtering: blocks known attacks
  Drops certain requests before processing
ADS: labels traffic as malicious or benign
  Malicious traffic is directed to the shadow honeypot
  Benign traffic goes to the normal application
Shadow honeypot: detects attacks
  State changes caused by attacks are discarded
  State changes caused by misclassified traffic are preserved

8

9 Implementation
Distributed anomaly detector
  Network processor for load balancing
  An array of anomaly detector sensors
  Payload sifting and abstract payload execution
Shadow honeypot
  Focuses on memory-violation attacks
  A code transformation tool takes the original source code and generates the shadow honeypot code

10

11 Creating a shadow honeypot
Move all static memory buffers to the heap
Dynamically allocate memory using pmalloc()
Two additional write-protected pages bracket the allocated buffer
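The pmalloc() scheme on this slide, as an added example in C (not the paper's own code): the buffer is mapped on its own pages with a write-protected guard page immediately before and after it, right-aligned so that even a one-byte overrun lands on the upper guard. The names pbuf_t and is_writable, and the struct-based pmalloc() signature, are assumptions for this example; is_writable() probes a page through the kernel so the demonstration itself never faults.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>

/* Buffer from pmalloc(): the usable bytes end exactly where the upper guard
   page starts, so even a one-byte overrun lands on a PROT_NONE page. */
typedef struct {
    void  *base;     /* whole mapping, starting at the lower guard page */
    size_t map_len;  /* mapped length including both guard pages */
    char  *buf;      /* usable buffer of `size` bytes */
    size_t size;
} pbuf_t;

/* pmalloc-style allocation: data pages bracketed by two guard pages. */
int pmalloc(pbuf_t *pb, size_t size) {
    size_t ps = (size_t)sysconf(_SC_PAGESIZE);
    size_t data_len = ((size + ps - 1) / ps) * ps;   /* round up to pages */
    size_t map_len = data_len + 2 * ps;
    char *m = mmap(NULL, map_len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return -1;
    /* Lower and upper guards: any read or write there faults (SIGSEGV). */
    if (mprotect(m, ps, PROT_NONE) != 0 ||
        mprotect(m + ps + data_len, ps, PROT_NONE) != 0) {
        munmap(m, map_len);
        return -1;
    }
    pb->base = m;
    pb->map_len = map_len;
    pb->buf = m + ps + data_len - size;   /* right-align against upper guard */
    pb->size = size;
    return 0;
}

void pfree(pbuf_t *pb) { munmap(pb->base, pb->map_len); pb->base = NULL; }

/* Checks whether `addr` is writable without faulting our own process: the
   kernel copies one byte from /dev/zero to `addr` and reports EFAULT when
   that page is not writable, which is exactly what a guard page looks like. */
int is_writable(void *addr) {
    int fd = open("/dev/zero", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, addr, 1);
    int err = errno;
    close(fd);
    return n == 1 ? 1 : (n < 0 && err == EFAULT) ? 0 : -1;
}
```

In the shadow honeypot a write that reaches the guard page raises SIGSEGV, which the instrumented instance treats as a detected attack and whose state changes it discards.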

12 Code transformation

13 Performance results
Capable of processing all false positives and detecting attacks.
Instrumentation is expensive: 20% - 50% overhead.
Still, the overhead is within the processing budget.

14 Benefits
Allows the AD to be tuned towards high sensitivity
  Fewer undetected attacks
  More false positives, but still acceptable because they are processed as normal traffic
Self-training and fine-tuning
  Attacks detected by the shadow honeypot are used to train the filtering component
  Benign traffic validated by the shadow honeypot is used to train the anomaly detectors

15 Limitations
Creating a shadow honeypot requires source code transformation.
Can only detect memory-violation attacks.
Apache web server and Mozilla Firefox are the only tested applications.
No mention of how the filtering component and anomaly detectors can be trained.

16 Thank you! Questions?

