
1 DETECTING TARGETED ATTACKS USING SHADOW HONEYPOTS. AUTHORS: K. G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, A. D. Keromytis. PUBLICATION: USENIX Security Symposium, 2007. PRESENTATION BY: Bharat Soundararajan

2 OUTLINE
• Shadow honeypot
• Shadow honeypot architecture
• Shadow honeypot implementation
• Advantages
• Weaknesses

3 HONEYPOTS
• A decoy system (for example installed in VMware) that fools attackers: the attacker interacts with the decoy believing it to be the real system.
• Most effective only against scanning/random attacks, which hit the decoy by chance. Within that scope its accuracy is high.
• Because of this high accuracy it has few false positives.

4 ANOMALY DETECTION SYSTEMS
• Detect malware by deviations from normal activity, not by signatures.
• This offers the possibility of detecting previously unknown attacks.
• Effective against all attacks, but with low accuracy.
• Hence many false positives. The paper addresses this by sending every suspected false positive to the shadow honeypot for processing.

5 INTRODUCTION TO SHADOW HONEYPOT
A novel approach that uses a shadow honeypot to process the false positives of an anomaly detector.
• Honeypot. Advantages: few false positives. Disadvantages: detects only scanning/random attacks.
• Anomaly Detection System (ADS). Advantages: detects all types of attacks (random + directed). Disadvantages: many false positives.

6 COMPARISON BETWEEN DIFFERENT SYSTEMS (table on slide)
• Honeypots: cover random/scanning attacks only.
• Anomaly detection systems: cover all attacks (random + targeted).

7 SHADOW HONEYPOT STEPS
Incoming packets pass through three stages of processing:
1) Filtering: traffic matching previously known signatures is blocked. A firewall performs this filtering.
2) ADS: the anomaly detector decides whether the packet looks like a malware infection and sends it either to the shadow or to the original system. TXL (a source-to-source transformation tool) is used to derive the shadow version of the code from the original.
3) SHADOW HONEYPOT: a packet flagged as a suspect by the ADS is processed by the shadow, which checks for an actual infection.
Rollback: used to bring the process back to its pre-request state after an infection has been detected in the shadow.

8 SHADOW HONEYPOT ARCHITECTURE (figure on slide)

9 RULES ON ADS
• If the ADS flags a suspect: process the request in the shadow honeypot to detect an infection. If the shadow finds no attack, mark the request as a false positive; if it finds one, update the filters.
• If the ADS flags no suspect: handle the request normally on the production service. A random sample of these requests is also run through the shadow; if the shadow finds an attack, mark it as a false negative.

10 SYSTEM WORKFLOW (flowchart on slide: FILTERS → ADS → SHADOW HONEYPOT)
• Filters: known malware is blocked; everything else is forwarded to the ADS.
• ADS, suspect = yes: use the shadow. Attack found → update ADS and filters. No attack → indicate false positive.
• ADS, suspect = no: random selection → use the shadow. Attack found → indicate false negative. Otherwise handle normally.

11 TYPES OF ADS USED
Payload Sifting:
• Derives a fingerprint of a worm by detecting common and popular substrings in network traffic.
• This ADS has detected many worms, but unlikely before some system has been compromised.
Buffer Overflow Detection via Abstract Payload Execution:
• Searches the payload for long sequences of valid instructions.
• Used together with the shadow honeypot to reduce its false positives.

12 TYPES OF COUPLING
• Tight coupling: the shadow is derived from the original code and runs in the same address space, sharing state and process with the original. Advantage: the attacker's exploit behaves exactly as it would against the original, because shadow and original share the same address space.
• Loose coupling: the shadow version runs in a separate address space and does not share state or process with the original. Advantage: the shadows can be managed by a third entity.

13 SHADOW HONEYPOT IMPLEMENTATION (figure on slide: sensors)

14 pmalloc() FOR CREATING SHADOWS
• Dynamically allocates a buffer for each shadowed allocation.
• Places two read-only guard pages around that dynamic buffer, so an overflow faults instead of silently corrupting memory.
• A pointer selects whether the buffer is allocated this way; it is controlled by the Anomaly Detection System.

15 pmalloc() FOR CREATING SHADOWS (pseudocode)
    if (shadow is enabled) {
        use pmalloc() for the dynamic allocation and test for buffer overflows
    } else {
        static allocation
    }
    ...
    if (shadow is enabled) {
        free the allocated memory
    }

16 transaction()
• A signal handler reports when a buffer overflow occurs (the write hits a guard page).
• The signal handler simply notifies the operating system to abort all state changes made by the process while processing this request.
Uses of transaction():
• Inside the main loop, it notifies the operating system that the transaction completed successfully.
• Inside the signal handler, it notifies the operating system that an attack has been detected.
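A working re-creation of the pmalloc()/transaction() mechanism described on slides 14 to 16, added here as an example; it is not the paper's code and not the presenter's. It assumes Linux/POSIX (mmap, mprotect, sigaction, sigsetjmp) and deviates from the slide in one respect: the guard pages are PROT_NONE rather than read-only, so a stray read into the guard is caught as well as an overflowing write. The names pmalloc_shadow, pfree_shadow and process_request_shadowed are hypothetical, and the two sample requests are constructed for the demo.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical pmalloc(): a buffer carved out of an anonymous mapping whose
 * first and last pages are guard pages. */
typedef struct {
    void  *map;      /* start of the whole mapping (leading guard page) */
    size_t map_len;  /* total mapped length, a multiple of the page size */
    char  *buf;      /* buffer handed to the request handler */
    size_t len;      /* requested buffer length */
} shadow_buf;

static size_t page_size(void)
{
    long ps = sysconf(_SC_PAGESIZE);
    return ps > 0 ? (size_t)ps : 4096;
}

/* Returns 0 on success, -1 if the mapping could not be set up. */
int pmalloc_shadow(shadow_buf *sb, size_t len)
{
    size_t ps = page_size();
    size_t data_pages = (len + ps - 1) / ps;   /* pages holding the data */
    size_t map_len = (data_pages + 2) * ps;    /* plus two guard pages */
    void *m = mmap(NULL, map_len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED)
        return -1;
    char *lead_guard  = (char *)m;
    char *trail_guard = (char *)m + (data_pages + 1) * ps;
    /* Any access to a guard page faults and the kernel raises SIGSEGV. */
    if (mprotect(lead_guard, ps, PROT_NONE) != 0 ||
        mprotect(trail_guard, ps, PROT_NONE) != 0) {
        munmap(m, map_len);
        return -1;
    }
    sb->map = m;
    sb->map_len = map_len;
    /* Buffer ends exactly at the trailing guard page, so even a one-byte
     * overrun lands on protected memory. */
    sb->buf = trail_guard - len;
    sb->len = len;
    return 0;
}

void pfree_shadow(shadow_buf *sb)
{
    if (sb->map != NULL)
        munmap(sb->map, sb->map_len);
    sb->map = NULL;
}

/* transaction() analogue: the main loop takes a checkpoint with sigsetjmp();
 * the SIGSEGV handler records the attack and jumps back to it, discarding
 * everything the request did after the checkpoint. */
static sigjmp_buf tx_checkpoint;
static volatile sig_atomic_t tx_attack_detected;

static void overflow_handler(int sig)
{
    (void)sig;
    tx_attack_detected = 1;
    siglongjmp(tx_checkpoint, 1);   /* abort the transaction */
}

/* Handle one request in a 64-byte shadow buffer using the unchecked copy the
 * shadow is meant to catch. Returns 0 = processed normally, 1 = overflow
 * caught and request rolled back, -1 = setup failure. */
int process_request_shadowed(const char *req, size_t req_len)
{
    shadow_buf sb;
    if (pmalloc_shadow(&sb, 64) != 0)
        return -1;
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = overflow_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    tx_attack_detected = 0;
    int result;
    if (sigsetjmp(tx_checkpoint, 1) == 0) {
        memcpy(sb.buf, req, req_len);   /* no length check: the bug under test */
        result = 0;                     /* transaction completed successfully */
    } else {
        result = 1;                     /* handler reported an attack */
    }
    sigaction(SIGSEGV, &old, NULL);     /* restore the previous handler */
    pfree_shadow(&sb);
    return result;
}

/* Constructed sample requests: one that fits, one that overruns the buffer. */
int demo_benign_request(void)
{
    const char req[] = "GET /index.html HTTP/1.0";
    return process_request_shadowed(req, sizeof req);
}

int demo_overflowing_request(void)
{
    char req[256];
    memset(req, 'A', sizeof req);
    return process_request_shadowed(req, sizeof req);
}
```

The rollback here is only the discarding of stack state via siglongjmp; the paper's transaction() additionally asks the operating system to undo the process's other state changes, which a real shadow needs because an overflow can corrupt heap or file state before the guard page is hit.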


18 ADVANTAGES
• It allows anomaly detectors to be tuned towards low false negatives, because the resulting false positives are absorbed by the shadow honeypot.
• The architecture covers both the server side and the client side.

19 WEAKNESSES IN THIS PAPER
• Improper placement of transaction() calls leaves a window in which an attack is not rolled back, i.e. a vulnerability.
• The authors have not explored in depth the use of feedback from the shadow honeypot to tune the anomaly detection components.

20 THANK YOU

