Detecting Targeted Attacks Using Shadow Honeypots
Authors: K.G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, A.D. Keromytis

Detecting Targeted Attacks Using Shadow Honeypots
Authors: K.G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, A.D. Keromytis
Published: USENIX Security Symposium 2005
Presenter: Brian Shoeman

Topics to Be Covered
- Why Shadow Honeypots?
- Shadow Honeypot Architecture
- Shadow Honeypot Implementation
- Contributions
- Weaknesses
- Future Considerations

Current Detection Mechanisms
- Intrusion Detection Systems (IDSs)
  - Limited to protecting against previously known attacks
- Anomaly Detection Systems (ADSs)
  - Pros: large scope (can detect scan-based as well as targeted attacks)
  - Cons: low accuracy (a trade-off between false positives and false negatives)

Current Detection Mechanisms (cont.)
- Honeypots
  - Pros: high degree of accuracy
  - Cons: low degree of scope (most useful against scan-based or random attacks)

Shadow Honeypots: Increasing Accuracy
- The shadow honeypot only looks at traffic that is flagged by the ADS
- The shadow honeypot checks the flagged traffic, so false positives from the ADS are still handled correctly by the application
- Because the shadow honeypot absorbs false positives, system designers can increase the sensitivity of the ADS to minimize false negatives

Shadow Honeypots: Increasing Scope
- Shadow honeypots can be adapted to both server-side and client-side applications
- Detect random/scan anomalies as the traffic enters the application
- Detect passive attacks (e.g. one where a user downloads malicious content)
- Detect attacks that target a specific site with a specific internal state

Shadow Honeypot Architecture

Steps in the Shadow Honeypot Architecture
1. Traffic enters the filter. Known threats are filtered out.
2. The anomaly detection system checks the traffic. Possible threats are forwarded to the shadow honeypot code.
3. A random sample of regular traffic is also sent to the shadow honeypot to check for false negatives. Otherwise, it is handled normally by the application.

Steps in the Shadow Honeypot Code
1. The shadow application accepts the traffic and checks for specific types of failures caused by malicious code.
2. If the traffic is determined to be malicious, the filter is updated to block further attacks, and the state of the application is rolled back to its initial state.
3. If the traffic is not malicious, it is handled normally, but at a higher latency.
4. If the traffic passed the ADS, was randomly sent to the shadow honeypot, and is determined to be malicious, the ADS is updated to protect against future false negatives.

Shadow Honeypot Implementation
- Utilized two anomaly detection heuristics
- Payload sifting
  - Derives fingerprints of worms
  - If used outside of a shadow honeypot, many systems would be compromised before a fingerprint is developed
- Buffer overflow detection via abstract payload execution
  - Searches for long sequences of valid instructions
  - Use within a shadow honeypot architecture reduces the risk of false positives

pmalloc()
- Allocates two read-only memory pages around each requested buffer
- Protects against buffer overflows
- The returned pointer can be adjusted so that the buffer ends exactly at a read-only page, so an overflow immediately triggers a fault

transaction()
- Called in the main processing loop
  - Indicates to the OS that a new transaction has begun
- Called in the main processing loop after an event has been handled
  - Indicates successful completion of a non-malicious transaction
- Called within the signal handler
  - Indicates that an attack has been detected; the OS restores all original pages
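An added C sketch of the two mechanisms on the pmalloc() and transaction() slides; it is example code written for this transcript, not the paper's implementation. It assumes Linux/POSIX mmap, mprotect and sigsetjmp, and the names pmalloc, shadow_transaction and demo, the 64-byte buffer and the 'A'-filled inputs are constructed for the illustration. The fault handler here only rolls control flow back to the checkpoint; the paper's transaction() additionally has the OS restore the modified memory pages.

```c
#define _DEFAULT_SOURCE 1
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* pmalloc(): put the buffer at the end of writable pages so the byte just past
 * it lies in a read-only guard page; any overflow faults at once.
 * Illustration only: the mapping is never unmapped. */
static void *pmalloc(size_t len) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t body = (len + page - 1) / page * page;          /* writable pages */
    uint8_t *base = mmap(NULL, body + 2 * page, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    mprotect(base, page, PROT_READ);                       /* leading guard */
    mprotect(base + page + body, page, PROT_READ);         /* trailing guard */
    return base + page + body - len;   /* pointer adjusted to end at the guard */
}

static sigjmp_buf checkpoint;                /* saved when the transaction begins */
static volatile sig_atomic_t attack_detected;

/* Signal-handler role of transaction(): record the attack and roll control
 * back to the checkpoint instead of letting the process crash. */
static void on_fault(int sig) {
    (void)sig; attack_detected = 1; siglongjmp(checkpoint, 1);
}

/* One shadow transaction: an unchecked copy of n input bytes into a 64-byte
 * pmalloc'd buffer. Returns 1 if it completed, 0 if a guard-page fault
 * flagged the input as an attack. */
static int shadow_transaction(const uint8_t *input, size_t n) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    attack_detected = 0;
    volatile int ok = 0;
    if (sigsetjmp(checkpoint, 1) == 0) {                   /* transaction begins */
        uint8_t *buf = pmalloc(64);
        for (size_t i = 0; i < n; i++) buf[i] = input[i];  /* the "vulnerable" copy */
        ok = 1;                                             /* transaction completed */
    }
    sigaction(SIGSEGV, &old, NULL);
    return ok && !attack_detected;
}

/* Constructed input of n 'A' bytes: 64 fit the buffer, 80 spill into the guard page. */
int demo(size_t n) { uint8_t in[128]; memset(in, 'A', sizeof in); return shadow_transaction(in, n); }
```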

Contributions
- Customizable architecture: can be set up to detect specific types of attacks or many types of attacks, at the cost of higher latency
- Can be tightly coupled to a client to protect against passive attacks (e.g. the buffer overflow vulnerability in IE's JPEG handling)

Weaknesses in the Architecture
- High overhead (found to be up to 50% on Mozilla Firefox with scrolling page-load mechanisms)
- Can be made vulnerable by improper placement of the transaction() function
- Potential for high memory overhead
- Does not work when the process must communicate with another process not included in the transaction definition while servicing a request

Weaknesses in the Paper
- Did not discuss any specifics of how the filter and ADS are updated from shadow honeypot results
- Attempted to explain away weaknesses in the architecture

Future Work
- Experiment with signals to the filter and ADS to reduce the latency of the system
- Fine-tune the system to increase performance
- Experiment with different design methodologies