Presentation is loading. Please wait.

Presentation is loading. Please wait.

Detecting Targeted Attacks Using Shadow Honeypots

Published byKelly Lloyd Modified over 5 years ago

Similar presentations

Presentation on theme: "Detecting Targeted Attacks Using Shadow Honeypots"— Presentation transcript:

1 Detecting Targeted Attacks Using Shadow Honeypots
K.G. Anagnostakis et al Presented by: Rui Peng

2 Outline Honeypots & anomaly detection systems
Design of shadow honeypots Implementation of a shadow honeypot Performance evaluation Discussion and conclusion

3 Basic Concepts IPS: Intrusion Prevention Systems
IDS: Intrusion Detection Systems Rule-based Limited for known attacks For previously unknown attacks Honeypots Anomaly detection systems (ADS)

4 A Simple Classification

5 What is a shadow honeypot?
An instance of the protected application Shares all internal state with the normal instance Attacks will be detected Legitimate traffic misclassified as attacks will be validated

6

7 Key components Filtering: blocks known attacks
Drops certain requests before processing ADS: labels traffic as malicious or benign Malicious traffic directed to shadow honeypot Benign traffic to normal application Shadow honeypot: detects attacks State changes by attacks discarded State changes by misclassified traffic preserved

8

9 Implementation Distributed Anomaly Detector Shadow honeypot
Network Processor for load balancing An array of anomaly detector sensors Payload sifting and abstract payload execution Shadow honeypot Focuses on memory-violation attacks Code transformation tool takes original source code and generates shadow honeypot code

10

11 Creating a shadow honeypot
Move all static memory buffers to the heap Dynamically allocate memory using pmalloc() Two additional write-protected pages to bracket the allocated buffer

12 Code transformation

13 Performance results Capable of processing all false-positives and detecting attacks. Instrumentation is expensive: 20% - 50% overhead. Still, overhead is within the processing budget.

14 Benefits Allow AD be tuned towards high sensitivity
Less undetected attacks More false positives, but still ok because they will be processed as normal Self-train and fine-tune Attacks detected by shadow honeypot is used to train filtering component Benign traffic validated by shadow honeypot is used to train anomaly detectors

15 Limitations Creating a shadow honeypot requires source code transformation. Can only detect memory-violation attacks. Apache web server and Mozilla Firefox are the only tested applications. No mention of how filtering component and anomaly detectors can be trained.

16 Thank you! Questions?

Download ppt "Detecting Targeted Attacks Using Shadow Honeypots"

Similar presentations

Scalable Parallel Intrusion Detection Fahad Zafar Advising Faculty: Dr. John Dorband and Dr. Yaacov Yeesha 1 University of Maryland Baltimore County.

Scalable Parallel Intrusion Detection Fahad Zafar Advising Faculty: Dr. John Dorband and Dr. Yaacov Yeesha 1 University of Maryland Baltimore County.
Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell.

Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Application of Bayesian Network in Computer Networks Raza H. Abedi.

Application of Bayesian Network in Computer Networks Raza H. Abedi.
Prime’ Senior Project. Presentation Outline What is Our Project? Problem Definition What does our system do? How does the system work? Implementation.

Prime’ Senior Project. Presentation Outline What is Our Project? Problem Definition What does our system do? How does the system work? Implementation.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
TransAD: A Content Based Anomaly Detector Sharath Hiremagalore Advisor: Dr. Angelos Stavrou October 23, 2013.

TransAD: A Content Based Anomaly Detector Sharath Hiremagalore Advisor: Dr. Angelos Stavrou October 23, 2013.
Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.

Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.
Anomaly Based Intrusion Detection System

Anomaly Based Intrusion Detection System
Presented by Justin Bode CS 450 – Computer Security February 17, 2010.

Presented by Justin Bode CS 450 – Computer Security February 17, 2010.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.

Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.
Honeypot An instrument for attracting and detecting attackers Adapted from R. Baumann.

Honeypot An instrument for attracting and detecting attackers Adapted from R. Baumann.
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
Department Of Computer Engineering

Department Of Computer Engineering
Intrusion Detection System Marmagna Desai [ 520 Presentation]

Intrusion Detection System Marmagna Desai [ 520 Presentation]
Efficient Protection of Kernel Data Structures via Object Partitioning Abhinav Srivastava, Jonathon Giffin AT&T Labs-Research, HP Fortify ACSAC 2012.

Efficient Protection of Kernel Data Structures via Object Partitioning Abhinav Srivastava, Jonathon Giffin AT&T Labs-Research, HP Fortify ACSAC 2012.
Distributed Denial of Service Attack and Prevention Andrew Barkley Quoc Thong Le Gia Matt Dingfield Yashodhan Gokhale.

Distributed Denial of Service Attack and Prevention Andrew Barkley Quoc Thong Le Gia Matt Dingfield Yashodhan Gokhale.
Scientific Computing Department Faculty of Computer and Information Sciences Ain Shams University Supervised By: Mohammad F. Tolba Mohammad S. Abdel-Wahab.

Scientific Computing Department Faculty of Computer and Information Sciences Ain Shams University Supervised By: Mohammad F. Tolba Mohammad S. Abdel-Wahab.

Similar presentations

Ads by Google