Detecting Targeted Attacks Using Shadow Honeypots Authors: K.G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, A.D. Keromytis Published:
1 Detecting Targeted Attacks Using Shadow Honeypots
Authors: K.G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, A.D. Keromytis
Published: Usenix Security Symposium 2005
Presenter: Brian Shoeman

2 Topics to Be Covered
- Why Shadow Honeypots?
- Shadow Honeypot Architecture
- Shadow Honeypot Implementation
- Contributions
- Weaknesses
- Future Considerations

3 Current Detection Mechanisms
- Intrusion Detection Systems (IDSs)
  - Limited to protecting against previously known attacks
- Anomaly Detection Systems (ADSs)
  - Pros: large scope (can detect scan-based as well as targeted attacks)
  - Cons: low accuracy (false positives vs. false negatives)

4 Current Detection Mechanisms (Cont.)
- Honeypots
  - Pros: high degree of accuracy
  - Cons: low degree of scope (most useful against scan-based or random attacks)

5 Shadow Honeypots: Increasing Accuracy
- The shadow honeypot only looks at traffic that is flagged by the ADS.
- The shadow honeypot checks flagged traffic, so false positives from the ADS are still handled correctly by the application.
- Because the shadow honeypot absorbs false positives, system designers can increase the sensitivity of the ADS to minimize false negatives.

6 Shadow Honeypots: Increasing Scope
- Shadow honeypots can be adapted to both server-side and client-side applications.
- Detects random/scan anomalies as the traffic enters the application.
- Detects passive attacks (e.g. one where a user downloads malicious content).
- Detects attacks that target a specific site with a specific internal state.

7 Shadow Honeypot Architecture

8 Steps in the Shadow Honeypot Architecture
1. Traffic enters the filter. Known threats are filtered out.
2. The anomaly detection system checks the traffic. Possible threats are forwarded to the shadow honeypot code.
3. Regular traffic is randomly sent to the shadow honeypot to check for false negatives. Otherwise, it is handled normally by the application.

9 Steps in the Shadow Honeypot Code
1. The shadow application accepts the traffic and checks for specific types of failures caused by malicious code.
2. If the traffic is determined to be malicious, the filter is updated to block further attacks, and the state of the application is rolled back to its initial state.
3. If the traffic is not malicious, it is handled normally, but at a higher latency.

10 Steps in the Shadow Honeypot Code (cont.)
4. If the traffic passed the ADS, was randomly sent to the shadow honeypot, and is determined to be malicious, the ADS is updated to protect against future false negatives.

11 Shadow Honeypot Implementation
- Utilized two anomaly detection heuristics:
- Payload Sifting
  - Derives fingerprints of worms.
  - If used outside of a shadow honeypot, many systems would be compromised before a fingerprint is developed.
- Buffer Overflow Detection via Abstract Payload Execution
  - Searches for long sequences of valid instructions.
  - Usage within a shadow honeypot architecture reduces the risk of false positives.

12 pmalloc( )
- Allocates two read-only memory pages around each requested buffer.
- Protects against buffer overflow.
- The returned pointer can be adjusted to protect against buffer overflow.

13 transaction( )
- Called in the main processing loop
  - Indicates to the OS that a new transaction has begun.
- Called in the main processing loop after an event has been handled
  - Indicates successful completion of a non-malicious transaction.
- Called within the signal handler
  - Indicates that an attack has been detected. The OS restores all original pages.

14 Contributions
- The customizable architecture can be set up to detect specific types of attacks or many types of attacks, at the cost of higher latency.
- Can be tightly coupled to a client to protect against passive attacks (e.g. the buffer overflow vulnerability in IE JPEG handling).

15 Weaknesses in the Architecture
- High overhead (found to be up to 50% on Mozilla Firefox with scrolling page load mechanisms).
- Can be made vulnerable by improper placement of the transaction( ) function.
- Potential for high memory overhead.
- Does not work when the process must communicate with another process not included in the transaction definition while servicing a request.

16 Weaknesses in the Paper
- Did not discuss any specifics involving updates to the filter and ADS from shadow honeypot results.
- Attempted to explain away weaknesses in the architecture.

17 Future Work
- Experiment with signals to the filter and ADS to reduce the latency of the system.
- Fine-tune the system to increase performance.
- Experiment with different design methodologies.
