Detecting Targeted Attacks Using Shadow Honeypots - PowerPoint PPT Presentation

About This Presentation
Title:

Detecting Targeted Attacks Using Shadow Honeypots

Description:

Detecting Targeted Attacks Using Shadow Honeypots K.G. Anagnostakis et al Presented by: Rui Peng Outline Honeypots & anomaly detection systems Design of shadow ... – PowerPoint PPT presentation

Number of Views:361
Avg rating:3.0/5.0
Slides: 17
Provided by: csUcfEdu67
Learn more at: http://www.cs.ucf.edu
Category:

less

Transcript and Presenter's Notes

Title: Detecting Targeted Attacks Using Shadow Honeypots


1
Detecting Targeted Attacks Using Shadow Honeypots
  • K.G. Anagnostakis et al
  • Presented by Rui Peng

2
Outline
  • Honeypots anomaly detection systems
  • Design of shadow honeypots
  • Implementation of a shadow honeypot
  • Performance evaluation
  • Discussion and conclusion

3
Basic Concepts
  • IPS Intrusion Prevention Systems
  • IDS Intrusion Detection Systems
  • Rule-based
  • Limited for known attacks
  • For previously unknown attacks
  • Honeypots
  • Anomaly detection systems (ADS)

4
A Simple Classification
5
What is a shadow honeypot?
  • An instance of the protected application
  • Shares all internal state with the normal
    instance
  • Attacks will be detected
  • Legitimate traffic misclassified as attacks will
    be validated

6
(No Transcript)
7
Key components
  • Filtering blocks known attacks
  • Drops certain requests before processing
  • ADS labels traffic as malicious or benign
  • Malicious traffic directed to shadow honeypot
  • Benign traffic to normal application
  • Shadow honeypot detects attacks
  • State changes by attacks discarded
  • State changes by misclassified traffic preserved

8
(No Transcript)
9
Implementation
  • Distributed Anomaly Detector
  • Network Processor for load balancing
  • An array of anomaly detector sensors
  • Payload sifting and abstract payload execution
  • Shadow honeypot
  • Focuses on memory-violation attacks
  • Code transformation tool takes original source
    code and generates shadow honeypot code

10
(No Transcript)
11
Creating a shadow honeypot
  • Move all static memory buffers to the heap
  • Dynamically allocate memory using pmalloc()
  • Two additional write-protected pages to bracket
    the allocated buffer

12
Code transformation
13
Performance results
  • Capable of processing all false-positives and
    detecting attacks.
  • Instrumentation is expensive 20 - 50 overhead.
  • Still, overhead is within the processing budget.

14
Benefits
  • Allow AD be tuned towards high sensitivity
  • Less undetected attacks
  • More false positives, but still ok because they
    will be processed as normal
  • Self-train and fine-tune
  • Attacks detected by shadow honeypot is used to
    train filtering component
  • Benign traffic validated by shadow honeypot is
    used to train anomaly detectors

15
Limitations
  • Creating a shadow honeypot requires source code
    transformation.
  • Can only detect memory-violation attacks.
  • Apache web server and Mozilla Firefox are the
    only tested applications.
  • No mention of how filtering component and anomaly
    detectors can be trained.

16
Thank you!
  • Questions?
Write a Comment
User Comments (0)
About PowerShow.com