Detecting Targeted Attacks Using Shadow Honeypots - PowerPoint PPT Presentation


Slides: 17
Provided by: csUcfEdu67
Learn more at: http://www.cs.ucf.edu
1
Detecting Targeted Attacks Using Shadow Honeypots
  • K.G. Anagnostakis et al
  • Presented by Rui Peng

2
Outline
  • Honeypots & anomaly detection systems
  • Design of shadow honeypots
  • Implementation of a shadow honeypot
  • Performance evaluation
  • Discussion and conclusion

3
Basic Concepts
  • IPS: Intrusion Prevention Systems
  • IDS: Intrusion Detection Systems
      • Rule-based
      • Limited to known attacks
  • For previously unknown attacks:
      • Honeypots
      • Anomaly detection systems (ADS)

4
A Simple Classification
5
What is a shadow honeypot?
  • An instance of the protected application
  • Shares all internal state with the normal
    instance
  • Attacks will be detected
  • Legitimate traffic misclassified as attacks will
    be validated

6
(No Transcript)
7
Key components
  • Filtering: blocks known attacks
      • Drops certain requests before processing
  • ADS: labels traffic as malicious or benign
      • Malicious traffic directed to shadow honeypot
      • Benign traffic to normal application
  • Shadow honeypot: detects attacks
      • State changes by attacks discarded
      • State changes by misclassified traffic preserved

8
(No Transcript)
9
Implementation
  • Distributed Anomaly Detector
      • Network Processor for load balancing
      • An array of anomaly detector sensors
      • Payload sifting and abstract payload execution
  • Shadow honeypot
      • Focuses on memory-violation attacks
      • Code transformation tool takes original source
        code and generates shadow honeypot code

10
(No Transcript)
11
Creating a shadow honeypot
  • Move all static memory buffers to the heap
  • Dynamically allocate memory using pmalloc()
  • Two additional write-protected pages to bracket
    the allocated buffer
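
The following program is an added example, not code from the paper or from this presentation. It puts slides 7 and 11 together: a guarded allocator in the spirit of the paper's pmalloc() (the name pmalloc_guarded and its layout are this example's own), a request handler with a constructed unchecked copy standing in for a real memory-safety bug, and the filter -> ADS -> shadow/normal dispatch. A write into a guard page raises SIGSEGV (SIGBUS on some platforms); the shadow instance traps it with sigsetjmp/siglongjmp, reports an attack and discards its scratch copy of the application state, while a request the ADS merely misclassified runs to completion and has its state committed. The filter signature and the ADS heuristic are constructed toys. Linux/POSIX only (mmap, mprotect, sigaction).

```c
/* Added example: shadow-honeypot style instrumentation (not the paper's code). */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

#define BUF_LEN 64                    /* size of the handler's request buffer */

enum verdict { SERVED, DROPPED_BY_FILTER, ATTACK_DETECTED };
typedef struct { int served; long bytes; } app_state;   /* state shared by both instances */

/* ---- pmalloc-style guarded allocation: [PROT_NONE][data ... buf][PROT_NONE] ---- */
static size_t pg(void) { return (size_t)sysconf(_SC_PAGESIZE); }

/* n usable bytes whose last byte touches a write-protected page, so a one-byte
   overflow faults; the leading guard catches underflows at page granularity. */
unsigned char *pmalloc_guarded(size_t n) {
    size_t data_pages = (n + pg() - 1) / pg(), total = (data_pages + 2) * pg();
    unsigned char *base = mmap(NULL, total, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    if (mprotect(base, pg(), PROT_NONE) != 0 ||
        mprotect(base + (data_pages + 1) * pg(), pg(), PROT_NONE) != 0) {
        munmap(base, total);
        return NULL;
    }
    return base + (data_pages + 1) * pg() - n;
}

void pfree_guarded(unsigned char *p, size_t n) {
    size_t data_pages = (n + pg() - 1) / pg();
    munmap(p + n - (data_pages + 1) * pg(), (data_pages + 2) * pg());
}

/* ---- fault trap: a guard-page hit during a shadow run lands here ---- */
static sigjmp_buf trap;
static volatile sig_atomic_t trap_armed;

static void on_fault(int sig) {
    if (trap_armed) siglongjmp(trap, 1);
    signal(sig, SIG_DFL);             /* outside a shadow run: crash as usual */
}

static void install_trap(void) {
    static int done;
    struct sigaction sa;
    if (done) return;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sa.sa_flags = SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);     /* some platforms report guard hits as SIGBUS */
    done = 1;
}

/* ---- the "protected application": constructed bug, no length check on the copy ---- */
static void handle_request(app_state *st, unsigned char *buf,
                           const unsigned char *req, size_t len) {
    memcpy(buf, req, len);
    st->served++;
    st->bytes += (long)len;
}

/* Normal instance: plain heap buffer, no instrumentation. Only traffic the ADS
   labelled benign reaches it, so a long request here would corrupt memory. */
enum verdict normal_instance(app_state *st, const unsigned char *req, size_t len) {
    unsigned char *buf = malloc(BUF_LEN);
    handle_request(st, buf, req, len);
    free(buf);
    return SERVED;
}

/* Shadow instance: guarded buffer plus a scratch copy of the state. An overflow trips
   the guard and the scratch state is dropped; otherwise (ADS false positive) it is committed. */
enum verdict shadow_instance(app_state *st, const unsigned char *req, size_t len) {
    app_state scratch = *st;
    unsigned char *buf;
    install_trap();
    buf = pmalloc_guarded(BUF_LEN);
    if (sigsetjmp(trap, 1) != 0) {    /* returned here from on_fault */
        trap_armed = 0;
        pfree_guarded(buf, BUF_LEN);
        return ATTACK_DETECTED;       /* *st untouched */
    }
    trap_armed = 1;
    handle_request(&scratch, buf, req, len);
    trap_armed = 0;
    pfree_guarded(buf, BUF_LEN);
    *st = scratch;                    /* legitimate request: keep its effects */
    return SERVED;
}

/* ---- filter and anomaly detector (constructed toy heuristics) ---- */
static const unsigned char KNOWN_BAD[] = "BADSIG";   /* constructed filter signature */
static int filter_blocks(const unsigned char *req, size_t len) {
    return len >= sizeof KNOWN_BAD - 1 && memcmp(req, KNOWN_BAD, sizeof KNOWN_BAD - 1) == 0;
}
/* Deliberately over-sensitive: flags any request that is >= 25% non-printable bytes. */
static int ads_suspicious(const unsigned char *req, size_t len) {
    size_t odd = 0;
    for (size_t i = 0; i < len; i++) if (req[i] < 0x20 || req[i] > 0x7e) odd++;
    return len > 0 && odd * 4 >= len;
}

enum verdict dispatch(app_state *st, const unsigned char *req, size_t len) {
    if (filter_blocks(req, len)) return DROPPED_BY_FILTER;
    if (ads_suspicious(req, len)) return shadow_instance(st, req, len);
    return normal_instance(st, req, len);
}

int main(void) {
    app_state st = {0, 0};
    unsigned char ok[64], big[200];
    memset(ok, 0x01, sizeof ok);      /* odd-looking but fits: ADS false positive */
    memset(big, 0xff, sizeof big);    /* overflows BUF_LEN: caught by the guard page */
    printf("64-byte request: verdict %d, served %d\n", dispatch(&st, ok, 64), st.served);
    printf("200-byte request: verdict %d, served %d\n", dispatch(&st, big, 200), st.served);
    return 0;
}
```

The ADS threshold is intentionally loose, which is the tuning slide 14 argues for: a false positive costs one run through the shadow instance, whose state is then committed, whereas a false negative reaches the uninstrumented normal instance.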

12
Code transformation
13
Performance results
  • Capable of processing all false positives and
    detecting attacks.
  • Instrumentation is expensive: 20-50% overhead.
  • Still, the overhead is within the processing budget.

14
Benefits
  • Allows the ADS to be tuned towards high sensitivity
      • Fewer undetected attacks
      • More false positives, but still acceptable because
        they will be processed as normal traffic
  • Self-training and fine-tuning
      • Attacks detected by the shadow honeypot are used to
        train the filtering component
      • Benign traffic validated by the shadow honeypot is
        used to train the anomaly detectors

15
Limitations
  • Creating a shadow honeypot requires source code
    transformation.
  • Can only detect memory-violation attacks.
  • Apache web server and Mozilla Firefox are the
    only tested applications.
  • No mention of how the filtering component and anomaly
    detectors can be trained.

16
Thank you!
  • Questions?