DETECTING TARGETED ATTACKS USING SHADOW HONEYPOTS - PowerPoint PPT Presentation

Slides: 21
Provided by: Owne152
Learn more at: http://www.cs.ucf.edu

Transcript and Presenter's Notes

1
DETECTING TARGETED ATTACKS USING SHADOW HONEYPOTS
AUTHORS: K. G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, A. D. Keromytis
PUBLICATION: USENIX Security Symposium, 2007.
PRESENTATION BY: Bharat Soundararajan
2
OUTLINE
  • SHADOW HONEYPOT
  • SHADOW HONEYPOT ARCHITECTURE
  • SHADOW HONEYPOT IMPLEMENTATION
  • ADVANTAGES
  • WEAKNESSES

3
HONEYPOTS
  • A decoy system (here installed under VMware) that fools attackers into
    doing everything in the fake system, assuming that it is the original
    system
  • It is effective only against scanning/random attacks, but it has high
    accuracy
  • Because of that high accuracy it has low false positives


4
ANOMALY DETECTION SYSTEMS
  • Detects malware based only on deviations from common activity, not on
    signatures
  • It offers the possibility of detecting previously unknown attacks
  • It is effective against all attacks, but it has low accuracy
  • It has high false positives. This problem is solved by handing all
    suspected false positives to the shadow honeypot for processing

5
INTRODUCTION TO SHADOW HONEYPOT
  • A novel approach that uses a shadow honeypot to process the false
    positives of an anomaly detector
  • Honeypot
    • Advantage: fewer false positives
    • Disadvantage: it can detect only scan/random attacks
  • Anomaly Detection Systems (ADS)
    • Advantage: it can detect all types of attacks (random and directed
      attacks)
    • Disadvantage: many false positives

6
COMPARISON BETWEEN DIFFERENT SYSTEMS
  • Honeypot: random/scanning attacks
  • ADS: all attacks (random and targeted)
7
SHADOW HONEYPOT STEPS
  • Incoming packets pass through three stages of the security process:
  • 1) Filtering: blocks traffic that matches previously known signatures;
    a firewall is used for this filtering.
  • 2) ADS: decides whether a request looks like a malware infection and
    sends it to either the shadow or the original system. TXL is used for
    converting the original code into the shadow.
  • 3) SHADOW HONEYPOT: the suspect request from the ADS is sent to the
    shadow, which checks whether it actually causes an infection.
  • Rollback: used to bring the process back to its previous state after a
    malware infection is detected

8
SHADOW HONEYPOT ARCHITECTURE

9
Rules on ADS
  • If there is a suspect:
    • Use the shadow honeypot for malware infection detection
    • Indicate it as a false positive and update the filters
  • No suspect:
    • If malware is found by random use of the shadow honeypots, indicate a
      false negative
    • Handle the request normally, using the normal service

10
SYSTEM WORKFLOW
(Flowchart; only its labels survived extraction.) FILTERS: Malware? Yes: Block; No: Forward to ADS. ADS: Suspect? Yes: Use shadow (SHADOW HONEYPOT): Attack? Yes: Update ADS and FILTERS; No: Indicate False positive. Suspect? No: Random: Use shadow? Yes: Attack? Yes: Indicate False Negative; No: Handle Normally.
11
TYPES OF ADS USED
  • Payload Sifting
    • Derives fingerprints of worms by detecting common and popular
      substrings in the network traffic
    • This ADS has detected many worms, but a detection does not by itself
      mean that some system has actually been compromised
  • Buffer Overflow Detection via Abstract Payload Execution
    • Searches the payload for long sequences of valid instructions
    • Used together with the shadow honeypot to reduce false positives

12
TYPES OF COUPLING
  • Tight Coupling
    • The shadow is extracted from the code and used in the same address
      space, sharing state and processes with the original code
    • Advantage: the attacker's exploit sees no difference, because the
      shadow and the original share the same address space
  • Loose Coupling
    • The shadow version runs in a different address space and does not
      share state or processes with the original
    • Advantage: management of the shadows can be done by a third entity


13
SHADOW HONEYPOT IMPLEMENTATION
(Implementation figure; only the label "sensors" survived extraction.)
14
Pmalloc() for creating Shadows
  • Dynamically allocates a buffer for each shadow
  • Assigns two read-only guard pages to that dynamic buffer
  • A pointer is used for the reallocation of buffers and is controlled by
    the Anomaly Detection Systems

15
Pmalloc() for creating Shadows
  If (Shadow is enabled): use pmalloc for dynamic allocation and test for
  buffer overflows
  Else: static allocation
  If (Shadow is enabled): free the allocated memory
16
Transaction( )
  • A signal handler reports when a buffer overflow occurs
  • The signal handler simply notifies the operating system to abort all
    state changes made by the process while processing this request
  • Transaction() is used
    • to notify successful completion of the transaction, from inside the
      main loop
    • to notify the operating system that an attack has been detected, from
      inside the signal handler

17

18
ADVANTAGES
  • First, it allows anomaly detectors to be tuned towards low false
    negatives, because the resulting false positives are handled by the
    shadow honeypots
  • It has both server-side and client-side architectures

19
WEAKNESSES IN THIS PAPER
  • Improper placement of transaction() calls will lead to vulnerability
  • They have not explored in depth the use of feedback from the shadow
    honeypot to tune the anomaly detection components

20
THANK YOU