
DETECTING TARGETED ATTACKS USING SHADOW HONEYPOTS

Authors: K. G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, A. D. Keromytis. Publication: USENIX Security Symposium, 2005. Presentation by: Bharat Soundararajan.


Presentation Transcript


  1. DETECTING TARGETED ATTACKS USING SHADOW HONEYPOTS
     AUTHORS: K. G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, A. D. Keromytis
     PUBLICATION: USENIX Security Symposium, 2005
     PRESENTATION BY: Bharat Soundararajan

  2. OUTLINE
     • Shadow honeypot
     • Shadow honeypot architecture
     • Shadow honeypot implementation
     • Advantages
     • Weaknesses

  3. HONEYPOTS
     • A decoy system (typically a virtual machine) with no production role. Attackers who land on it behave as if it were a real target, and everything they do is observed without touching production.
     • Effective mainly against scanning/random attacks: a honeypot only sees traffic that is sprayed at addresses nobody should be using, so a targeted attack on a real service never reaches it.
     • High accuracy and therefore low false positives: nobody has a legitimate reason to interact with the decoy, so any interaction with it is suspicious.

  4. ANOMALY DETECTION SYSTEMS
     • An anomaly detection system (ADS) flags deviations from a model of normal activity; it does not match known signatures.
     • It can therefore detect previously unknown attacks, including targeted ones.
     • It is effective against all attacks but has low accuracy, i.e. many false positives.
     • The shadow honeypot addresses this by handing every suspected request to an instrumented copy of the application for confirmation.

  5. INTRODUCTION TO SHADOW HONEYPOT
     • A novel approach that uses a shadow honeypot to absorb the false positives of an anomaly detector
     • Honeypot:
       Advantage: few false positives
       Disadvantage: detects only scanning/random attacks
     • Anomaly Detection System (ADS):
       Advantage: detects all types of attacks (random + targeted)
       Disadvantage: many false positives

  6. COMPARISON BETWEEN DIFFERENT SYSTEMS
     System            | Random/scanning attacks | All attacks (random + targeted) | False positives
     Honeypot          | yes                     | no                              | low
     ADS               | yes                     | yes                             | high
     Shadow honeypot   | yes                     | yes                             | low

  7. SHADOW HONEYPOT STEPS
     • Incoming packets pass through three stages in order:
     • 1) Filtering: traffic matching previously known signatures is blocked outright, e.g. by a firewall or inline filter.
     • 2) ADS: the anomaly detector classifies each request and routes it either to the original (production) code or to the shadow. TXL, a source-to-source transformation tool, is used to generate the instrumented shadow version from the original source.
     • 3) Shadow honeypot: the suspect request is processed by the instrumented copy, which checks for signs of an attack (e.g. a buffer overflow).
     • Rollback: if the shadow detects an attack, the state changes the process made while handling that request are undone, so the attack has no lasting effect.

  8. SHADOW HONEYPOT ARCHITECTURE (figure)

  9. Rules on ADS
     • If the ADS flags a request as a suspect:
       Send it to the shadow honeypot for attack detection.
       Shadow confirms an attack: block it, and update the filters and the ADS.
       Shadow finds nothing: record a false positive and serve the request normally.
     • If the ADS does not flag the request:
       Handle it normally with the production service.
       A random sample of these requests is nevertheless run through the shadow; an attack found there is recorded as an ADS false negative.

  10. SYSTEM WORKFLOW (flowchart)
     • FILTERS: known malware? yes: block; no: forward to the ADS.
     • ADS: suspect? yes: use the shadow honeypot; no: handle normally, with a random fraction also sent to the shadow.
     • SHADOW HONEYPOT, suspect path: attack? yes: update the ADS and filters; no: indicate a false positive.
     • SHADOW HONEYPOT, random-sample path: attack? yes: indicate a false negative; no: handle normally.
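The pipeline of slides 7, 9 and 10 (filter, ADS, shadow, feedback) as an added, runnable toy model. This is example code written for this page, not the paper's or the presenter's code. Everything concrete in it is an assumption made for the example: a hypothetical service with a 32-byte request buffer, a crude "longest run of NOP bytes" anomaly score standing in for a real detector, a 15-byte request prefix as the learned signature, and a threshold that is loosened on false positives and tightened on false negatives.

```c
/* Toy model of the shadow honeypot pipeline (added example, not the paper's
 * code): signature filter -> anomaly detector -> instrumented shadow, with the
 * shadow's verdict fed back into the filter and the detector. The service,
 * its 32-byte buffer, the NOP-run score and the 15-byte signature are assumed. */
#include <stdio.h>
#include <string.h>

#define MAX_SIGS    8
#define SIG_LEN     15
#define SERVICE_BUF 32     /* request buffer of the hypothetical service */
#define NOP         0x90   /* x86 NOP; long runs of it are what the toy ADS flags */

typedef enum { V_FILTERED = 'F', V_NORMAL = 'N', V_FALSE_POSITIVE = 'P',
               V_ATTACK = 'A', V_FALSE_NEGATIVE = 'G' } verdict_t;

static struct { unsigned char bytes[SIG_LEN]; size_t len; } sigs[MAX_SIGS];
static int nsigs;
static size_t ads_threshold;   /* longest NOP run the ADS tolerates */

static int contains(const unsigned char *hay, size_t hlen,
                    const unsigned char *needle, size_t nlen) {
    for (size_t i = 0; nlen && i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Stage 1: drop anything matching a known signature. */
static int filter_blocks(const unsigned char *req, size_t len) {
    for (int i = 0; i < nsigs; i++)
        if (contains(req, len, sigs[i].bytes, sigs[i].len)) return 1;
    return 0;
}

/* Stage 2: anomaly detector, deliberately crude: flag long NOP runs. */
static int ads_suspects(const unsigned char *req, size_t len) {
    size_t run = 0, longest = 0;
    for (size_t i = 0; i < len; i++) {
        run = (req[i] == NOP) ? run + 1 : 0;
        if (run > longest) longest = run;
    }
    return longest > ads_threshold;
}

/* Stage 3: the shadow. Same copy loop as the hypothetical production handler,
 * but the write that would overflow SERVICE_BUF is reported, not performed. */
static int shadow_detects(const unsigned char *req, size_t len) {
    unsigned char buf[SERVICE_BUF];
    for (size_t i = 0; i < len; i++) {
        if (i >= SERVICE_BUF) return 1;   /* the original code corrupts memory here */
        buf[i] = req[i];
    }
    return 0;
}

/* Feedback: a confirmed attack contributes a signature to the filter. */
static void learn_signature(const unsigned char *req, size_t len) {
    if (nsigs == MAX_SIGS) return;
    size_t n = len < SIG_LEN ? len : SIG_LEN;
    memcpy(sigs[nsigs].bytes, req, n);
    sigs[nsigs].len = n;
    nsigs++;
}

static verdict_t process(const unsigned char *req, size_t len, int sampled) {
    if (filter_blocks(req, len)) return V_FILTERED;
    if (ads_suspects(req, len)) {
        if (shadow_detects(req, len)) { learn_signature(req, len); return V_ATTACK; }
        ads_threshold += 4;               /* false positive: loosen the ADS */
        return V_FALSE_POSITIVE;
    }
    /* Not suspected: served normally; a random sample still visits the shadow. */
    if (sampled && shadow_detects(req, len)) {
        learn_signature(req, len);
        if (ads_threshold > 4) ads_threshold -= 4;   /* false negative: tighten */
        return V_FALSE_NEGATIVE;
    }
    return V_NORMAL;
}

/* Runs a constructed request sequence; returns one verdict letter per request. */
const char *run_scenario(void) {
    static char out[8];
    unsigned char nops20[20], nops40[40], as40[40];
    const unsigned char benign[] = "GET / HTTP/1.0";   /* constructed sample input */
    memset(nops20, NOP, sizeof nops20);
    memset(nops40, NOP, sizeof nops40);
    memset(as40, 'A', sizeof as40);
    nsigs = 0; ads_threshold = 16;
    int i = 0;
    out[i++] = process(benign, sizeof benign - 1, 0); /* N: clean request */
    out[i++] = process(nops20, sizeof nops20, 0);     /* P: flagged, shadow finds nothing */
    out[i++] = process(nops40, sizeof nops40, 0);     /* A: flagged, shadow sees the overflow */
    out[i++] = process(nops40, sizeof nops40, 0);     /* F: same attack now filtered */
    out[i++] = process(as40, sizeof as40, 0);         /* N: overflow without NOPs evades the ADS */
    out[i++] = process(as40, sizeof as40, 1);         /* G: caught only because it was sampled */
    out[i++] = process(as40, sizeof as40, 0);         /* F: and is filtered from now on */
    out[i] = '\0';
    return out;
}

int main(void) { printf("%s\n", run_scenario()); return 0; }
```

The scenario walks through every branch of the flowchart: a false positive relaxes the ADS threshold from 16 to 20 without touching users, a confirmed attack pushes a signature into the filter so the replay is blocked before the ADS sees it, and the sampled path shows why random sampling matters: an overflow with no NOP sled passes the ADS unnoticed until a sample lands in the shadow.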

  11. TYPES OF ADS USED
     • Payload sifting:
       Derives worm fingerprints by detecting common, popular substrings in network traffic.
       It has detected many worms, but it can only detect a worm that is already spreading, i.e. after some systems have been compromised.
     • Buffer overflow detection via abstract payload execution:
       Searches request payloads for long sequences of valid instructions.
       Used together with the shadow honeypot to reduce its false positives.

  12. TYPES OF COUPLING
     • Tight coupling:
       The shadow is an instrumented code path derived from the original source, running in the same address space and sharing the same state and process as the production code.
       Advantage: an exploit behaves exactly as it would against the original, because the shadow sees identical state.
     • Loose coupling:
       The shadow runs in a separate address space and does not share state or a process with the production service.
       Advantage: the shadows can be managed by a third party.

  13. SHADOW HONEYPOT IMPLEMENTATION (figure; only the label "sensors" survives in the transcript)

  14. Pmalloc() for creating Shadows
     • Each shadow buffer is allocated dynamically with pmalloc()
     • pmalloc() brackets the buffer with two write-protected (read-only) guard pages, so the first write past the end of the buffer faults instead of silently corrupting memory
     • A global flag (pointer), set by the ADS, selects per request whether allocation goes through pmalloc() (shadow path) or the regular allocator

  15. Pmalloc() for creating Shadows (pseudocode from the slide)
       if (shadow_enabled) {
           buf = pmalloc(size);    /* shadow path: guarded buffer, overflows hit a guard page */
       } else {
           buf = static_buffer;    /* normal path: static allocation */
       }
       /* ... process the request ... */
       if (shadow_enabled) {
           pfree(buf);             /* release the guarded buffer */
       }

  16. Transaction()
     • A signal handler runs when a write hits a guard page, i.e. when a buffer overflow occurs.
     • The handler does nothing but notify the operating system that all state changes made by the process while handling this request must be aborted (rolled back).
     • transaction() is called in two places:
       inside the main request loop, to mark the successful completion of a request (commit);
       from the signal handler, to report that an attack has been detected (abort).
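Slides 14 to 16 describe pmalloc() and the transaction mechanism without showing code. The following is an added example, written for this page, of how a guarded allocator and a request-level rollback can be built from mmap/mprotect and sigsetjmp/siglongjmp; it is not the paper's pmalloc() or transaction() implementation. Assumed for the example: Linux/POSIX, a 64-byte request buffer (REQ_BUF), a hypothetical handler whose only work is a strcpy() of the request, and constructed request strings. The paper's transaction() talks to an operating-system rollback facility; here "rollback" means the request is abandoned at a checkpoint and its buffer unmapped.

```c
/* Added example (not the paper's code): a pmalloc()-style allocator that
 * right-aligns each buffer against a write-protected guard page, plus a
 * transaction-style rollback via sigsetjmp/siglongjmp when a write hits the
 * guard. Linux/POSIX only. REQ_BUF, the handler and the request strings are
 * assumptions made for the example. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define REQ_BUF 64

static sigjmp_buf tx_env;                 /* checkpoint taken at transaction start */
static volatile sig_atomic_t tx_active;   /* nonzero while a request is in flight */

/* pmalloc: [guard][data pages][guard]; the buffer ends exactly where the trailing guard begins. */
static void *pmalloc(size_t size, size_t *mapped) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t data_pages = (size + page - 1) / page;
    size_t total = (data_pages + 2) * page;
    unsigned char *base = mmap(NULL, total, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    /* Guards stay readable but not writable, like the paper's write-protected pages. */
    if (mprotect(base, page, PROT_READ) != 0 ||
        mprotect(base + (data_pages + 1) * page, page, PROT_READ) != 0) {
        munmap(base, total); return NULL;
    }
    *mapped = total;
    return base + (data_pages + 1) * page - size;
}

static void pfree(void *p, size_t size, size_t mapped) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t data_pages = (size + page - 1) / page;
    munmap((unsigned char *)p + size - (data_pages + 1) * page, mapped);
}

/* A write into a guard page lands here. Inside a transaction we jump back to
 * the checkpoint; outside one there is nothing to roll back to, so exit. */
static void guard_fault(int sig) {
    (void)sig;
    if (tx_active) siglongjmp(tx_env, 1);
    _exit(1);
}

void install_guard_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = guard_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);
}

/* Shadow version of a request handler. The strcpy is the original bug, kept
 * on purpose; only the allocation and the transaction wrapper are new.
 * Returns 0 when the request completed, 1 when an overflow was caught. */
int handle_request_shadow(const char *req) {
    size_t mapped;
    char *buf = pmalloc(REQ_BUF, &mapped);
    volatile int attacked = 0;
    if (!buf) return -1;
    if (sigsetjmp(tx_env, 1) == 0) {
        tx_active = 1;
        strcpy(buf, req);            /* overlong request: first byte past buf faults */
    } else {
        attacked = 1;                /* siglongjmp from guard_fault: request aborted */
    }
    tx_active = 0;
    pfree(buf, REQ_BUF, mapped);
    return attacked;
}

/* Drives the shadow with a constructed benign request and a constructed overlong one. */
int shadow_demo(void) {
    char big[REQ_BUF * 3];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    install_guard_handler();
    int benign = handle_request_shadow("GET /index.html HTTP/1.0");
    int overflow = handle_request_shadow(big);
    return benign == 0 && overflow == 1;
}

int main(void) {
    printf("shadow demo %s\n", shadow_demo() ? "ok" : "failed");
    return 0;
}
```

Two points the slides leave implicit are visible here. First, right-aligning the buffer against the guard page is what makes detection immediate: with the buffer at the start of its page, an overflow could corrupt the remainder of the page before reaching the guard. Second, the signal handler must never return into the faulting instruction; it either jumps back to the checkpoint (the request is inside a transaction) or terminates, which is exactly why slide 18 warns that a misplaced transaction() leaves a hole.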

  17. ADVANTAGES
     • Anomaly detectors can be tuned toward low false negatives (i.e. aggressively), because the extra false positives are absorbed by the shadow honeypot rather than inflicted on users.
     • The architecture applies to both server-side and client-side applications.

  18. WEAKNESSES IN THIS PAPER
     • Misplacing the transaction() calls, so that some state changes fall outside the region that is rolled back, leaves a hole that an attack can exploit.
     • The paper does not explore in depth how feedback from the shadow honeypot could be used to tune the anomaly detection components.

  19. THANK YOU
