DETECTING TARGETED ATTACKS USING SHADOW HONEYPOTS
AUTHORS: K. G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, A. D. Keromytis
PUBLICATION: USENIX Security Symposium, 2007.
PRESENTATION BY: Bharat Soundararajan
OUTLINE
• SHADOW HONEYPOT
• SHADOW HONEYPOT ARCHITECTURE
• SHADOW HONEYPOT IMPLEMENTATION
• ADVANTAGES
• WEAKNESSES
HONEYPOTS
• A decoy system (for example, a VMware virtual machine) set up to deceive attackers, who interact with it believing it is the real system.
• Most effective only against scanning/random attacks; it has high accuracy.
• Because of that high accuracy, it produces few false positives.
ANOMALY DETECTION SYSTEMS
• Detects malware based on deviations from a profile of common (normal) activity, not on signatures.
• Offers the possibility of detecting previously unknown attacks.
• Effective against all attacks, but has low accuracy.
• Produces many false positives. The paper addresses this by passing all suspected false positives to the shadow honeypot for processing.
INTRODUCTION TO SHADOW HONEYPOT
• A novel approach that uses a shadow honeypot to process the false positives of an anomaly detector.
• Honeypot:
  • Advantage: few false positives
  • Disadvantage: detects only scanning/random attacks
• Anomaly Detection Systems (ADS):
  • Advantage: detects all types of attacks (random + directed)
  • Disadvantage: many false positives
COMPARISON BETWEEN DIFFERENT SYSTEMS
[comparison table; column headings: Random/scanning attacks | All attacks (Random + targeted)]
SHADOW HONEYPOT STEPS
• Incoming packets pass through three stages of the security process:
• 1) Filtering: blocks traffic that matches previously known signatures; a firewall performs this filtering.
• 2) ADS: decides whether a packet is suspected of carrying malware and sends it to either the shadow or the original system. TXL is used to convert the original code into its shadow version.
• 3) SHADOW HONEYPOT: a suspect flagged by the ADS is sent to the shadow, where it is checked for malware infection.
• Rollback: used to restore the process state after a malware infection has been detected.
Rules on ADS
• If there is a suspect:
  • Use the shadow honeypot to detect malware infection.
  • Indicate a false positive (if no malware is found) and update the filters.
• No suspect:
  • If malware is found through random use of the shadow honeypot, indicate a false negative.
  • Otherwise handle the request normally, using the normal service.
SYSTEM WORKFLOW
FILTERS → ADS
ADS: suspect attack?
  Yes → use shadow → SHADOW HONEYPOT: malware?
    Yes → block; update ADS and FILTERS
    No → indicate false positive; forward
  No → random use of shadow?
    Yes → use shadow → SHADOW HONEYPOT: attack?
      Yes → indicate false negative
      No → handle normally
    No → handle normally
TYPES OF ADS USED
• Payload Sifting:
  • Derives worm fingerprints by detecting common, frequently repeated substrings in network traffic.
  • This ADS has detected many worms, but it is unlikely to do so before some system has been compromised.
• Buffer Overflow Detection via Abstract Payload Execution:
  • Searches the payload for long sequences of valid instructions.
  • Used together with the shadow honeypot to reduce false positives.
TYPES OF COUPLING
• Tight Coupling:
  • The shadow is extracted from the original code and runs in the same address space, sharing the same state and processes as the original code.
  • Advantage: an attacker's exploit behaves no differently, because the shadow and the original share the same address space.
• Loose Coupling:
  • The shadow version runs in a different address space and does not share state or processes with the original.
  • Advantage: the shadows can be managed by a third entity.
SHADOW HONEYPOT IMPLEMENTATION
[architecture figure; label: sensors]
Pmalloc() for creating Shadows
• Dynamically allocates a buffer for each shadow.
• Assigns two read-only guard pages to that dynamic buffer.
• A pointer is used for reallocation of buffers and is controlled by the Anomaly Detection Systems.
Pmalloc() for creating Shadows (pseudocode)
    if (shadow is enabled) {
        use pmalloc() for dynamic allocation and test for buffer overflows
    } else {
        static allocation
    }
    ...
    if (shadow is enabled) {
        free the allocated memory
    }
Transaction()
• A signal handler reports when a buffer overflow occurs.
• The signal handler simply notifies the operating system to abort all state changes made by the process while processing this request.
• transaction() is used:
  • to notify successful completion of the transaction, from inside the main loop;
  • to notify the operating system that an attack has been detected, from inside the signal handler.
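The pmalloc()/transaction() mechanism of the two preceding slides, as an added example that is not the paper's code: a buffer placed so it abuts a read-only guard page, a SIGSEGV handler that marks the request as an attack, and sigsetjmp/siglongjmp standing in for the operating-system rollback. The names pmalloc, pfree and shadow_handle, the 64-byte buffer and the 200-byte oversized request are assumptions constructed for this example.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf tx_env;                 /* rollback point for the request */
static volatile sig_atomic_t tx_attack;   /* set by the fault handler */

/* pmalloc (assumed name): place the buffer so it ends exactly at a PROT_NONE
 * guard page; a write one byte past the end faults instead of corrupting memory. */
static void *pmalloc(size_t size) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    size_t data = ((size + pg - 1) / pg) * pg;   /* data pages, rounded up */
    char *base = mmap(NULL, data + 2 * pg, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    mprotect(base, pg, PROT_NONE);               /* lower guard page */
    mprotect(base + pg + data, pg, PROT_NONE);   /* upper guard page */
    return base + pg + data - size;
}
static void pfree(void *p, size_t size) {        /* unmap buffer and guards */
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    size_t data = ((size + pg - 1) / pg) * pg;
    munmap((char *)p + size - data - pg, data + 2 * pg);
}

/* Fault handler: a guard page was hit, so abort the transaction. */
static void on_fault(int sig) {
    (void)sig; tx_attack = 1;
    siglongjmp(tx_env, 1);
}

/* Serve one request inside the shadow. Returns 1 if an overflow was caught
 * (the request's state is discarded), 0 if the transaction completed normally. */
int shadow_handle(const char *req, size_t len) {
    enum { BUFSZ = 64 };
    struct sigaction sa; memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault; sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, NULL);
    char *volatile buf = pmalloc(BUFSZ);
    tx_attack = 0;
    if (sigsetjmp(tx_env, 1) == 0)          /* transaction start */
        for (size_t i = 0; i < len; i++)    /* unchecked copy: the service bug */
            buf[i] = req[i];
    pfree(buf, BUFSZ);                       /* abort or commit: drop request state */
    return tx_attack;
}
static const char oversized_req[200] = { 'A' };  /* constructed 200-byte request */
```

A request that fits the buffer completes the transaction; one that runs past it touches the guard page, the handler fires, and the request's state is rolled back before the caller is told an attack was detected.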
ADVANTAGES
• It allows anomaly detectors to be tuned towards low false negatives, because the resulting false positives are handled by the shadow honeypots.
• It has both a server-side and a client-side architecture.
WEAKNESSES IN THIS PAPER
• Improper placement of transaction() calls leads to vulnerability.
• The authors have not explored in depth the use of feedback from the shadow honeypot to tune the anomaly detection components.