DETECTING TARGETED ATTACKS USING SHADOW HONEYPOTS
AUTHORS: K. G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, A. D. Keromytis
PUBLICATION: USENIX Security Symposium, 2007.
PRESENTATION BY: Bharat Soundararajan
OUTLINE
SHADOW HONEYPOT
SHADOW HONEYPOT ARCHITECTURE
SHADOW HONEYPOT IMPLEMENTATION
ADVANTAGES
WEAKNESSES
HONEYPOTS
A fake system, installed using VMware, that fools attackers: everything the attacker does happens inside the fake system, which they assume is the real one.
It is most effective only against scanning/random attacks. It has high accuracy,
and therefore low false positives.
ANOMALY DETECTION SYSTEMS
Detects malware based on deviations from common activity rather than on signatures, which offers the possibility of detecting previously unknown attacks.
Effective against all kinds of attacks, but with low accuracy.
It has high false positives. This problem is solved by handing every suspected attack (including the false positives) to the shadow honeypot for processing.
INTRODUCTION TO SHADOW HONEYPOT
A novel approach that uses a shadow honeypot to process the ADS's false positives.
Honeypot:
Advantages: few false positives. Disadvantages: it can detect only scan/random attacks.
Anomaly Detection Systems (ADS):
Advantages: it can detect all types of attacks (random + directed). Disadvantages: many false positives.
SHADOW HONEYPOT STEPS
Incoming packets pass through three stages of the security process:
1) Filtering: blocks traffic matching previously known signatures. A firewall performs this filtering.
2) ADS: checks whether the traffic looks like an attack and sends the packet to either the shadow or the original system. TXL is used to transform the original code into the shadow.
3) SHADOW HONEYPOT: the traffic flagged by the ADS is processed by the shadow to check whether it is a real attack.
Rollback: used to restore the process state after an attack is detected.
Rules on the ADS
If there is a suspect:
Use the shadow honeypot to check for an attack.
Indicate it as a false positive (if no attack is found) and update the filters.
No suspect:
If an attack is found on a request randomly sent to the shadow honeypot, indicate a false negative.
Otherwise handle the request normally, using the normal service.
SYSTEM WORKFLOW
[Diagram: FILTERS -> ADS -> SHADOW HONEYPOT. Filters: malware -> block, otherwise forward. ADS: suspect? yes -> use shadow; no -> random use of shadow, otherwise handle normally. Shadow: attack? yes -> update ADS and filters; no -> indicate false positive, update ADS and filters. Random use: attack? yes -> indicate false negative.]
TYPES OF ADS USED
Payload Sifting:
Derives worm fingerprints by detecting common, frequently repeated substrings in the network traffic.
This ADS has detected many worms, but not before it is likely that some system has already been compromised.
Buffer Overflow Detection via Abstract Payload
Searches the payload for long sequences of valid instructions.
Used together with the shadow honeypot to reduce false positives.
TYPES OF COUPLING
Tight Coupling:
The shadow is derived from the application code and runs in the same address space, sharing state and processes with the original code.
Advantages: the attacker's exploit behaves no differently, because the shadow and the original share the same address space.
Loose Coupling:
The shadow version runs in a different address space and does not share state or processes with the original.
Advantages: management of the shadows can be handled by a third entity.
pmalloc() for creating Shadows
Dynamically allocates a buffer for each shadow.
It places two read-only guard pages around that dynamic buffer.
A pointer is used for the reallocation of buffers and is controlled by the Anomaly Detection System.
If (shadow is enabled) {
    use pmalloc() for dynamic allocation and test for buffer overflows
} Else {
    static allocation
}
If (shadow is enabled) {
    free the allocated memory
}
transaction()
A signal handler reports when a buffer overflow occurs.
The signal handler simply notifies the operating system to abort all state changes made by the process while processing this request.
transaction() is used:
to notify successful completion of the transaction from inside the main loop;
to notify the operating system, from inside the signal handler, that an attack has been detected.
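The pmalloc() guard-page idea and the transaction()/signal-handler abort from the two slides above, worked through as an added example (this is not the paper's or the TXL-generated code; the names pmalloc, pfree, shadow_process and the demo_* inputs are assumptions, and the rollback is reduced to unwinding with siglongjmp instead of the paper's OS-level state rollback):

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical pmalloc-style allocation: the buffer ends exactly at a page
 * boundary and is fenced by two read-only guard pages, so a write past the
 * end (or before the start) faults instead of silently corrupting memory. */
struct shadow_buf { char *base; size_t mapped; char *buf; };

static int pmalloc(struct shadow_buf *sb, size_t len) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    size_t data = (len + pg - 1) / pg * pg;        /* data region, page-rounded */
    sb->mapped = data + 2 * pg;
    sb->base = mmap(NULL, sb->mapped, PROT_READ | PROT_WRITE,
                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (sb->base == MAP_FAILED) return -1;
    mprotect(sb->base, pg, PROT_READ);              /* lower guard page */
    mprotect(sb->base + pg + data, pg, PROT_READ);  /* upper guard page */
    sb->buf = sb->base + pg + data - len;           /* last byte touches the guard */
    return 0;
}
static void pfree(struct shadow_buf *sb) { munmap(sb->base, sb->mapped); }

/* transaction(): the SIGSEGV handler aborts the request by unwinding to the
 * point where the shadow started processing it (the "rollback" here). */
static sigjmp_buf transaction;
static void on_guard_hit(int sig) { (void)sig; siglongjmp(transaction, 1); }

/* Process one request in the shadow. Returns 1 if the unchecked copy hit a
 * guard page (attack detected, request aborted), 0 if it completed normally. */
int shadow_process(const char *req, size_t req_len) {
    enum { BUFSZ = 64 };                            /* fixed-size buffer in the instrumented code */
    struct shadow_buf sb;
    if (pmalloc(&sb, BUFSZ) != 0) return -1;
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_guard_hit;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    volatile int attacked;
    if (sigsetjmp(transaction, 1) == 0) {
        memcpy(sb.buf, req, req_len);               /* unchecked copy: the bug the shadow catches */
        attacked = 0;                               /* main loop: transaction completed, commit */
    } else {
        attacked = 1;                               /* handler fired: abort and report the attack */
    }
    sigaction(SIGSEGV, &old, NULL);
    pfree(&sb);
    return attacked;
}

/* Constructed sample inputs: a short benign request and an oversized one. */
int demo_benign(void) { const char *r = "GET /index.html HTTP/1.0"; return shadow_process(r, strlen(r)); }
int demo_overflow(void) { char r[200]; memset(r, 'A', sizeof r); return shadow_process(r, sizeof r); }
```

With the guard pages in place the 200-byte request faults on its first write past the 64-byte buffer, so the shadow reports the attack without the original process ever having executed the overflow.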
ADVANTAGES
First, it allows the anomaly detectors to be tuned towards low false negatives, because the false positives are handled by the shadow honeypots.
The architecture applies to both the server side and the client side.
WEAKNESSES IN THIS PAPER
Improper placement of the transaction() calls leads to vulnerability.
They have not explored in depth the use of feedback from the shadow honeypot to tune the anomaly detection components.