replay - Detecting Targeted Attacks Using Shadow Honeypots...


Detecting Targeted Attacks Using Shadow Honeypots

K. G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, A. D. Keromytis

CIS Department, Univ. of Pennsylvania (anagnost@dsl.cis.upenn.edu); Institute of Computer Science - FORTH ({akritid,xinidis,markatos}@ics.forth.gr); Department of Computer Science, Columbia University ({stelios,angelos}@cs.columbia.edu)

Abstract

We present Shadow Honeypots, a novel hybrid architecture that combines the best features of honeypots and anomaly detection. At a high level, we use a variety of anomaly detectors to monitor all traffic to a protected network/service. Traffic that is considered anomalous is processed by a shadow honeypot to determine the accuracy of the anomaly prediction. The shadow is an instance of the protected software that shares all internal state with a regular (production) instance of the application, and is instrumented to detect potential attacks. Attacks against the shadow are caught, and any incurred state changes are discarded. Legitimate traffic that was misclassified will be validated by the shadow and will be handled correctly by the system transparently to the end user. The outcome of processing a request by the shadow is used to filter future attack instances and could be used to update the anomaly detector.

Our architecture allows system designers to fine-tune systems for performance, since false positives will be filtered by the shadow. Contrary to regular honeypots, our architecture can be used both for server and client applications. We demonstrate the feasibility of our approach in a proof-of-concept implementation of the Shadow Honeypot architecture for the Apache web server and the Mozilla Firefox browser. We show that despite a considerable overhead in the instrumentation of the shadow honeypot (up to 20% for Apache), the overall impact on the system is diminished by the ability to minimize the rate of false positives.
1 Introduction

Due to the increasing level of malicious activity seen on today's Internet, organizations are beginning to deploy mechanisms for detecting and responding to new attacks or suspicious activity, called Intrusion Prevention Systems (IPS). Since current IPSs use rule-based intrusion detection systems (IDS) such as Snort [32] to detect attacks, they are limited to protecting, for the most part, against already known attacks. As a result, new detection mechanisms are being developed for use in more powerful reactive-defense systems. The two primary such mechanisms are honeypots [28, 13, 58, 40, 20, 9] and anomaly detection systems (ADS) [49, 53, 48, 10, 19]. In contrast with IDSs, honeypots and ADSs offer the possibility of detecting (and thus responding to) previously unknown attacks, also referred to as zero-day attacks ....
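The request flow described in the abstract, as an added illustration that is not code from the paper or its Apache/Firefox prototype: a detector with a tunable threshold routes suspicious requests to a shadow copy of the service, the shadow runs with an extra check standing in for memory-safety instrumentation, confirmed attacks have their state discarded and are added to a filter, and misclassified legitimate requests are validated and their state committed. The toy service, its fixed-size field, the byte-ratio detector and the state copy/commit scheme are all constructed simplifications.

```python
import copy
from dataclasses import dataclass, field

FIELD_LIMIT = 32  # constructed: the toy service's fixed-size field


@dataclass
class Service:
    """Toy protected application: stores the last 'name' sent per client."""
    state: dict = field(default_factory=dict)

    def handle(self, request: dict, instrumented: bool = False) -> str:
        name = request["name"]
        if instrumented and len(name) > FIELD_LIMIT:
            # Shadow-only check standing in for the paper's instrumentation.
            raise RuntimeError("write past fixed-size field")
        self.state[request["client"]] = name[:FIELD_LIMIT]
        return "ok"


def anomaly_score(request: dict) -> float:
    """Crude detector: fraction of non-printable or non-ASCII characters."""
    name = request["name"]
    if not name:
        return 0.0
    odd = sum(1 for c in name if not 32 <= ord(c) < 127)
    return odd / len(name)


class ShadowHoneypot:
    def __init__(self, threshold: float):
        self.production = Service()
        self.threshold = threshold  # lower = more traffic sent to the shadow
        self.filter = set()         # requests the shadow has confirmed as attacks
        self.log = []               # which path each request took

    def process(self, request: dict) -> str:
        fingerprint = request["name"]
        if fingerprint in self.filter:
            self.log.append("filtered")
            return "dropped"
        if anomaly_score(request) < self.threshold:
            self.log.append("production")
            return self.production.handle(request)
        # Shadow: same code, working on a copy of production state.
        shadow = Service(state=copy.deepcopy(self.production.state))
        try:
            result = shadow.handle(request, instrumented=True)
        except RuntimeError:
            self.filter.add(fingerprint)   # shadow state is simply discarded
            self.log.append("attack")
            return "dropped"
        self.production.state = shadow.state  # validated: commit transparently
        self.log.append("false-positive")
        return result
```

Lowering the threshold sends more requests through the shadow (more overhead, fewer misses); the shadow's verdict, not the detector's, decides what the user sees.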

This note was uploaded on 08/25/2011 for the course CDA 6938 taught by Professor Zou,c during the Fall '08 term at University of Central Florida.

