Detecting Targeted Attacks Using Shadow Honeypots

K. G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, A. D. Keromytis

CIS Department, Univ. of Pennsylvania
[email protected]

Institute of Computer Science - FORTH
{akritid,xinidis,markatos}@ics.forth.gr

Department of Computer Science, Columbia University
{stelios,angelos}@cs.columbia.edu

Abstract

We present Shadow Honeypots, a novel hybrid architecture that combines the best features of honeypots and anomaly detection. At a high level, we use a variety of anomaly detectors to monitor all traffic to a protected network/service. Traffic that is considered anomalous is processed by a "shadow honeypot" to determine the accuracy of the anomaly prediction. The shadow is an instance of the protected software that shares all internal state with a regular ("production") instance of the application, and is instrumented to detect potential attacks. Attacks against the shadow are caught, and any incurred state changes are discarded. Legitimate traffic that was misclassified will be validated by the shadow and will be handled correctly by the system transparently to the end user. The outcome of processing a request by the shadow is used to filter future attack instances and could be used to update the anomaly detector.

Our architecture allows system designers to fine-tune systems for performance, since false positives will be filtered by the shadow. Contrary to regular honeypots, our architecture can be used both for server and client applications. We demonstrate the feasibility of our approach in a proof-of-concept implementation of the Shadow Honeypot architecture for the Apache web server and the Mozilla Firefox browser. We show that despite a considerable overhead in the instrumentation of the shadow honeypot (up to 20% for Apache), the overall impact on the system is diminished by the ability to minimize the rate of false-positives.
1 Introduction

Due to the increasing level of malicious activity seen on today's Internet, organizations are beginning to deploy mechanisms for detecting and responding to new attacks or suspicious activity, called Intrusion Prevention Systems (IPS). Since current IPS's use rule-based intrusion detection systems (IDS) such as Snort [32] to detect attacks, they are limited to protecting, for the most part, against already known attacks. As a result, new detection mechanisms are being developed for use in more powerful reactive-defense systems. The two primary such mechanisms are honeypots [28, 13, 58, 40, 20, 9] and anomaly detection systems (ADS) [49, 53, 48, 10, 19]. In contrast with IDS's, honeypots and ADS's offer the possibility of detecting (and thus responding to) previously unknown attacks, also referred to as zero-day attacks.
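The request path the abstract describes (anomaly detector in front, anomalous requests diverted to an instrumented shadow, state discarded on a caught attack, misclassified benign requests committed transparently, and shadow verdicts feeding a filter for future instances) as an added simulation; this is not the paper's Apache or Firefox code. The toy SET/GET application, the length-based anomaly detector, the field-length check standing in for the shadow's instrumentation, and the sample traffic (benign, anomalous-but-benign, and a repeated attack) are all constructed for this example.

```python
import copy
import hashlib

class AttackDetected(Exception): pass  # raised only by the shadow's instrumentation, never by production

class ShadowHoneypot:
    def __init__(self):
        self.state = {}       # application state shared by production and shadow
        self.blocked = set()  # filter populated from shadow verdicts

    @staticmethod
    def anomalous(req):
        # Stand-in anomaly detector, deliberately aggressive: its false positives are cheap because the shadow absorbs them.
        return len(req) > 40 or not req.isascii()

    @staticmethod
    def handle(req, state, instrumented):
        # Toy application ('SET key value' / 'GET key'); the field-length check
        # stands in for the shadow's memory-safety instrumentation.
        verb, _, rest = req.partition(" ")
        if instrumented and len(rest) > 64:
            raise AttackDetected(req)
        if verb == "SET":
            key, _, value = rest.partition(" ")
            state[key] = value
            return "OK"
        return state.get(rest, "")

    def process(self, req):
        sig = hashlib.sha256(req.encode()).hexdigest()[:16]
        if sig in self.blocked:                 # known attack instance
            return "filtered", "DROP"
        if not self.anomalous(req):             # fast path, uninstrumented
            return "production", self.handle(req, self.state, instrumented=False)
        # Shadow path. The paper's shadow shares state and rolls back on attack;
        # this simulation approximates that with a copy committed only on success.
        shadow_state = copy.deepcopy(self.state)
        try:
            result = self.handle(req, shadow_state, instrumented=True)
        except AttackDetected:
            self.blocked.add(sig)               # filter future instances
            return "attack", "DROP"
        self.state = shadow_state               # misclassified benign request
        return "validated", result

def demo():
    # Constructed traffic: two benign requests, one anomalous-but-benign, the same attack twice.
    hp = ShadowHoneypot()
    reqs = ["SET greeting hello", "GET greeting", "SET note " + "a" * 40,
            "GET note", "SET note " + "A" * 80, "SET note " + "A" * 80]
    return [hp.process(r) for r in reqs]
```

Running `demo()` shows the false positive (the 49-byte SET) being validated by the shadow and its state kept, the attack being caught with no state change, and the second copy of the attack dropped by the filter without ever reaching the shadow.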