DETECTING TARGETED ATTACKS USING SHADOW HONEYPOTS

AUTHORS: K. G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, A. D. Keromytis

PUBLICATION: USENIX Security Symposium, 2007.

PRESENTATION BY: Bharat Soundararajan

OUTLINE

SHADOW HONEYPOT

SHADOW HONEYPOT Architecture

SHADOW HONEYPOT IMPLEMENTATION

ADVANTAGES

WEAKNESSES

HONEYPOTS

A fake system, installed using VMware, for fooling attackers: the attackers do everything in the fake system, assuming it is the original system.

It is most effective only in the case of scanning/random attacks. It has high accuracy.

It has few false positives because of its high accuracy.

ANOMALY DETECTION SYSTEMS

Detects malware based on deviations from common activity rather than on signatures. It offers the possibility of detecting previously unknown attacks.

It is effective against all attacks, but it has low accuracy.

It has many false positives. This problem is solved by handing all suspected false positives to the shadow honeypot for processing.

INTRODUCTION TO SHADOW HONEYPOT

A novel approach that uses a shadow honeypot to process suspected false positives

Honeypot:

Advantages: fewer false positives

Disadvantages: it can detect only scan/random attacks

Anomaly Detection Systems (ADS):

Advantages: it can detect all types of attacks (random + directed)

Disadvantages: many false positives

COMPARISON BETWEEN DIFFERENT SYSTEMS

Honeypot: Random/scanning attacks

ADS: All attacks (Random + targeted)

SHADOW HONEYPOT STEPS

Incoming packets pass through three stages of the security process:

1) Filtering: blocks packets matching previously known signatures. A firewall is used for this filtering.

2) ADS: flags packets suspected of carrying an attack and sends each packet to either the shadow or the original system. TXL is used to transform the original code into the shadow version.

3) SHADOW HONEYPOT: packets the ADS flags as suspect are sent to the shadow, which checks whether they actually carry an attack.

Rollback: used to restore the process state after an attack is detected in the shadow.

SHADOW HONEYPOT ARCHITECTURE

Rules on ADS

If there is a suspect:

Use the shadow honeypot to detect an attack

If no attack is found, indicate a false positive and update the filters

No suspect:

If an attack is found by randomly sending requests to the shadow honeypot, indicate a false negative.

Otherwise handle the request normally, using the normal service.

SYSTEM WORKFLOW

[Flowchart: FILTERS -> ADS -> SHADOW HONEYPOT. Filters: known malware is blocked, everything else is forwarded. ADS: Suspect? Yes -> use shadow -> Attack? yes/no -> indicate false positive, update ADS and FILTERS. Suspect? No -> random use of shadow? yes -> use shadow -> Attack? yes -> indicate false negative; No -> handle normally.]

TYPES OF ADS USED

Payload Sifting:

Derives worm fingerprints by detecting common, frequently repeated substrings in network traffic

This ADS has detected many worms, but not until some systems have already been compromised.

Buffer Overflow Detection via Abstract Payload Execution

Searches the payload for long sequences of valid instructions

Used together with the shadow honeypot to reduce false positives

TYPES OF COUPLING

Tight Coupling:

The shadow is derived from the original code and runs in the same address space, sharing state and processes with the original code.

Advantages: an attacker's exploit behaves no differently, because the shadow and the original share the same address space.

Loose Coupling:

The shadow version runs in a different address space and does not share state or processes with the original.

Advantages: management of the shadows can be done by a third entity.

SHADOW HONEYPOT IMPLEMENTATION

Sensors

pmalloc() for creating shadows

Dynamically allocates a buffer for each shadow

It assigns two read-only guard pages around that dynamic buffer

A pointer is used for the reallocation of buffers and is controlled by the Anomaly Detection System

pmalloc() for creating shadows

    if (shadow is enabled) {
        use pmalloc for dynamic allocation and test for buffer overflows
    } else {
        static allocation
    }
    ...
    if (shadow is enabled) {
        free the allocated memory
    }

transaction()

A signal handler reports when a buffer overflow occurs

The signal handler simply notifies the operating system to abort all state changes made by the process while processing this request.

transaction() uses:

It notifies successful completion of the transaction inside the main loop.

It notifies the operating system that an attack has been detected, from inside the signal handler.
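As an added illustration of the pmalloc() and transaction() slides above (my own model, not the paper's or the presenter's code), the C program below places each shadow buffer between two guard pages and uses a SIGSEGV handler as the abort path of a request transaction. Assumptions: the guard pages are made fully inaccessible (PROT_NONE) rather than read-only, so over-reads fault as well; pfree() takes the buffer size instead of keeping metadata; and overflow_detected(), pg(), body_len() and on_guard_hit() are names I chose.

```c
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static size_t pg(void) { long p = sysconf(_SC_PAGESIZE); return p > 0 ? (size_t)p : 4096; }
static size_t body_len(size_t size) { return (size + pg() - 1) / pg() * pg(); }

/* pmalloc(): buffer between two inaccessible guard pages (PROT_NONE, so over-reads
 * fault too); its last byte is flush against the trailing guard, so a one-byte overflow faults. */
void *pmalloc(size_t size) {
    size_t body = body_len(size), total = body + 2 * pg();
    unsigned char *base = mmap(NULL, total, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    mprotect(base, pg(), PROT_NONE);               /* leading guard page  */
    mprotect(base + pg() + body, pg(), PROT_NONE); /* trailing guard page */
    return base + pg() + (body - size);            /* padding goes in front */
}

void pfree(void *p, size_t size) {
    uintptr_t first = (uintptr_t)p & ~(uintptr_t)(pg() - 1); /* first body page */
    munmap((void *)(first - pg()), body_len(size) + 2 * pg());
}

/* transaction(): checkpoint of the request in progress; the SIGSEGV handler jumps
 * back to it, discarding the state changes made while handling that request. */
static sigjmp_buf transaction;
static void on_guard_hit(int sig) { (void)sig; siglongjmp(transaction, 1); }

/* Handle one request: copy write_len bytes into a buf_size-byte shadow buffer.
 * Returns 1 if an overflow was caught and rolled back, 0 if the request committed. */
int overflow_detected(size_t buf_size, size_t write_len) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_guard_hit;
    sigaction(SIGSEGV, &sa, &old);
    unsigned char *buf = pmalloc(buf_size);
    int caught;
    if (sigsetjmp(transaction, 1) == 0) {
        memset(buf, 'A', write_len); /* constructed request payload */
        caught = 0;                  /* completed: commit */
    } else {
        caught = 1;                  /* aborted from the handler: roll back */
    }
    pfree(buf, buf_size);
    sigaction(SIGSEGV, &old, NULL);
    return caught;
}
```

A write of exactly buf_size bytes commits, while buf_size + 1 bytes touches the trailing guard page and is rolled back, which is the detection the shadow relies on.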

ADVANTAGES

First, it allows anomaly detectors to be tuned towards low false negatives, because the resulting false positives are handled by the shadow honeypot

It applies to both server-side and client-side architectures.

WEAKNESSES IN THIS PAPER

Improper placement of transaction() calls leaves the system vulnerable

They have not explored in depth the use of feedback from the shadow honeypot to tune the anomaly detection components

THANK YOU