Summary
We investigate the use of hybrid techniques as a defensive mechanism against targeted attacks and introduce Shadow Honeypots, a novel hybrid architecture that combines the best features of honeypots and anomaly detection. At a high level, we use a variety of anomaly detectors to monitor all traffic to a protected network/service. Traffic that is considered anomalous is processed by a "shadow honeypot" to determine the accuracy of the anomaly prediction. The shadow is an instance of the protected software that shares all internal state with a regular ("production") instance of the application, and is instrumented to detect potential attacks. Attacks against the shadow are caught, and any incurred state changes are discarded. Legitimate traffic that was misclassified will be validated by the shadow and will be handled correctly by the system transparently to the end user. The outcome of processing a request by the shadow is used to filter future attack instances and could be used to update the anomaly detector.
Our architecture allows system designers to fine-tune systems for performance, since false positives will be filtered by the shadow. Contrary to regular honeypots, our architecture can be used both for server and client applications. We also explore the notion of using Shadow Honeypots in Application Communities in order to amortize the cost of instrumentation and detection across a number of autonomous hosts.
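The request flow the summary describes (anomaly detector in front, shadow instance working on the shared state, rollback on a caught attack, commit on a false positive, filter for repeat instances) can be modelled in a few dozen lines. The following is an added example, not code from the chapter or its authors; the key/value service, the length-bound "instrumentation", the byte-distribution anomaly heuristic and the four sample requests are all constructed stand-ins for the real components.

```python
"""Toy model of the Shadow Honeypot request flow sketched in the summary.

Added example, not code from the chapter or its authors. The service, the
anomaly heuristic and the instrumentation check are constructed stand-ins:
  * anomaly detector        -> routes each request to production or the shadow
  * shadow                  -> instrumented copy working on a snapshot of the
                               shared state
  * attack caught           -> snapshot discarded, request fingerprint filtered
  * benign (false positive) -> snapshot committed, client gets the normal answer
"""
import copy
import hashlib
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    payload: bytes


class AttackDetected(Exception):
    """Raised by the instrumented (shadow) code path when a check fires."""


@dataclass
class Service:
    """The protected application: a key/value store with a fixed-size value field."""
    store: dict = field(default_factory=dict)
    requests_served: int = 0
    FIELD_LIMIT = 64  # constructed limit, standing in for a fixed-size buffer

    def handle(self, req: Request, instrumented: bool = False) -> str:
        self.requests_served += 1
        key, _, value = req.payload.partition(b"=")
        name = key.decode(errors="replace")
        if instrumented and len(value) > self.FIELD_LIMIT:
            # A real shadow would rely on memory-safety instrumentation (e.g. a
            # bounds-checked copy); this length bound plays that role here.
            raise AttackDetected(f"{len(value)}-byte value exceeds {self.FIELD_LIMIT}")
        self.store[name] = value[: self.FIELD_LIMIT]
        return f"stored {name}"


def is_anomalous(req: Request) -> bool:
    """Constructed anomaly detector: long payloads or many non-printable bytes."""
    if len(req.payload) > 200:
        return True
    non_printable = sum(1 for b in req.payload if not 0x20 <= b <= 0x7E)
    return non_printable / max(len(req.payload), 1) > 0.3


class ShadowHoneypot:
    def __init__(self, production: Service):
        self.production = production
        self.known_attacks = set()  # fingerprints the shadow confirmed as attacks
        self.stats = {"production": 0, "shadow_benign": 0,
                      "shadow_attack": 0, "filtered": 0}

    @staticmethod
    def fingerprint(req: Request) -> str:
        return hashlib.sha256(req.path.encode() + b"\0" + req.payload).hexdigest()

    def dispatch(self, req: Request):
        fp = self.fingerprint(req)
        if fp in self.known_attacks:
            self.stats["filtered"] += 1      # repeat instance: no shadow time spent
            return None
        if not is_anomalous(req):
            self.stats["production"] += 1    # fast path, uninstrumented
            return self.production.handle(req)
        # Shadow path: operate on a snapshot of the shared state so that any
        # change made while the suspected attack runs can be thrown away.
        shadow = copy.deepcopy(self.production)
        try:
            result = shadow.handle(req, instrumented=True)
        except AttackDetected:
            self.stats["shadow_attack"] += 1
            self.known_attacks.add(fp)       # filter future instances
            return None                      # snapshot dropped, production untouched
        # False positive: commit the shadow's state so the client is served
        # correctly and transparently.
        self.production.__dict__.update(shadow.__dict__)
        self.stats["shadow_benign"] += 1
        return result


def run_demo():
    """Runs four constructed requests through the pipeline; returns (honeypot, service)."""
    svc = Service()
    hp = ShadowHoneypot(svc)
    requests = [
        Request("/set", b"user=alice"),                          # normal -> production
        Request("/set", b"avatar=" + bytes(range(0x80, 0xA0))),  # odd bytes, benign -> shadow commits
        Request("/set", b"name=" + b"\x90" * 300),               # oversize -> shadow catches, filtered
        Request("/set", b"name=" + b"\x90" * 300),               # repeat -> dropped by filter
    ]
    for r in requests:
        hp.dispatch(r)
    return hp, svc


if __name__ == "__main__":
    hp, svc = run_demo()
    print(hp.stats, svc.requests_served, sorted(svc.store))
```

Running `run_demo()` shows the two properties the summary relies on: the misclassified `avatar` request reaches the store even though it went through the shadow, while the oversize `name` request leaves both the store and the request counter unchanged because the snapshot it ran on is discarded, and its second instance never reaches the shadow at all.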
© 2007 Springer Science+Business Media, LLC.
Cite this paper
Sidiroglou, S., Keromytis, A.D. (2007). Composite Hybrid Techniques For Defending Against Targeted Attacks. In: Christodorescu, M., Jha, S., Maughan, D., Song, D., Wang, C. (eds) Malware Detection. Advances in Information Security, vol 27. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-44599-1_10
DOI: https://doi.org/10.1007/978-0-387-44599-1_10
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-32720-4
Online ISBN: 978-0-387-44599-1