Detecting Targeted Attacks Using Shadow Honeypots
Lead Inventors: Angelos Keromytis, Ph.D.; Stylianos Sidiroglou; Kostas G. Anagnostakis

Problem or Unmet Need:

Intrusion Prevention Systems (IPSs) are used to detect and respond to attacks on, or suspicious activity targeting, IT resources. Since most IPSs are rule-based, they are limited to protecting against known attacks. There is a need for intrusion detection mechanisms capable of detecting previously unknown types of attacks to counter the increasingly frequent occurrence of zero-day attacks. Two such approaches are honeypots and anomaly detection systems (ADSs). While honeypots can detect automated attackers such as scanning worms, they can fail to detect manual intrusions or topological and hit-list worms. Although ADSs can in principle detect both kinds of attacks, they are often less accurate than other detection methods.

This technology is a novel hybrid architecture that combines the best features of honeypots and ADSs. Anomaly detectors are used to monitor traffic to a protected network; suspicious traffic is directed to a shadow honeypot that contains an instance of a protected resource instrumented to detect potential attacks. Traffic deemed legitimate by the shadow honeypot is validated and transparently passed on to the protected resource, while attacks are caught by the honeypot and discarded. This technology can be fine-tuned to balance the trade-off between performance and risk.
-- Despite the overhead imposed by shadow honeypot processing, the overall impact on the protected system's performance is actually diminished by the ability to minimize the occurrence of false-positive attack detections.
-- The technology can be used to protect a variety of server and client applications such as the Apache web server and the Mozilla web browser.
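The dispatch flow described above, as an added simulation (not the inventors' code): a toy anomaly scorer with a tunable threshold decides which requests go through the instrumented shadow instance, the shadow catches a field that would overrun the production copy's buffer, and shadow-validated traffic (ADS false positives) is passed on transparently. The scorer, FIELD_LIMIT and both handlers are assumptions chosen for illustration.

```python
"""Shadow honeypot dispatch flow, simulated (added example; constructed handlers)."""
from dataclasses import dataclass

FIELD_LIMIT = 64  # hypothetical fixed-size field in the protected service


@dataclass
class Stats:
    served: int = 0     # requests that reached the production instance
    shadowed: int = 0   # requests routed through the instrumented shadow
    attacks: int = 0    # requests the shadow caught and discarded


def anomaly_score(payload: bytes) -> float:
    """Stand-in ADS: fraction of non-printable bytes plus a length term, in [0, 1].
    A real deployment would use a payload-sighting or statistical model."""
    nonprint = sum(b < 0x20 or b > 0x7E for b in payload) / max(len(payload), 1)
    return min(1.0, nonprint + len(payload) / 1024)


def protected_handler(payload: bytes) -> str:
    """Production instance: fast path, no instrumentation."""
    return f"served {len(payload)} bytes"


def shadow_handler(payload: bytes) -> bool:
    """Instrumented copy of the same service. The field ends at the first NUL
    (as a C string would); exceeding FIELD_LIMIT is what would overrun the
    production buffer, so the shadow flags it instead. Returns True on attack."""
    field_value = payload.split(b"\0", 1)[0]
    return len(field_value) > FIELD_LIMIT


def dispatch(payload: bytes, threshold: float, stats: Stats) -> str:
    """Route one request. Lower threshold = more traffic shadowed (less risk,
    more overhead); higher threshold = less overhead but more attacks slip by."""
    if anomaly_score(payload) >= threshold:
        stats.shadowed += 1
        if shadow_handler(payload):
            stats.attacks += 1
            return "discarded"  # caught by the shadow, never reaches production
        # ADS false positive: validated by the shadow, passed on transparently
    stats.served += 1
    return protected_handler(payload)
```

Running the same overlong request at thresholds 0.1 and 0.5 shows the trade-off directly: at 0.1 it is shadowed and discarded, at 0.5 it reaches the production handler unchecked.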
United States
