Detecting Targeted Attacks Using Shadow Honeypots
- Summary
- Lead Inventors: Angelos Keromytis, Ph.D.; Stylianos Sidiroglou; Kostas G. Anagnostakis
- Problem or Unmet Need: Intrusion Prevention Systems (IPSs) are used to detect and respond to attacks on, or suspicious activity targeting, IT resources. Because most IPSs are rule-based, they are limited to protecting against known attacks. Intrusion detection mechanisms capable of detecting previously unknown types of attack are needed to counter the increasingly frequent zero-day attack. Two such approaches are honeypots and anomaly detection systems (ADSs). Honeypots can detect automated attackers such as scanning worms, but they can fail to detect manual intrusions or topological and hit-list worms, which never probe the honeypot's addresses. ADSs can in principle detect both kinds of attack, but they are often less accurate than other detection methods, so their alerts cannot simply be acted on by dropping traffic.
- Technology: This technology is a hybrid architecture that combines the best features of honeypots and ADSs. Anomaly detectors monitor traffic to a protected network; traffic they flag as suspicious is directed to a shadow honeypot, an instance of the protected resource instrumented to detect attacks that the production instance would not notice. Traffic the shadow honeypot validates as legitimate is transparently passed on to the protected resource, so an ADS false positive costs only processing time rather than a dropped request, while actual attacks are caught by the shadow honeypot and discarded. The sensitivity of the anomaly detector can be tuned to balance the trade-off between performance (how much traffic is processed through the slower instrumented shadow) and risk (how much traffic is handled without instrumentation).
- Technology Advantages
- -- Although shadow honeypot processing adds overhead to every request the anomaly detector flags, the overall impact on the protected system is reduced because the shadow honeypot absorbs the cost of false positive detections: suspicious but legitimate traffic is still served rather than blocked, so the anomaly detector can be tuned for sensitivity without penalising users.
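- -- The routing described in the Summary and the performance/false-positive trade-off above, as an added Python simulation that is not part of this listing or of the inventors' prototype. It assumes a hypothetical `Service` whose only weakness is a fixed-size buffer (`BUFFER_LIMIT`), a toy payload-based anomaly score (share of non-printable bytes), and a `ShadowHoneypotGateway` that copies the service, runs suspicious requests through the instrumented copy, and either discards the request or commits the copy's state back; the buffer-bounds check stands in for real memory-safety instrumentation, and the sample traffic is constructed for the example, not captured.

```python
import copy
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical fixed-size buffer in the protected service: a request body longer
# than this models a buffer overflow that only the instrumented shadow instance
# detects. This is a stand-in for real memory-safety instrumentation (assumption).
BUFFER_LIMIT = 64


@dataclass
class Request:
    path: str
    body: bytes


class OverflowDetected(Exception):
    """Raised by the instrumented shadow when its memory-safety check fires."""


@dataclass
class Service:
    """Minimal stand-in for the protected application; state is a few counters."""
    state: dict = field(default_factory=lambda: {"handled": 0, "corrupted": False})

    def handle(self, req: Request, instrumented: bool) -> str:
        if len(req.body) > BUFFER_LIMIT:
            if instrumented:
                raise OverflowDetected(req.path)
            # Un-instrumented production path: the overflow goes unnoticed and
            # silently corrupts state (models a successful exploit).
            self.state["corrupted"] = True
        self.state["handled"] += 1
        return f"200 {req.path}"


def anomaly_score(req: Request) -> float:
    """Toy payload ADS: fraction of non-printable bytes in the body (0.0 .. 1.0)."""
    if not req.body:
        return 0.0
    nonprintable = sum(1 for b in req.body if b < 0x20 or b > 0x7E)
    return nonprintable / len(req.body)


@dataclass
class ShadowHoneypotGateway:
    """Routes each request either directly to production or through the shadow."""
    production: Service
    threshold: float  # lower = more traffic shadowed = more overhead, less risk
    stats: dict = field(default_factory=lambda: {"direct": 0, "shadowed": 0, "caught": 0})

    def process(self, req: Request) -> Optional[str]:
        if anomaly_score(req) < self.threshold:
            # Deemed normal: fast path, no instrumentation overhead.
            self.stats["direct"] += 1
            return self.production.handle(req, instrumented=False)

        # Suspicious: execute in the shadow, an instrumented copy of the service.
        self.stats["shadowed"] += 1
        shadow = copy.deepcopy(self.production)
        try:
            reply = shadow.handle(req, instrumented=True)
        except OverflowDetected:
            # Attack caught: discard the request along with the shadow's state.
            self.stats["caught"] += 1
            return None
        # Validated as legitimate: adopt the shadow's state so the request has the
        # same effect as if it had been served directly (transparent to the client).
        self.production.state = shadow.state
        return reply


# Constructed sample traffic (not captured data): three benign requests, one
# shellcode-like overflow the ADS flags, and one ASCII-only overflow it does not.
SAMPLE_TRAFFIC = [
    Request("/index.html", b"GET /index.html"),
    Request("/search", b"q=shadow+honeypot"),
    Request("/upload", b"\x89PNG\r\n\x1a\n" + b"\x00" * 20),   # binary but harmless
    Request("/cgi-bin/x", b"\x90" * 80 + b"\xcc\xcc"),          # NOP sled, > BUFFER_LIMIT
    Request("/cgi-bin/y", b"A" * 100),                          # printable, > BUFFER_LIMIT
]


def run_scenario(threshold: float) -> dict:
    """Replay the sample traffic at a given ADS threshold and report the outcome."""
    gateway = ShadowHoneypotGateway(Service(), threshold)
    for req in SAMPLE_TRAFFIC:
        gateway.process(req)
    return {**gateway.stats, **gateway.production.state}


if __name__ == "__main__":
    for t in (0.0, 0.3, 1.1):
        print(f"threshold={t}: {run_scenario(t)}")
```

Running the three thresholds shows the trade-off the listing describes: at 0.0 every request is shadowed, both overflows are caught and nothing is corrupted, at the cost of instrumented execution for all five requests; at 0.3 the benign binary upload is shadowed and still served (a false positive that costs only time), the NOP-sled overflow is caught, but the ASCII-only overflow is never forwarded to the shadow and corrupts production; at 1.1 the shadow is effectively disabled. The shadow honeypot can only protect traffic the anomaly detector sends to it, so the detector's miss rate, not the shadow's accuracy, bounds the residual risk.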
- Technology Applications
- -- The technology can be used to protect a variety of server and client applications such as the Apache web server and the Mozilla web browser.
- *Inquiry
- Calvin Chu Columbia Technology Ventures Tel: (212) 854-8444 Email: TechTransfer@columbia.edu
- *IR
- M05-069
- *Publications
- Detecting targeted attacks using shadow honeypots, Proc. of 14th USENIX Security Symposium, 2005.
- *Web Links
- Patent pending: 11/870,043
- Country/Region
- United States
