Composite Hybrid Techniques For Defending Against Targeted Attacks

  • Conference paper
Part of the book series: Advances in Information Security ((ADIS,volume 27))

Summary

We investigate the use of hybrid techniques as a defensive mechanism against targeted attacks and introduce Shadow Honeypots, a novel hybrid architecture that combines the best features of honeypots and anomaly detection. At a high level, we use a variety of anomaly detectors to monitor all traffic to a protected network/service. Traffic that is considered anomalous is processed by a "shadow honeypot" to determine the accuracy of the anomaly prediction. The shadow is an instance of the protected software that shares all internal state with a regular ("production") instance of the application, and is instrumented to detect potential attacks. Attacks against the shadow are caught, and any incurred state changes are discarded. Legitimate traffic that was misclassified will be validated by the shadow and will be handled correctly by the system transparently to the end user. The outcome of processing a request by the shadow is used to filter future attack instances and could be used to update the anomaly detector.

Our architecture allows system designers to fine-tune systems for performance, since false positives will be filtered by the shadow. Contrary to regular honeypots, our architecture can be used both for server and client applications. We also explore the notion of using Shadow Honeypots in Application Communities in order to amortize the cost of instrumentation and detection across a number of autonomous hosts.
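The request pipeline described in the summary, as an added toy model that is not code from the paper: a character-frequency anomaly detector (PAYL-style L1 distance to a training profile) routes anomalous requests to a shadow copy of a small key/value service whose instrumented build catches an oversized field write; the shadow's verdict either drops the request and filters repeats, or commits the validated state to production. The service, BUF_LIMIT, the training traffic and the threshold are all constructed assumptions.

```python
import copy
from collections import Counter

BUF_LIMIT = 16  # hypothetical fixed-size field in the protected service


class AttackCaught(Exception):
    """Raised by the instrumented (shadow) instance when its safety check fires."""


class Service:
    """Protected application: a tiny key=value store with a bounded 'value' field."""
    def __init__(self):
        self.store = {}

    def handle(self, request, instrumented=False):
        key, _, value = request.partition("=")
        if instrumented and len(value) > BUF_LIMIT:   # check only the shadow build has
            raise AttackCaught(f"{len(value)}-byte write into a {BUF_LIMIT}-byte field")
        self.store[key] = value[:BUF_LIMIT]   # production path: no detection, just a write
        return f"stored {key}"


class ByteFreqDetector:
    """Toy anomaly detector: L1 distance to the mean character histogram of training data."""
    def __init__(self, training, threshold):
        self.profile, self.threshold = Counter(), threshold
        for req in training:                  # constructed training traffic
            for ch, n in Counter(req).items():
                self.profile[ch] += n / len(req) / len(training)

    def score(self, request):
        hist = {c: n / len(request) for c, n in Counter(request).items()}
        return sum(abs(hist.get(c, 0.0) - self.profile.get(c, 0.0))
                   for c in set(hist) | set(self.profile))


class ShadowHoneypot:
    """Dispatcher: normal traffic goes to production; anomalous traffic to the shadow first."""
    def __init__(self, production, detector):
        self.prod, self.det = production, detector
        self.filtered = set()       # requests the shadow has already proven to be attacks
        self.log = []               # verdicts; false positives can feed detector tuning

    def process(self, request):
        if request in self.filtered:                        # verdicts filter future instances
            return "filtered"
        if self.det.score(request) <= self.det.threshold:
            return self.prod.handle(request)                # fast path, no instrumentation
        shadow = copy.deepcopy(self.prod)                   # shadow starts from production state
        try:
            result = shadow.handle(request, instrumented=True)
        except AttackCaught as err:
            self.log.append(("attack", request, str(err)))
            self.filtered.add(request)                      # shadow's state is simply dropped
            return "dropped"
        self.prod.store = shadow.store                      # validated: commit shadow's changes
        self.log.append(("false_positive", request))
        return result
```

A false positive costs one extra instrumented run and a state commit; an attack never reaches the production store, and its repeats are blocked without touching the shadow again.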

© 2007 Springer Science+Business Media, LLC.

About this paper

Cite this paper

Sidiroglou, S., Keromytis, A.D. (2007). Composite Hybrid Techniques For Defending Against Targeted Attacks. In: Christodorescu, M., Jha, S., Maughan, D., Song, D., Wang, C. (eds) Malware Detection. Advances in Information Security, vol 27. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-44599-1_10

  • DOI: https://doi.org/10.1007/978-0-387-44599-1_10

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-32720-4

  • Online ISBN: 978-0-387-44599-1

  • eBook Packages: Computer Science (R0)