BALTIMORE – Decoy servers known as honeypots are used to research new threats and to lure attackers away from "productive" enterprise networks. Now, a new hybrid of the popular devices may enhance the accuracy of anomaly detection.
Researchers at the University of Pennsylvania and Columbia University recently unveiled a new architecture that expands traditional intrusion prevention systems (IPS) and intrusion detection systems (IDS) by validating misclassified traffic with honeypots that "shadow" scans.
"This combines the best features of honeypots and anomaly detection systems," Stelios Sidiroglou, a professor at Columbia University, told an audience last week at the Usenix Security Symposium in Baltimore.
Typically, honeypots are used to flag attacks against known vulnerabilities in server applications, not unknown (zero-day) attacks. Anomaly detection systems (ADS), such as those in popular IPS software and appliances, offer broader scanning capabilities that detect both known and unknown attacks, but that breadth also produces more false readings.
"Shadow honeypots," as the researchers call them, share all the characteristics of the protected applications running on both the server and client side of a network and operate in conjunction with an ADS. When a sensor detects something suspicious, the traffic is sent to the shadow honeypot for further analysis, which immediately cuts the number of false positives the ADS generates. As a backup, a random sample of the traffic the ADS lets through is also run through the shadow honeypot, to catch attacks the sensors missed and keep them out of the network.
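The routing described above, written as an added Python simulation that is not the researchers' code: a cheap ADS heuristic (length and non-printable-byte ratio), an instrumented "shadow" copy of a handler with a hypothetical 64-byte buffer, and random sampling of unflagged traffic. The thresholds, buffer size and sample requests are all constructed for illustration.

```python
import random
from dataclasses import dataclass

BUF_SIZE = 64          # hypothetical fixed-size header buffer in the protected service
ADS_MAX_LEN = 100      # hypothetical ADS thresholds: unusual length or too many
ADS_MAX_BINARY = 0.3   # non-printable bytes marks a request as anomalous

def ads_suspicious(payload: bytes) -> bool:
    """Cheap anomaly detector standing in for the ADS sensor."""
    binary = sum(b < 0x20 or b > 0x7e for b in payload) / max(len(payload), 1)
    return len(payload) > ADS_MAX_LEN or binary > ADS_MAX_BINARY

def shadow_handler(payload: bytes) -> bool:
    """Instrumented copy of the real handler: where the production build would
    overflow its buffer, the shadow reports the bounds violation instead."""
    return len(payload) > BUF_SIZE

@dataclass
class Verdict:
    ads_flagged: bool   # did the ADS consider the request anomalous?
    shadowed: bool      # was it executed in the shadow honeypot?
    attack: bool        # did the shadow observe a memory violation?
    action: str         # "forward" to the real service or "drop"

class ShadowFilter:
    def __init__(self, sample_rate=0.1, draw=random.random):
        self.sample_rate = sample_rate
        self.draw = draw            # returns a float in [0, 1); injectable for tests

    def process(self, payload: bytes) -> Verdict:
        flagged = ads_suspicious(payload)
        # Everything the ADS flags goes to the shadow; a random slice of the
        # rest goes too, as a backstop for attacks the sensor missed.
        shadowed = flagged or self.draw() < self.sample_rate
        attack = shadowed and shadow_handler(payload)
        return Verdict(flagged, shadowed, attack, "drop" if attack else "forward")

# Constructed sample requests (labels are only for reading the output).
SAMPLES = {
    "normal":        b"Mozilla/5.0 (X11; Linux x86_64)",
    "binary-upload": b"\x00\x01\x02\x03" * 10,   # in bounds: an ADS false positive
    "long-ascii":    b"A" * 150,                   # ADS flags it, shadow confirms overflow
    "sneaky":        b"A" * 70,                    # ADS misses it; only sampling can catch it
}

if __name__ == "__main__":
    filt = ShadowFilter(sample_rate=0.5, draw=random.Random(1).random)
    for name, payload in SAMPLES.items():
        print(f"{name:14} {filt.process(payload)}")
```

The "binary-upload" request shows the point of the design: the ADS flags it, but the shadow executes it without a bounds violation, so it is forwarded instead of being counted as an attack.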
The computer scientists at the two universities have tested their technology against memory attacks, such as buffer overflows, using an Apache Web server and the Mozilla Firefox browser (chosen for their popularity and source code availability) and anomaly detection techniques such as Abstract Payload Execution and the Earlybird algorithm. Initial results are promising: the shadow honeypots produced far more accurate detection than an IPS or IDS alone. But such accuracy comes at a steep computing cost. The shadow honeypot monitoring traffic to the Apache server consumed 20% to 50% more processing power, depending on use.
Still, academics consider the concept encouraging for expanding traditional honeypots' uses and for reducing both the false positives that clog network logs and the false negatives that leave systems vulnerable to attack. It also shows promise for better monitoring of threats that target applications on the client side.