Hybrid honeypots 'shadow' intrusion prevention systems

By Anne Saita, News Director
10 Aug 2005 | SearchSecurity.com


BALTIMORE – Decoy servers known as honeypots are used to research new threats and to lure attackers away from "productive" enterprise networks. Now, a new hybrid of the popular devices may enhance the accuracy of anomaly detection.

Researchers at the University of Pennsylvania and Columbia University recently unveiled a new architecture that expands traditional intrusion prevention systems (IPS) and intrusion detection systems (IDS) by validating misclassified traffic with honeypots that "shadow" scans.

"This combines the best features of honeypots and anomaly detection systems," Stelios Sidiroglou, a professor at Columbia University, told an audience last week at the Usenix Security Symposium in Baltimore.

Typically, honeypots are used to flag attacks against known vulnerabilities in server applications, not unknown (zero-day) attacks. Anomaly detection systems (ADS), such as those in popular IPS software and appliances, offer broader scanning that can detect both known and unknown attacks, but that breadth also produces more false readings.
"Shadow honeypots," as the researchers call them, share all the characteristics of the protected applications running on both the server and client side of a network and operate in conjunction with an ADS. When sensors detect something suspicious, the traffic is sent to the shadow honeypot for further analysis, which immediately reduces the number of false positives the ADS would otherwise generate. As a backup, traffic the ADS passes through is randomly sampled and checked by the shadow honeypot as well, to increase accuracy and keep actual attacks that the ADS missed from reaching the network.

The computer scientists at the two universities have tested their technology against memory attacks, such as buffer overflows, using an Apache Web server and the Mozilla Firefox browser (chosen for their popularity and source code availability) and anomaly detection techniques such as Abstract Payload Execution and the Earlybird algorithm. Initial results are promising: the shadow honeypots produced far more accurate detection than an IPS or IDS alone. But such accuracy comes at a steep computing cost. The shadow honeypot monitoring traffic to the Apache server consumed 20% to 50% more processing power, depending on use.
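The two paragraphs above describe the pipeline (ADS flags traffic, the shadow honeypot validates it, and a random sample of unflagged traffic is validated too) and the cost it carries (every shadow invocation is extra work). The following toy model, added here as an illustration and not the researchers' code, wires those pieces together so the trade-off can be counted. The anomaly score, the "instrumented" application (a length check standing in for compiler-inserted bounds checks), the buffer limits and the sample requests are all constructed assumptions; the names `anomaly_score`, `shadow_honeypot` and `process_traffic` are hypothetical.

```python
"""Toy model of an ADS fronted by a shadow honeypot.

Everything here is constructed for illustration: the detector is a crude
byte-level heuristic, the 'instrumented application' is a pair of length
checks, and the traffic is a handful of hand-written HTTP-style requests.
"""
import random

# Assumed buffer sizes of the protected application. In a real shadow
# honeypot these limits are enforced by instrumentation compiled into a
# copy of the application; here we check them directly.
MAX_PATH = 256
MAX_HEADER_VALUE = 128

# Constructed sample traffic (not captured data).
SAMPLE_REQUESTS = [
    # two ordinary requests
    b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n",
    b"GET /about.html HTTP/1.0\r\nHost: example.test\r\nUser-Agent: tester\r\n\r\n",
    # a harmless binary upload: a payload-based ADS tends to flag this
    b"POST /upload HTTP/1.0\r\nHost: example.test\r\nContent-Type: image/png\r\n\r\n"
    + bytes(range(256)) * 2,
    # an over-long path made of one repeated byte: easy for the ADS to flag,
    # and it overruns MAX_PATH in the instrumented copy
    b"GET /" + b"A" * 600 + b" HTTP/1.0\r\nHost: example.test\r\n\r\n",
    # an over-long path made of varied printable bytes: still overruns
    # MAX_PATH, but looks ordinary to the byte-level ADS (a false negative
    # that only the random sampling path can catch)
    b"GET /" + bytes(0x41 + i % 26 for i in range(600))
    + b" HTTP/1.0\r\nHost: example.test\r\n\r\n",
]


def anomaly_score(payload: bytes) -> float:
    """Crude ADS stand-in: fraction of non-printable bytes, or the length of
    the longest run of one byte value (a filler/sled heuristic), whichever
    is higher. Returns a value in [0, 1]."""
    if not payload:
        return 0.0
    nonprint = sum(
        1 for b in payload if (b < 0x20 and b not in b"\r\n\t") or b > 0x7E
    ) / len(payload)
    longest = run = 1
    for prev, cur in zip(payload, payload[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    return max(nonprint, min(longest / 100.0, 1.0))


def shadow_honeypot(payload: bytes) -> bool:
    """Instrumented copy of the application. Returns True when serving the
    request would overrun one of the fixed-size buffers, i.e. the request
    is a real memory attack rather than an ADS false positive."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    path = parts[1] if len(parts) >= 2 else b""
    if len(path) > MAX_PATH:
        return True
    for line in lines[1:]:
        _, _, value = line.partition(b":")
        if len(value.strip()) > MAX_HEADER_VALUE:
            return True
    return False


def process_traffic(requests, threshold=0.2, sample_rate=0.0, rng=None):
    """Run requests through ADS -> shadow honeypot -> production.

    Flagged requests and a random sample of unflagged ones go to the shadow
    honeypot; only requests it confirms as attacks are dropped. The counters
    expose both the false positives the shadow absorbs and the extra work
    (shadow_invocations) that accuracy costs."""
    rng = rng or random.Random(0)
    stats = {
        "served": 0, "dropped": 0, "ads_flagged": 0,
        "ads_false_positive": 0, "caught_by_sampling": 0,
        "shadow_invocations": 0,
    }
    for req in requests:
        flagged = anomaly_score(req) >= threshold
        sampled = (not flagged) and rng.random() < sample_rate
        if flagged:
            stats["ads_flagged"] += 1
        if flagged or sampled:
            stats["shadow_invocations"] += 1
            if shadow_honeypot(req):
                stats["dropped"] += 1
                if sampled:
                    stats["caught_by_sampling"] += 1
                continue
            if flagged:
                stats["ads_false_positive"] += 1  # shadow cleared it
        stats["served"] += 1
    return stats


if __name__ == "__main__":
    for rate in (0.0, 1.0):
        print(f"sample_rate={rate}:", process_traffic(SAMPLE_REQUESTS, sample_rate=rate))
```

With `sample_rate=0.0` the binary upload is flagged by the ADS but served after the shadow honeypot clears it, the repeated-byte attack is flagged and dropped, and the varied-byte attack slips through. Raising `sample_rate` sends unflagged traffic to the shadow as well, which is what catches the third case, at the price of one shadow invocation per sampled request; that per-request cost is the processing overhead the article reports.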

Still, academics consider the concept encouraging for expanding traditional honeypots' uses and for reducing both the false positives that clog network logs and the false negatives that leave systems vulnerable to attack. It also shows promise for better monitoring of threats that target applications on the client side of computing systems.
