Lead Inventors:
Angelos Keromytis, Ph.D.; Stylianos Sidiroglou; Kostas G. Anagnostakis
Honeypots and anomaly detection systems capable of detecting new types of computer attacks:
Intrusion Prevention Systems (IPSs) are used to detect and respond to attacks on or suspicious activity targeting IT resources. Since most IPSs are rule-based, they are limited to protecting against known attacks. There is a need for intrusion detection mechanisms capable of detecting previously unknown types of attacks to counter the increasingly frequent occurrence of zero-day attacks. Two such approaches are honeypots and anomaly detection systems (ADSs). While honeypots can detect automated attackers such as scanning worms, they can fail to detect manual intrusions or topological and hit-list worms. Although ADSs can in theory detect both kinds of attacks, they are often less accurate than other detection methods.
Intrusion detection mechanism also minimizes false positive attack detections:
This technology is a novel hybrid architecture that combines the best features of honeypots and ADSs. Anomaly detectors monitor traffic to a protected network; suspicious traffic is directed to a shadow honeypot, which contains an instance of the protected resource instrumented to detect potential attacks. Traffic deemed legitimate by the shadow honeypot is validated and transparently passed on to the protected resource, while attacks are caught by the honeypot and discarded. The architecture can be tuned to balance the trade-off between performance and risk.
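As an added illustration that is not part of this page or the inventors' implementation, the following Python sketch simulates the routing logic described above: an anomaly detector scores each request, low-scoring traffic goes straight to the service, and high-scoring traffic is first run through an instrumented shadow copy that either discards it as an attack or validates it and passes it on. The byte-frequency scorer, the fixed 64-byte input buffer standing in for the instrumented check, and the sample requests are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

BUFFER_LIMIT = 64  # constructed: size of the protected service's input buffer


@dataclass
class Stats:
    passed_direct: int = 0      # below the anomaly threshold, never saw the shadow
    passed_via_shadow: int = 0  # flagged by the ADS but cleared by the shadow (false positive)
    attacks_discarded: int = 0  # flagged by the ADS and confirmed by the shadow


def anomaly_score(request: bytes) -> float:
    """Toy anomaly detector: share of non-printable bytes plus a length term."""
    nonprint = sum(1 for b in request if b < 0x20 or b > 0x7E)
    return nonprint / max(len(request), 1) + len(request) / (4 * BUFFER_LIMIT)


def shadow_honeypot(request: bytes) -> bool:
    """Instrumented copy of the service; True means the request would overflow
    the fixed buffer, i.e. it is a confirmed attack (assumed detection rule)."""
    return len(request) > BUFFER_LIMIT


def protected_service(request: bytes) -> str:
    """The production resource; only ever receives validated input."""
    return "OK:" + request[:BUFFER_LIMIT].decode("ascii", "replace")


def handle(request: bytes, stats: Stats, threshold: float = 0.3) -> Optional[str]:
    """Route one request through the hybrid pipeline; None means discarded."""
    if anomaly_score(request) < threshold:
        stats.passed_direct += 1
        return protected_service(request)
    if shadow_honeypot(request):
        stats.attacks_discarded += 1
        return None
    stats.passed_via_shadow += 1          # ADS false positive, corrected by the shadow
    return protected_service(request)


def run_sample_traffic() -> Stats:
    """Constructed traffic: one plain request, one long-input overflow, one odd but
    harmless binary upload, and one NOP-sled-looking overflow."""
    traffic = [
        b"GET /index.html",
        b"GET /" + b"A" * 100,
        b"POST /upload " + bytes(range(16)),
        b"GET /" + b"\x90" * 80,
    ]
    stats = Stats()
    for req in traffic:
        handle(req, stats)
    return stats
```

The third request shows the point of the hybrid: the detector flags it, but the shadow instance finds nothing wrong, so it reaches the service instead of being dropped as a false positive would be in an ADS-only deployment.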
Applications:
-- The technology can be used to protect a variety of server and client applications such as the Apache web server and the Mozilla web browser.
Advantages:
-- Despite the overhead imposed by shadow honeypot processing, the overall impact on the protected system's performance is reduced by the architecture's ability to minimize false positive attack detections.
Patent Information:
Licensing Status: Available for Sponsored Research Support
Publications:
Detecting targeted attacks using shadow honeypots, Proc. of 14th USENIX Security Symposium, 2005.