research-article

From Patches to Honey-Patches: Lightweight Attacker Misdirection, Deception, and Disinformation

Authors:
Frederico Araujo

The University of Texas at Dallas, Richardson, TX, USA

The University of Texas at Dallas, Richardson, TX, USA
View Profile

,
Kevin W. Hamlen

The University of Texas at Dallas, Richardson, TX, USA

The University of Texas at Dallas, Richardson, TX, USA
View Profile

,
Sebastian Biedermann

Technische Universität Darmstadt, Darmstadt, Germany

Technische Universität Darmstadt, Darmstadt, Germany
View Profile

,
Stefan Katzenbeisser

Technische Universität Darmstadt, Darmstadt, Germany

Technische Universität Darmstadt, Darmstadt, Germany
View Profile

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications SecurityNovember 2014Pages 942–953https://doi.org/10.1145/2660267.2660329

Published:03 November 2014Publication History

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

Pages 942–953

ABSTRACT

Traditional software security patches often have the unfortunate side-effect of quickly alerting attackers that their attempts to exploit patched vulnerabilities have failed. Attackers greatly benefit from this information; it expedites their search for unpatched vulnerabilities, it allows them to reserve their ultimate attack payloads for successful attacks, and it increases attacker confidence in stolen secrets or expected sabotage resulting from attacks. To overcome this disadvantage, a methodology is proposed for reformulating a broad class of security patches into honey-patches - patches that offer equivalent security but that frustrate attackers' ability to determine whether their attacks have succeeded or failed. When an exploit attempt is detected, the honey-patch transparently and efficiently redirects the attacker to an unpatched decoy, where the attack is allowed to succeed. The decoy may host aggressive software monitors that collect important attack information, and deceptive files that disinform attackers. An implementation for three production-level web servers, including Apache HTTP, demonstrates that honey-patching can be realized for large-scale, performance-critical software applications with minimal overheads.

References

K. G. Anagnostakis, S. Sidiroglou, P. Akritidis, M. Polychronakis, A. D. Keromytis, and E. P. Markatos. Shadow honeypots. Int. J. Computer and Network Security (IJCNS), 2(9):1--15, 2010.Google Scholar
K. G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, and A. D. Keromytis. Detecting targeted attacks using shadow honeypots. In Proc. USENIX Security Sym., 2005. Google ScholarDigital Library
J. Ansel, K. Arya, and G. Cooperman. DMTCP: Transparent checkpointing for cluster computations and the desktop. In Proc. IEEE Int. Parallel and Distributed Processing Sym. (IPDPS), pages 1--12, 2009. Google ScholarDigital Library
Apache. Apache HTTP server project. http://httpd. apache.org, 2014.Google Scholar
W. A. Arbaugh, W. L. Fithen, and J. McHugh. Windows of vulnerability: A case study analysis. IEEE Computer, 33(12), 2000. Google ScholarDigital Library
T. Avgerinos, S. K. Cha, B. L. T. Hao, and D. Brumley. AEG: Automatic exploit generation. In Proc. Network & Distributed System Security Sym. (NDSS), 2011.Google Scholar
M. Beham, M. Vlad, and H. P. Reiser. Intrusion detection and honeypots in nested virtualization environments. In Proc. IEEE/IFIP Int. Conf. Dependable Systems and Networks (DSN), pages 1--6, 2013. Google ScholarDigital Library
S. Biedermann, M. Mink, and S. Katzenbeisser. Fast dynamic extracted honeypots in cloud computing. In Proc. ACM Cloud Computing Security Work. (CCSW), pages 13--18, 2012. Google ScholarDigital Library
L. Bilge and T. Dumitras. Before we knew it: An empirical study of zero-day attacks in the real world. In Proc. ACM Conf. Computer and Communications Security (CCS), pages 833--844, 2012. Google ScholarDigital Library
K. Borders, L. Falk, and A. Prakash. OpenFire: Using deception to reduce network attacks. In Proc. Int. Conf. Security and Privacy in Communications Networks (SecureComm), pages 224--233, 2007.Google ScholarCross Ref
B. M. Bowen, S. Hershkop, A. D. Keromytis, and S. J. Stolfo. Baiting inside attackers using decoy documents. In Proc. Int. ICST Conf. Security and Privacy in Communication Networks (SecureComm), pages 51--70, 2009.Google ScholarCross Ref
D. Brumley, P. Poosankam, D. Song, and J. Zheng. Automatic patch-based exploit generation is possible: Techniques and implications. In Proc. IEEE Sym. Security & Privacy (S&P), pages 143--157, 2008. Google ScholarDigital Library
C. Clark, K. Fraser, S. Hand, J. G. Hansen, E. Jul, C. Limpach, I. Pratt, and A. Warfield. Live migration of virtual machines. In Proc. Sym. Networked Systems Design & Implementation (NSDI), volume 2, pages 273--286, 2005. Google ScholarDigital Library
Codenomicon. The Heartbleed bug. http://heartbleed.com, Apr. 2014.Google Scholar
B. Coppens, B. D. Sutter, and K. D. Bosschere. Protecting your software updates. IEEE Security & Privacy, 11(2):47--54, 2013. Google ScholarDigital Library
J. Corbet. TCP Connection Repair. http://lwn.net/ Articles/495304, 2012.Google Scholar
S. Crane, P. Larsen, S. Brunthaler, and M. Franz. Booby trapping software. In Proc. New Security Paradigms Work. (NSPW), pages 95--106, 2013. Google ScholarDigital Library
CRIU. Checkpoint/Restore In Userspace. http://criu.org, 2014.Google Scholar
D. Dagon, X. Qin, G. Gu, W. Lee, J. Grizzard, J. Levine, and H. Owen. Honeystat: Local worm detection using honeypots. In Proc. Int. Sym. Recent Advances in Intrusion Detection (RAID), pages 39--58, 2004.Google ScholarCross Ref
J. Duell. The design and implementation of Berkeley Lab's Linux checkpoint/restart. Technical Report LBNL-54941, U. California at Berkeley, 2002.Google Scholar
J. Finkle. U.S. government failed to secure Obamacare site -- experts. Reuters, Jan. 16, 2014.Google Scholar
G. H. Friedman. Evaluation report: The Department of Energy's unclassified cyber security program. Technical Report DOE/IG-0897, U.S. Dept. of Energy, Oct. 2013.Google Scholar
J. Fritz, C. Leita, and M. Polychronakis. Server-side code injection attacks: A historical perspective. In Proc. Int. Sym. Research in Attacks, Intrusions and Defenses (RAID), pages 41--61, 2013.Google ScholarDigital Library
X. Fu, W. Yu, D. Cheng, X. Tan, and S. Graham. On recognizing virtual honeypots and countermeasures. In Proc. IEEE Int. Sym. Dependable, Autonomic andSecure Computing (DASC), pages 211--218, 2006. Google ScholarDigital Library
Z. Gadot, M. Alon, L. Rozen, M. Atad, and Y. S. V. Shrivastava. Global application & network security report 2013. Technical report, Radware, 2014.Google Scholar
T. Garfinkel and M. Rosenblum. A virtual machine introspection based architecture for intrusion detection. In Proc. Network & Distributed Systems Security Sym. (NDSS), pages 191--206, 2003.Google Scholar
B. Geroff, H. Fujita, and Y. Ishikawa. An efficient process live migration mechanism for load balanced distributed virtual environments. In Proc. IEEE Int. Conf. Cluster Computing (CLUSTER), pages 197--206, 2010. Google ScholarDigital Library
Google. Protocol Buffers. https://code.google.com/p/protobuf, 2014.Google Scholar
Google. Web metrics. https://developers.google.com/speed/articles/web-metrics, 2014.Google Scholar
T. Jackson, B. Salamat, A. Homescu, K. Manivannan, G. Wagner, A. Gal, S. Brunthaler, C. Wimmer, and M. Franz. Compiler-generated software diversity. In S. Jajodia, A. K. Ghosh, V. Swarup, C. Wang, and X. S. Wang, editors, Moving Target Defense -- Creating Asymmetric Uncertainty for Cyber Threats, pages 77--98. Springer, 2011.Google Scholar
J. Jang, A. Agrawal, and D. Brumley. ReDeBug: Finding unpatched code clones in entire OS distributions. In Proc. IEEE Sym. Security & Privacy (S&P), pages 48--62, 2012. Google ScholarDigital Library
X. Jiang, D. Xu, and Y.-M. Wang. Collapsar: A VM-based honeyfarm and reverse honeyfarm architecture for network attack capture and detention. J. Parallel and Distributed Computing -- Special Issue on Security in Grid and Distributed Systems, 66(9):1165--1180, 2006. Google ScholarDigital Library
W. Kandek. Year closing { December 2013 patch Tuesday. Qualys: Laws of Vulnerabilities, Dec. 2013.Google Scholar
S. Kulkarni, M. Mutalik, P. Kulkarni, and T. Gupta. Honeydoop -- a system for on-demand virtual high interaction honeypots. In Proc. Int. Conf. for Internet Technology and Secured Transactions (ICITST), pages 743--747, 2012.Google Scholar
I. Kuwatly, M. Sraj, Z. A. Masri, and H. Artail. A dynamic honeypot design for intrusion detection. In Proc. IEEE/ACS Int. Conf. Pervasive Services (ICPS), pages 95--104, 2004. Google ScholarDigital Library
H. A. Lagar-Cavilla, J. A. Whitney, A. M. Scannell, P. Patchin, S. M. Rumble, E. de Lara, M. Brudno, and M. Satyanarayanan. SnowFlock: Rapid virtual machine cloning for cloud computing. In Proc. ACM European Conf. Computer Systems (EuroSys), pages 1--12, 2009. Google ScholarDigital Library
T. K. Lengyel, J. Neumann, S. Maresca, B. D. Payne, and A. Kiayias. Virtual machine introspection in a hybrid honeypot architecture. In Proc. USENIX Work. Cyber Security Experimentation and Test (CSET), 2012. Google ScholarDigital Library
Lighttpd. Lighttpd server project. http://www.lighttpd. net, 2014.Google Scholar
LXC. Linux containers. http://linuxcontainers.org, 2014.Google Scholar
M. Maurer and D. Brumley. Tachyon: Tandem execution for efficient live patch testing. In Proc. USENIX Security Sym., pages 617--630, 2012. Google ScholarDigital Library
D. S. Miloicic, F. Douglis, Y. Paindaveine, R. Wheeler, and S. Zhou. Process migration. ACM Computing Surveys, 32(3):241--299, 2000. Google ScholarDigital Library
Netcraft. Are there really lots of vulnerable Apache web servers? http://news.netcraft.com/archives/2014/02/07, 2014.Google Scholar
Nginx. Nginx server project. http://nginx.org, 2014.Google Scholar
Ohloh. Apache HTTP server statistics. http://www.ohloh.net/p/apache, 2014.Google Scholar
V. S. Pai, P. Druschel, and W. Zwaenepoel. Flash: An efficient and portable web server. In Proc. Conf. USENIX Annual Technical Conference (ATEC), pages 15--15, 1999. Google ScholarDigital Library
N. Provos and T. Holz. Virtual Honeypots: From Botnet Tracking to Intrusion Detection. Addison-Wesley Professional, 2007. Google ScholarDigital Library
A. Sabelfeld and A. C. Myers. Language-based information ow security. IEEE J. Selected Areas in Communications, 21(1):5--19, 2003. Google ScholarDigital Library
M. B. Salem and S. J. Stolfo. Decoy document deployment for effective masquerade attack detection. In Proc. Int. Conf. Detection of Intrusions and Malware, and Vulnerability Assessment, pages 35--54, 2011. Google ScholarDigital Library
S. Souders. The performance golden rule. http://www.stevesouders.com/blog/2012/02/10/the-performancegolden-rule, Feb. 2012.Google Scholar
L. Spitzner. Honeypots: Tracking Hackers. Addison-Wesley Longman, 2002. Google ScholarDigital Library
Y. Sun, Y. Luo, X. Wang, Z. Wang, B. Zhang, H. Chen, and X. Li. Fast live cloning of virtual machine based on Xen. In Proc. IEEE Conf. High Performance Computing and Communications (HPCC), pages 392--399, 2009. Google ScholarDigital Library
The 111th United States Congress. An act entitled the patient protection and affordable care act. Public Law 111--148, 124 Stat. 119, Mar. 2010.Google Scholar
The Economic Times. New technique Red Herring fights 'Heartbleed' virus. The Times of India, Apr. 15, 2014.Google Scholar
J. Voris, N. Boggs, and S. J. Stolfo. Lost in translation: Improving decoy documents via automated translation. In Proc. IEEE Sym. Security & Privacy Workshops (S&PW), pages 129--133, 2012. Google ScholarDigital Library
J. Voris, J. Jermyn, A. D. Keromytis, and S. J. Stolfo. Bait and snitch: Defending computer systems with decoys. In Proc. Conf. Cyber Infrastructure Protection (CIP), 2012.Google Scholar
M. Vrable, J. Ma, J. Chen, D. Moore, E. Vandekieft, A. C. Snoeren, G. M. Voelker, and S. Savage. Scalability, fidelity, and containment in the Potemkin virtual honeyfarm. In Proc. ACM Sym. Operating Systems Principles (SOSP), pages 148--162, 2005. Google ScholarDigital Library
C. Wang, F. Mueller, C. Engelmann, and S. L. Scott. Proactive process-level live migration in HPC environments. In Proc. ACM/IEEE Conf. Supercomputing, 2008. Google ScholarDigital Library
J. Wang, X. Liu, and A. A. Chien. Empirical study of tolerating denial-of-service attacks with a proxy network.In Proc. USENIX Security Sym., pages 51--64, 2005. Google ScholarDigital Library
R. Wartell, V. Mohan, K. W. Hamlen, and Z. Lin. Binary stirring: Self-randomizing instruction addresses of legacy x86 binary code. In Proc. ACM Conf. Computer and Communications Security (CCS), pages 157--168, 2012. Google ScholarDigital Library
A. Whitaker, R. S. Cox, M. Shaw, and S. D. Gribble. Constructing services with interposable virtual hardware. In Proc. Sym. Networked Systems Design and Implementation (NSDI), pages 169--182, 2004. Google ScholarDigital Library
V. Yegneswaran, P. Barford, and D. Plonka. On the design and use of internet sinks for network abuse monitoring. In Proc. Int. Sym. Recent Advances in Intrusion Detection (RAID), pages 146--165, 2004.Google ScholarCross Ref
J. Yuill, D. Denning, and F. Feer. Using deception to hide things from hackers: Processes, principles, and techniques. J. Information Warfare, 5(3):26--40, 2006.Google Scholar
W. Zheng, R. Bianchini, G. J. Janakiraman, J. R. Santos, and Y. Turner. JustRunIt: Experiment-based management of virtualized data centers. In Proc. USENIX Annual Technical Conf., 2009. Google ScholarDigital Library

Index Terms

From Patches to Honey-Patches: Lightweight Attacker Misdirection, Deception, and Disinformation

Recommendations

Honeypot detection in advanced botnet attacks

Botnets have become one of the major attacks in the internet today due to their illicit profitable financial gain. Meanwhile, honeypots have been successfully deployed in many computer security defence systems. Since honeypots set up by security ...
Read More
Honey@home: A New Approach to Large-Scale Threat Monitoring
WISTDCS '08: Proceedings of the 2008 WOMBAT Workshop on Information Security Threats Data Collection and Sharing

Honeypots have been proven to be very useful for accurately detecting attacks, including zero-day threats, at a reasonable cost and with zero false positives. However, there are two pressing problems with existing approaches. The first problem is that ...
Read More
Honeypot Baselining for Zero Day Attack Detection

Honeypots are the network sensors used for capturing the network attacks. As these sensors are solely deployed for the purpose of being attacked and compromised hence they have to be closely monitored and controlled. In the work presented in this paper ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security
November 2014
1592 pages
ISBN:9781450329576
DOI:10.1145/2660267
General Chair:
Gail-Joon Ahn
Arizona State University, USA
,
Program Chairs:
Moti Yung
Google -- Columbia University, USA
,
Ninghui Li
Purdue University, USA
Copyright © 2014 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 3 November 2014
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
honeypots
intrusion detection and prevention
Qualifiers
- research-article
Conference

Acceptance Rates
CCS '14 Paper Acceptance Rate114of585submissions,19%Overall Acceptance Rate1,261of6,999submissions,18%
More
Upcoming Conference
CCS '24

Sponsor:

sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 62
  Total Citations
  View Citations
- 948
  Total Downloads
- Downloads (Last 12 months)80
- Downloads (Last 6 weeks)4
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

From Patches to Honey-Patches: Lightweight Attacker Misdirection, Deception, and Disinformation

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

ABSTRACT

References

Cited By

Index Terms

Recommendations

Honeypot detection in advanced botnet attacks

Honey@home: A New Approach to Large-Scale Threat Monitoring

Honeypot Baselining for Zero Day Attack Detection