ABSTRACT
Traditional software security patches often have the unfortunate side-effect of quickly alerting attackers that their attempts to exploit patched vulnerabilities have failed. Attackers greatly benefit from this information; it expedites their search for unpatched vulnerabilities, it allows them to reserve their ultimate attack payloads for successful attacks, and it increases attacker confidence in stolen secrets or expected sabotage resulting from attacks. To overcome this disadvantage, a methodology is proposed for reformulating a broad class of security patches into honey-patches - patches that offer equivalent security but that frustrate attackers' ability to determine whether their attacks have succeeded or failed. When an exploit attempt is detected, the honey-patch transparently and efficiently redirects the attacker to an unpatched decoy, where the attack is allowed to succeed. The decoy may host aggressive software monitors that collect important attack information, and deceptive files that disinform attackers. An implementation for three production-level web servers, including Apache HTTP, demonstrates that honey-patching can be realized for large-scale, performance-critical software applications with minimal overheads.
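The reformulation the abstract describes can be seen in miniature on a Heartbleed-style length check. The following C program is an added example, not code from the paper or from any of the three web servers it instruments: it places the conventional patch (fail closed, attacker immediately learns the bug is gone) beside a honey-patch of the same predicate (log the attempt, then complete the request the way the unpatched code would, but from decoy memory). The wire format, buffer sizes, bait string and the in-process decoy buffer are constructed assumptions; in the paper's design the decoy is a cloned, unpatched process in its own container, which is what the decoy buffer stands in for here.

```c
/* Added example, not the paper's code: a Heartbleed-style length-check patch
 * next to its honey-patch reformulation. Wire format, buffer sizes, bait
 * string and the in-process decoy buffer are constructed assumptions; the
 * paper's real decoy is a cloned, unpatched process in its own container. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DECOY_SIZE 65536u   /* covers the largest 16-bit claimed length */

typedef enum { HP_SERVED = 0, HP_REJECTED = 1, HP_DECOYED = 2 } hp_outcome;

/* Constructed request format: 2-byte big-endian claimed length, then payload. */
typedef struct {
    const uint8_t *payload;
    size_t actual_len;      /* bytes actually present on the wire */
    size_t claimed_len;     /* length the client asserts */
} echo_request;

/* Stand-in for the decoy: memory the attacker is allowed to read, seeded
 * with planted secrets (disinformation) instead of real ones. */
static uint8_t decoy_mem[DECOY_SIZE];
static const char bait[] = "DB_PASSWORD=decoy-h0neyt0ken-9c1f";  /* constructed */
static unsigned attacks_logged;   /* what the decoy-side monitor would record */

static void decoy_seed(void) {
    memset(decoy_mem, 'X', sizeof decoy_mem);
    memcpy(decoy_mem, bait, sizeof bait - 1);
}

static int parse_request(const uint8_t *buf, size_t n, echo_request *req) {
    if (n < 2) return -1;
    req->claimed_len = ((size_t)buf[0] << 8) | buf[1];
    req->payload = buf + 2;
    req->actual_len = n - 2;
    return 0;
}

/* Conventional patch: the check fails closed and the attacker learns at once
 * that the over-read no longer works. */
hp_outcome echo_patched(const uint8_t *buf, size_t n, uint8_t *out, size_t *out_len) {
    echo_request req;
    *out_len = 0;
    if (parse_request(buf, n, &req) != 0) return HP_REJECTED;
    if (req.claimed_len > req.actual_len) return HP_REJECTED;   /* the patch */
    memcpy(out, req.payload, req.claimed_len);
    *out_len = req.claimed_len;
    return HP_SERVED;
}

/* Honey-patch: identical predicate, but the failing branch logs the attempt
 * and completes the request from decoy memory, so the over-read appears to
 * succeed while leaking only planted data. `out` must hold DECOY_SIZE bytes. */
hp_outcome echo_honeypatched(const uint8_t *buf, size_t n, uint8_t *out, size_t *out_len) {
    echo_request req;
    *out_len = 0;
    if (parse_request(buf, n, &req) != 0) return HP_REJECTED;
    if (req.claimed_len > req.actual_len) {             /* attack detected */
        attacks_logged++;
        size_t over = req.claimed_len - req.actual_len; /* over < DECOY_SIZE */
        memcpy(out, req.payload, req.actual_len);       /* legitimate bytes */
        memcpy(out + req.actual_len, decoy_mem, over);  /* unpatched behaviour, decoy memory */
        *out_len = req.claimed_len;
        return HP_DECOYED;
    }
    memcpy(out, req.payload, req.claimed_len);
    *out_len = req.claimed_len;
    return HP_SERVED;
}

/* Constructed malicious request: claims 64 bytes, carries 4 ("ping"). */
static const uint8_t evil_req[] = { 0x00, 0x40, 'p', 'i', 'n', 'g' };
static uint8_t out_buf[DECOY_SIZE];
static size_t last_served;

/* Runs the constructed request through one handler and returns the outcome;
 * the number of bytes served is available via demo_last_served(). */
hp_outcome demo_run(int honey) {
    decoy_seed();
    attacks_logged = 0;
    last_served = 0;
    return honey ? echo_honeypatched(evil_req, sizeof evil_req, out_buf, &last_served)
                 : echo_patched(evil_req, sizeof evil_req, out_buf, &last_served);
}

size_t demo_last_served(void) { return last_served; }
unsigned hp_attacks_logged(void) { return attacks_logged; }

/* 1 if the last honey-patched response leaked the bait, 0 otherwise. */
int demo_leaked_bait(void) {
    return memcmp(out_buf + 4, bait, sizeof bait - 1) == 0;
}

int main(void) {
    hp_outcome o = demo_run(0);
    printf("patched:       outcome=%d served=%zu\n", (int)o, demo_last_served());
    o = demo_run(1);
    printf("honey-patched: outcome=%d served=%zu leaked=\"%.*s\"\n",
           (int)o, demo_last_served(), (int)demo_last_served(), out_buf);
    return 0;
}
```

The point to notice is that the honey-patch keeps the patch's detection predicate unchanged; only the consequence of the failing branch differs, which is what lets the technique be applied mechanically to a broad class of input-validation patches. In the real system the over-read region would come from a forked, unpatched decoy process rather than a buffer in the same address space, so the serving process never exposes its own heap.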
TITLE
From Patches to Honey-Patches: Lightweight Attacker Misdirection, Deception, and Disinformation