International Journal On Advances in Security, volume 9, numbers 1 and 2, 2016


The All Seeing Eye and Apate: Bridging the Gap between IDS and Honeypots

Authors:
Christoph Pohl
Hans-Joachim Hof

Keywords: intrusion detection; honeypot; virtualisation; sensor; brute force; timing

Abstract:
Timing attacks are a challenge for current intrusion detection solutions. Timing attacks are dangerous for web applications because they may leak information about side channel vulnerabilities. This paper presents a methodology that is especially good at detecting timing attacks. Unlike current solutions, the proposed Intrusion Detection System uses a huge number of sensors for vulnerability detection. Honeypots are used in IT Security to detect and gather information about ongoing intrusions by presenting an interactive system as an attractive target to an attacker. The longer an attacker interacts with a honeypot, the more valuable information about the attack can be collected. Honeypots should appear like a valuable target to motivate an attacker. This paper presents, in addition to the possibilities of timing attack vulnerabilities, a novel way to inject honeypot and analysis capabilities into any software based on the x64 or i386 architecture. It fulfills two basic requirements: it can be injected into machine code without the need for recompilation, and it can be configured during runtime. This means the honeypot is able to change the behavior of any function during runtime. The concept uses sophisticated stealth techniques to remain hidden. In conclusion, the research presents a novel way to detect side channel vulnerabilities and an inbuilt hypervisor to provide configurable honeypot capabilities that expose these vulnerabilities to an attacker. The proposed solution in this paper offers a highly configurable injection technology which can change the behavior of any function without the need for recompilation or even reinstallation. It is able to provide these capabilities in the kernel or userland of current *Nix systems.

Pages: 1 to 13

Copyright: Copyright (c) to authors, 2016. Used with permission.

Publication date: June 30, 2016

Published in: journal

ISSN: 1942-2636