DOWeR: Detecting Outliers in Web Service Requests. Master's Presentation of Christian Blass.


Overview
1. Motivation
   * Web Services (SOAP and REST)
   * Vulnerabilities
   * Existing mitigation methods
2. Key ideas of DOWeR
   * Detection proxy
   * Outlier detection
   * N-gram tries as feature vectors
3. Testing environment
   * ROC vs. precision and recall
   * Architecture of the evaluation engine
4. Tested properties and potential issues
5. Outlook and conclusion
6. Demonstration of DOWeR

1. Motivation
 Rising popularity of Web Services (Amazon, eBay, Google)
 Hard to develop securely
   * Developers lack knowledge about security issues
   * Vulnerabilities sit in the application logic
 Aims of attackers
   * Overloading the service
   * Theft of private data
   * Compromising client machines
 Aims of this research: securing existing Web Services
   * Without insight into the Web Service's structure
   * Without altering its code
   * Without requiring deep security expertise from the operator

Web Services and Protocols for Implementation
 Definition: "A Web Service is a software system designed to support interoperable machine-to-machine interaction over a network." (W3C)
 Protocols
   * SOAP: XML based; envelope, header, body; call attributes are embedded in the SOAP body
   * REST: based on HTTP methods (GET, POST, DELETE, ...) applied to resources, e.g. Search, Security

Vulnerabilities and Countermeasures
 Vulnerabilities
   * SOAP: exploiting XML parsers, e.g. the DTD entity reference attack
   * SQL injection: malicious alteration of an SQL query. The service builds
     SELECT * FROM data WHERE user = '<input>'
     and the input A' or user = 'B turns it into
     SELECT * FROM data WHERE user = 'A' or user = 'B'
   * Cross-site scripting: the attacker forces execution of a script on a third party's client
 Countermeasures
   * SOAP standards such as WS-Security, WS-Policy, and XML Schema validation
   * Intrusion detection
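The SQL injection from the slide, run end to end as an added example (this is illustration code, not part of DOWeR): the concatenating lookup is the vulnerable form the slide describes, the parameterised lookup is the fix. The table, rows and function names are constructed for the example; sqlite3 stands in for whatever database the service uses.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table matching the slide's `data` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE data (user TEXT, secret TEXT)")
    conn.executemany("INSERT INTO data VALUES (?, ?)",
                     [("A", "a-secret"), ("B", "b-secret")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user: str) -> list:
    """Vulnerable: the request attribute is pasted into the query text, so
    a quote in the input ends the literal and the rest becomes SQL."""
    query = f"SELECT * FROM data WHERE user = '{user}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, user: str) -> list:
    """Hardened: the attribute travels as a bound parameter; the database
    compares the whole string, quotes and all, against the column."""
    return conn.execute("SELECT * FROM data WHERE user = ?", (user,)).fetchall()


def rows_returned(user: str) -> tuple:
    """(vulnerable, safe) row counts for one request attribute."""
    conn = setup_db()
    return len(lookup_vulnerable(conn, user)), len(lookup_safe(conn, user))


if __name__ == "__main__":
    for payload in ["A", "A' or user = 'B"]:
        print(f"{payload!r:20} vulnerable/safe rows = {rows_returned(payload)}")
```

The injected attribute `A' or user = 'B` is exactly the request payload an anomaly detector such as DOWeR must separate from the legitimate `A`: the service code does not change, only the request text does.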

NetShield: Extension of Mitigator
 NetShield Mitigator
   * Monitors traffic (packet types) on the network layer
   * Generates firewall rules
   * Can only react to attacks already in progress
 Extension
   * Network layer vs. application layer: the attacks above hide in the payload, while traffic on the network layer looks normal
   * Hence a proxy that inspects the application-layer payload

2. Key Ideas of DOWeR
Architecture (figure): Client and Attacker send requests to the Web Service; DOWeR sits in between as a proxy and passes each request through its Classifier.

kNN Outlier Detection
 Works on unlabeled (real) data
 Question: does a new document fit the monitored pattern?
 Score a new document by its k nearest neighbours (k = 3) in the model
 Compare the score to a threshold computed from the other documents
(Figure: documents plotted over Feature A and Feature B, with the new document and its three nearest neighbours marked.)

Language Models as Features
Features taken from the payload of a REST request:
 Byte distribution (as in PAYL, NIDES)
 Properties of certain attributes
 N-gram frequencies
(Figure: difference between the 3-gram frequencies of an IIS unicode attack and those of normal HTTP traffic.)

Storing N-grams in a Trie Data Structure
(Figure: a trie built from n-grams such as "bar", "ban", "band", "car" and "card"; shared prefixes share a path, and each leaf carries the frequency of its n-gram.)

Distance Between Two Tries
(Figure: two tries walked in parallel; the distance d(x,y) sums the absolute differences of the leaf counts, e.g. |4| + |8| for n-grams present in only one of the two tries.)
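The three slides above, kNN scoring, n-gram features and the trie distance, as one added worked example. This is illustration code written for this page, not the DOWeR implementation: the trie is a nested dict with the frequency stored under a "#" key at each leaf, the distance is the Manhattan distance over leaf counts computed by walking both tries in lockstep, the score is the mean distance to the k = 3 nearest training tries, and the threshold is the largest leave-one-out score of the training set. The 3-gram length, the threshold rule and all payloads are assumptions made for the example.

```python
"""kNN outlier detection over n-gram tries (added example, not DOWeR code)."""

N = 3   # n-gram length (assumption; the slides show 3-grams)
K = 3   # k as on the slides


def build_trie(payload: str, n: int = N) -> dict:
    """Insert every character n-gram of `payload` into a nested-dict trie.
    The key "#" at a leaf holds how often that n-gram occurred."""
    root: dict = {}
    for i in range(len(payload) - n + 1):
        node = root
        for ch in payload[i:i + n]:
            node = node.setdefault(ch, {})
        node["#"] = node.get("#", 0) + 1
    return root


def trie_distance(a: dict, b: dict) -> int:
    """Walk both tries in lockstep and sum |count_a - count_b| over all leaves.
    An n-gram present in only one trie contributes its whole count."""
    total = 0
    for key in set(a) | set(b):
        if key == "#":
            total += abs(a.get("#", 0) - b.get("#", 0))
        else:
            total += trie_distance(a.get(key, {}), b.get(key, {}))
    return total


def knn_score(model: list, trie: dict, k: int = K) -> float:
    """Outlier score: mean distance to the k nearest tries in the model."""
    dists = sorted(trie_distance(trie, m) for m in model)
    return sum(dists[:k]) / k


def fit_threshold(model: list, k: int = K) -> float:
    """Leave-one-out: score every training trie against the others and keep
    the largest value, so no training instance would be flagged (assumption)."""
    return max(knn_score(model[:i] + model[i + 1:], t, k)
               for i, t in enumerate(model))


def is_outlier(model: list, threshold: float, payload: str, k: int = K) -> bool:
    return knn_score(model, build_trie(payload), k) > threshold


# Constructed attack-free training corpus of REST query strings.
TRAINING = ["q=shoes&page=1", "q=boots&page=2", "q=socks&page=1",
            "q=hats&page=3", "q=coats&page=2", "q=jeans&page=1"]
MODEL = [build_trie(p) for p in TRAINING]
THRESHOLD = fit_threshold(MODEL)

if __name__ == "__main__":
    # Constructed test requests: one normal, an SQL injection, an XSS payload.
    for payload in ["q=shoes&page=2",
                    "q=' OR user='B'&page=1",
                    "q=<script>alert(1)</script>&page=1"]:
        score = knn_score(MODEL, build_trie(payload))
        print(f"{payload!r:40} score={score:5.2f} "
              f"threshold={THRESHOLD:5.2f} outlier={score > THRESHOLD}")
```

With this corpus the threshold comes out at 37/3 (about 12.3), the normal request scores about 8.7, and the two attack payloads score 22 and above, because almost none of their 3-grams occur in the model. The same run also shows the weakness discussed later under tested properties: the threshold is a property of this corpus, and a payload with longer free text would raise every score.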

3. Testing Environment: Receiver Operating Characteristic (ROC)
(Figure: distribution of outlier scores for normal and attack instances with the threshold drawn on the score axis.)

ROC vs. Precision and Recall
 ROC and Area Under Curve (AUC)
   * Uses all possible thresholds
   * Estimates how well a method separates the two classes
   * Good for comparing methods with each other
 Precision and recall
   * Require a fixed threshold
   * Estimate the accuracy of the deployed classifier

Architecture of the Testing Environment
(Figure: a Traffic Generator produces a Training Corpus of attack-free instances and an Evaluation Corpus of mixed instances; the Classifier Instance is trained on the former and run on the latter; a Label Checker compares its output with the instance labels; Evaluation derives the quality measures ROC, AUC, precision and recall.)
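The two quality measures of the evaluation engine, computed from labelled outlier scores, as an added example (illustration code, not the thesis's evaluation engine). The scores and labels are constructed; they stand for the output of the classifier instance on the evaluation corpus, with label 1 for an attack and 0 for an attack-free instance. ROC/AUC sweeps every score as a threshold; precision and recall need one fixed threshold, which is the distinction the slide draws.

```python
"""ROC/AUC versus precision/recall over labelled outlier scores (added example)."""


def roc_points(scores: list, labels: list) -> list:
    """Sweep the threshold over every distinct score from high to low,
    flagging s >= t, and return the ROC curve as [(fpr, tpr), ...]."""
    positives = sum(labels)
    negatives = len(labels) - positives
    order = sorted(zip(scores, labels), key=lambda p: -p[0])
    points, tp, fp, i = [(0.0, 0.0)], 0, 0, 0
    while i < len(order):
        t = order[i][0]
        while i < len(order) and order[i][0] == t:   # tied scores move together
            if order[i][1]:
                tp += 1
            else:
                fp += 1
            i += 1
        points.append((fp / negatives, tp / positives))
    return points


def auc(points: list) -> float:
    """Area under the ROC curve by the trapezoid rule."""
    area = 0.0
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        area += (x1 - x0) * (y0 + y1) / 2
    return area


def precision_recall(scores: list, labels: list, threshold: float) -> tuple:
    """Precision and recall when everything scored above `threshold` is flagged."""
    flagged = [y for s, y in zip(scores, labels) if s > threshold]
    tp = sum(flagged)
    positives = sum(labels)
    precision = tp / len(flagged) if flagged else 0.0
    recall = tp / positives if positives else 0.0
    return precision, recall


# Constructed evaluation output: six attack-free and four attack instances.
SCORES = [8.7, 9.1, 10.2, 11.0, 12.3, 13.5, 12.0, 18.5, 22.0, 34.0]
LABELS = [0, 0, 0, 0, 0, 0, 1, 1, 1, 1]

if __name__ == "__main__":
    print(f"AUC = {auc(roc_points(SCORES, LABELS)):.3f}")
    for t in (12.33, 11.5):
        p, r = precision_recall(SCORES, LABELS, t)
        print(f"threshold {t}: precision={p:.2f} recall={r:.2f}")
```

The AUC (11/12 here) is independent of any threshold and says the scores rank attacks above normal traffic most of the time, while precision and recall change with the chosen threshold: at 12.33 both are 0.75, at 11.5 recall reaches 1.0 at the cost of precision. Only the second pair describes what an operator would actually experience.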

4. Tested Properties and Potential Issues

Tested Properties and Potential Issues: Threshold Estimation
 Good thresholds are hard to find, as they depend on
   * The domain in use
   * The configuration chosen
 Thresholds may change over time, as
   * The instances in the model change
   * The distribution of requests may change

Tested Properties and Potential Issues: Impact of Free Text, Robustness to Changes
 Impact of free text (figure): short terms with a fixed syntax give lower scores, long terms with no constraints give higher scores
 Robustness to changes (figure): the monitored instances of Service A and Service B are compared against a New Service

Tested Properties and Potential Issues: Slow Alteration of the Model
Possibility of slowly altering the model: intermediate instances are placed close to normal instances and then the attack is launched. Example using k = 1 (figure panels a, b, c):
1. The red malicious instance is further away from its nearest neighbour than the threshold allows
2. An orange, specially crafted instance is added to the model
3. The orange instance becomes the nearest neighbour of the attack and the attack's score drops below the threshold, resulting in a successful attack
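The three panels above played through as an added example with k = 1 (illustration code, not from the thesis). It assumes a toy two-feature model in which a request scored at or below the threshold is accepted and added to the model, which is the property the attack exploits; the points, the Euclidean distance and the threshold of 1.5 are constructed. It goes slightly beyond the slide in that it crafts as many intermediate instances as the distance requires, not just one.

```python
"""Slow alteration of a k=1 outlier model by crafted intermediate instances
(added example)."""
import math

THRESHOLD = 1.5                                              # assumption
NORMAL = [(0.0, 0.0), (1.0, 0.0), (0.0, 1.0), (1.0, 1.0)]    # constructed


def dist(p: tuple, q: tuple) -> float:
    return math.hypot(p[0] - q[0], p[1] - q[1])


def nn_score(model: list, x: tuple) -> float:
    """k=1 outlier score: distance to the nearest instance in the model."""
    return min(dist(x, m) for m in model)


def admit(model: list, x: tuple, threshold: float = THRESHOLD) -> bool:
    """Online model (assumption): an accepted request joins the model."""
    if nn_score(model, x) > threshold:
        return False
    model.append(x)
    return True


def craft_path(model: list, attack: tuple, threshold: float = THRESHOLD) -> list:
    """Intermediate instances on the straight line from the attack's nearest
    neighbour to the attack, spaced so each lies within threshold of the
    previous one (panel b of the slide, repeated as often as needed)."""
    start = min(model, key=lambda m: dist(m, attack))
    segments = math.ceil(nn_score(model, attack) / threshold)
    return [(start[0] + (attack[0] - start[0]) * i / segments,
             start[1] + (attack[1] - start[1]) * i / segments)
            for i in range(1, segments)]


def poison_and_attack(attack: tuple) -> tuple:
    """Returns (rejected before poisoning, number of crafted instances,
    all crafted instances admitted, attack admitted afterwards)."""
    model = list(NORMAL)
    rejected_first = not admit(model, attack)
    crafted = craft_path(model, attack)
    all_crafted_admitted = all(admit(model, p) for p in crafted)
    return rejected_first, len(crafted), all_crafted_admitted, admit(model, attack)


if __name__ == "__main__":
    attack = (4.0, 4.0)   # constructed malicious instance, far from the cluster
    print("score before poisoning:", round(nn_score(list(NORMAL), attack), 3))
    print("rejected, crafted, crafted admitted, attack admitted:",
          poison_and_attack(attack))
```

The attack at (4, 4) is 4.24 from the nearest normal instance and is rejected; two crafted points at (2, 2) and (3, 3) each sit 1.41 from their predecessor, are accepted, and afterwards the attack itself scores 1.41 and passes. A model that admits accepted requests without review is therefore vulnerable regardless of how well the threshold was tuned; the slides' adaptive threshold and pre-clustering ideas address runtime and drift, not this.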

Tested Properties and Potential Issues: Runtime
 Purely memory-based approach
 A new instance has to be matched against every instance in the model
 Critical, as overloading the classifier might itself result in a denial of service
(Table: runtime in ms against model size for n = 1, 2, 3, ...; values not recoverable from the transcript.)

5. Outlook and Conclusion
Aim: securing existing Web Services without in-depth knowledge of them
 In general the method works well
   * 90% accuracy with no false positives
   * Requires manual tuning of attributes
 Possible improvements
   * Threshold estimation: adjustment to changes in the domain, adaptive threshold
   * Outlier score and algorithm
   * Runtime: pre-clustering of the model

6. Demonstration of DOWeR