EECS 598-2 Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

Web Tap: Intelligent Intrusion Detection. Kevin Borders.

Overview
– Target Environment
– Threat Model
– Web Tap Design
– Results
– Future Work
– Conclusion
– Questions
– Demo

Target Environment
– High-security corporate or government network
  – Very concerned about information leaks and intruders
  – Mail server and (optionally) proxy server on the network perimeter
  – Strict firewall settings:
    – Only allow outgoing HTTP traffic on port 80 from workstations
    – Or use a proxy server and block all direct traffic

Threat Model
– A highly skilled hacker compromises a vulnerable workstation:
  – Email with a link to a web page that exploits the browser
  – Email with a trojan attachment
– Hard to prevent due to the multitude of browser vulnerabilities

Threat Model (Part Two)
– The hacker needs to communicate with the compromised machine
  – Traditional trojans (Back Orifice, etc.) do not work: incoming TCP requests are blocked
  – Only two paths available: email and the web (HTTP)
  – Email is risky:
    – Logged
    – Rapid two-way communication from a remote shell can be easily detected
  – The web is a better way of communicating with the machine:
    – Hard to detect
    – Significantly more bandwidth is available (without being detected)

Threat Model (Part Three)
– The attacker places a custom trojan horse program on the machine
  – The trojan calls back to the hacker's machine on port 80 (HTTP) at predetermined times
  – Two-way communication follows in the form of web transactions
  – If a proxy server is used, the transactions must appear to be legitimate
– Later on: demo of a callback trojan through a proxy

Web Tap Design
– Web Tap is a network-based anomaly detection IDS
– Why network-based?
  – Host-based intrusion detection systems are easily disabled
– Why anomaly detection?
  – Highly skilled hackers use tools with unknown signatures

Web Tap Design: Implementation
– Web Tap is implemented as a proxy server extension
  – Records web requests from all users
  – Extracts important statistics
  – Builds a profile of each user
  – Raises an alert when it detects non-human web browsing behavior
– Note: Web Tap also detects spyware and adware in addition to trojan horse programs

Web Tap Design: Statistics
– Web Tap calculates statistics to characterize human web browsing patterns:
  – Delay between requests for the same site
  – Size of requests (mean, variance, maximum)
  – Bandwidth usage (upload) per site per five minutes and per day for each user
  – Total bandwidth usage (upload) per user per five minutes and per day

Experimental Setup
– Statistics were collected from a proxy server with over 30 users (currently 8 days of data available)
  – The population consists of college students, faculty, friends and family members
  – Home computers with the browser configured to use the remote proxy server

Results: Delay Times
– Aggregate delay times between accesses to a specific site by a specific user follow a distribution
– Jumps can be seen at certain times (30 seconds, 4 minutes, 5 minutes, etc.)
  – "Spyware" and other programs use the proxy and call back regularly
– Trojans (and other programs) which call back regularly can be detected by examining the distribution of delay times
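The delay-time statistic from the design slides and the "jumps at fixed intervals" result above can be reproduced on a small scale with the following added example. It is not Web Tap's code; the log format (one line per request: unix time, user, host, outbound bytes), the sample lines and the thresholds (at least five requests, coefficient of variation at most 5%) are all constructed for this illustration.

```python
"""Delay-time profiling over a proxy log (constructed example, not Web Tap's code).

Log format assumed for this example: "<unix_time> <user> <host> <outbound_bytes>".
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: alice browses news.example.org at irregular intervals,
# while some process on her machine contacts cb.example.net every 300 seconds.
SAMPLE_LOG = """\
1000 alice news.example.org 412
1000 alice cb.example.net 210
1017 alice news.example.org 398
1083 alice news.example.org 455
1300 alice cb.example.net 212
1421 alice news.example.org 402
1600 alice cb.example.net 209
1900 alice cb.example.net 211
2200 alice cb.example.net 210
2500 alice cb.example.net 213
2815 alice news.example.org 441
"""


def parse_log(text):
    """Yield (time, user, host, bytes) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        t, user, host, nbytes = line.split()
        yield int(t), user, host, int(nbytes)


def delays_by_user_site(records):
    """Map (user, host) -> list of delays (seconds) between consecutive requests."""
    times = defaultdict(list)
    for t, user, host, _ in records:
        times[(user, host)].append(t)
    delays = {}
    for key, ts in times.items():
        ts.sort()
        delays[key] = [later - earlier for earlier, later in zip(ts, ts[1:])]
    return delays


def find_regular_callbacks(delays, min_requests=5, max_cv=0.05):
    """Flag (user, host) pairs whose inter-request delays are nearly constant.

    Human browsing spreads delays widely; a program calling home on a timer
    produces one sharp spike. CV = population stdev / mean (0 for a perfect timer).
    """
    alerts = []
    for (user, host), ds in delays.items():
        if len(ds) + 1 < min_requests:  # too few requests to judge
            continue
        m = mean(ds)
        cv = pstdev(ds) / m if m > 0 else 0.0
        if cv <= max_cv:
            alerts.append({"user": user, "host": host,
                           "period_s": round(m), "cv": round(cv, 3)})
    return alerts


def delay_histogram(delays, bucket_s=30):
    """Aggregate every delay into fixed-width buckets; spikes show up as tall buckets."""
    hist = defaultdict(int)
    for ds in delays.values():
        for d in ds:
            hist[(d // bucket_s) * bucket_s] += 1
    return dict(sorted(hist.items()))


if __name__ == "__main__":
    per_site = delays_by_user_site(parse_log(SAMPLE_LOG))
    for alert in find_regular_callbacks(per_site):
        print("ALERT regular callback:", alert)
    print("delay histogram (bucket start -> count):", delay_histogram(per_site))
```

On the constructed sample the histogram has five delays in the 300-second bucket and one each scattered elsewhere, and only the 300-second site is flagged. In practice the CV threshold needs tuning per site: legitimate auto-refreshing pages also produce spikes, which is exactly why the slides count spyware and adware among the things this statistic surfaces.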


Results: Request Size
– Outbound HTTP request size alone does not follow a predictable pattern like delay time does
  – Whether a site is being accessed by a program or a person cannot be determined from size alone
– File uploads of over 3-4 KB can be detected
  – Only ten hosts had a request over 4 KB (four over 10 KB)
– Useful for detecting data leaks and enforcing a "no upload" policy


Results: Bandwidth Usage
– Total upload bandwidth usage for a single user shows an activity time profile
  – Traffic during times when the user is never active can raise an alarm
  – Will detect any callbacks that occur when the user is usually away
– Bandwidth usage per site can show regular callbacks
– Daily upload bandwidth usage per site can detect a site receiving a lot of data
  – An HTTP callback trojan will need a lot of information per day from the compromised machine


Future Work
– Develop an algorithm to detect entropy in strings
  – Greatly reduce the number of outbound bytes measured per request: English words contain much less information than random bytes
  – Would help isolate intense, chaotic (encrypted or compressed) bandwidth usage associated with trojans
– Apply concepts from Web Tap to other protocols
  – More thorough intrusion detection
  – Useful in more open networks
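The entropy idea in the future-work slide can be shown concretely. The added example below is not Web Tap's code and the talk does not say which estimator the authors intended; it uses two standard ones, Shannon entropy in bits per byte and the zlib compression ratio, and scales a request's byte count by its entropy to get the "information bytes" the slide proposes measuring instead of raw bytes. The text sample and the seeded pseudo-random sample are constructed, and the 6-bit classification threshold is an assumption.

```python
"""Entropy-weighted request size (constructed example, not Web Tap's code)."""
import math
import random
import zlib
from collections import Counter

# Constructed form-encoded request body: ordinary English words and separators.
TEXT_SAMPLE = (
    b"q=intrusion+detection+for+web+proxy+traffic&lang=en&page=two"
    b"&note=human+web+browsing+follows+patterns+that+are+hard+to+mimic"
    b"&note=a+program+that+calls+home+on+a+timer+leaves+a+regular+trace"
    b"&note=english+words+carry+much+less+information+than+random+bytes"
)

# Constructed stand-in for an encrypted or compressed payload: 1024 bytes from a
# seeded PRNG so the example is deterministic (stdlib random, not a CSPRNG).
_rng = random.Random(1)
RANDOM_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(1024))


def shannon_entropy(data: bytes) -> float:
    """Plug-in Shannon entropy of the byte distribution, in bits per byte (0..8)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def compressed_ratio(data: bytes) -> float:
    """zlib output size / input size; near 1.0 means nothing to squeeze out."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def information_bytes(data: bytes) -> float:
    """Byte count scaled by entropy/8: English-like data counts for much less than it weighs."""
    return len(data) * shannon_entropy(data) / 8.0


def classify(data: bytes, threshold_bits: float = 6.0) -> str:
    """Label a payload by its entropy; threshold is an assumption for this example."""
    return "high-entropy" if shannon_entropy(data) >= threshold_bits else "text-like"


if __name__ == "__main__":
    for name, sample in (("text", TEXT_SAMPLE), ("random", RANDOM_SAMPLE)):
        print(f"{name:6s} len={len(sample):5d} "
              f"H={shannon_entropy(sample):.2f} bits/byte "
              f"zlib={compressed_ratio(sample):.2f} "
              f"info_bytes={information_bytes(sample):.0f} "
              f"-> {classify(sample)}")
```

Both estimators are biased on very short inputs: a 10-byte payload cannot score more than log2(10) bits per byte, and zlib's fixed header makes tiny inputs look incompressible. A deployment would therefore accumulate bytes per site over a window before scoring, which fits naturally with the five-minute and daily bandwidth counters already in the design.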

Conclusion
– In a high-security network, outbound HTTP is the only good way to exfiltrate information
– Data exfiltration is done by a trojan program using callbacks
– Web Tap is a network-based anomaly detection system
  – Human web browsing follows specific patterns which are hard to mimic
  – Web Tap takes advantage of these patterns to hunt down trojan and "ad/spyware" programs

Questions?

It's Demo Time!