
EECS 598-2 Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.


1 EECS 598-2 Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders

2 Overview
– Target Environment
– Threat Model
– Web Tap Design
– Results
– Future Work
– Conclusion
– Questions
– Demo

3 Target Environment
High-security corporate or government network
– Very concerned about information leaks and intruders
– Mail server and (optionally) proxy server on the network perimeter
– Strict firewall settings
  Only allow outgoing HTTP traffic on port 80 from workstations
  Or use a proxy server and block all other outbound traffic

4 Threat Model
A highly skilled hacker compromises a vulnerable workstation
– E-mails a link to a web page that exploits the browser
– E-mails a trojan as an attachment
– Hard to prevent due to the multitude of browser vulnerabilities

5 Threat Model (Part Two)
The hacker needs to communicate with the compromised machine
– Traditional trojans (Back Orifice, etc.) do not work: incoming TCP requests are blocked
– Only two paths are available: e-mail and web (HTTP)
– E-mail is risky
  Logged
  Rapid two-way communication from a remote shell can be easily detected
– Web is a better way of communicating with the machine
  Hard to detect
  Significantly more bandwidth is available (without being detected)

6 Threat Model (Part Three)
The attacker places a custom Trojan horse program on the machine
– The trojan calls back to the hacker’s machine on port 80 (HTTP) at predetermined times
– Two-way communication follows in the form of web transactions
– If a proxy server is used, the transactions must appear to be legitimate
Later on: demo of a callback trojan through a proxy

7 Web Tap Design
Web Tap is a network-based anomaly detection IDS
Why network-based?
– Host-based intrusion detection systems are easily disabled
Why anomaly detection?
– Highly skilled hackers use tools with unknown signatures

8 Web Tap Design: Implementation
Web Tap is implemented as a proxy server extension
– Records web requests from all users
– Extracts important statistics
– Builds a profile of each user
– Raises an alert when it detects non-human web browsing behavior
Note: Web Tap also detects spyware and adware in addition to Trojan horse programs

9 Web Tap Design: Statistics
Web Tap calculates statistics to characterize human web browsing patterns
– Delay between requests for the same site
– Size of requests (mean, variance, maximum)
– Bandwidth usage (upload) per site per five minutes and per day for each user
– Total bandwidth usage (upload) per user per five minutes and per day

10 Experimental Setup
Statistics were collected from a proxy server with over 30 users (currently 8 days of data available)
– The population consists of college students, faculty, friends and family members
– Home computers with the browser configured to use the remote proxy server

11 Results: Delay Times
Aggregate delay times between accesses to a specific site by a specific user follow a distribution
Jumps can be seen at certain times (30 seconds, 4 minutes, 5 minutes, etc.)
– “Spyware” and other programs use the proxy and call back regularly
Trojans (and other programs) which call back regularly can be detected by examining the distribution of delay times


13 Results: Request Size
Outbound HTTP request size alone does not follow a predictable pattern like delay time
– Whether a site is being accessed by a program or a person cannot be determined from size alone
File uploads of over 3-4 KB can be detected
– Only ten hosts had a request over 4 KB (four over 10 KB)
Useful for detecting data leaks and enforcing a “no upload” policy


15 Results: Bandwidth Usage
Total upload bandwidth usage for a single user shows an activity time profile
– Traffic during times when the user is never active can raise an alarm
– Will detect any callbacks that occur when the user is usually away
Bandwidth usage per site can show regular callbacks
Daily upload bandwidth usage per site can detect a site receiving a lot of data
– An HTTP callback trojan will need a lot of information per day from the compromised machine
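The statistics of slide 9 and the three detections of slides 11, 13 and 15 (regular callback delays, oversized requests, uploads outside the user's active hours), as an added example that is not Web Tap's own code; the log records, the active-hours window and the delay-regularity threshold are constructed assumptions:

```python
# Added example, not Web Tap's own code: per-user, per-site statistics
# from slides 9-15 over constructed proxy log records, with three
# detectors: regular callback delays, oversized requests, off-hours uploads.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log records: (timestamp in seconds, user, site, request bytes).
# "alice" browses news.example irregularly during the day; her workstation
# also contacts cb.example every 300 s with identical 2 KB requests at 2 am,
# and sends one 120 KB request to files.example.
LOG = [(t, "alice", "news.example", 700 + 40 * i)
       for i, t in enumerate([32420, 32495, 32800, 35300, 36120])]
LOG += [(7200 + 300 * k, "alice", "cb.example", 2048) for k in range(10)]
LOG.append((39600, "alice", "files.example", 120_000))

ACTIVE_HOURS = range(8, 19)   # assumed hours in which this user is normally active
MAX_REQUEST_BYTES = 4096      # slide 13: only ten hosts sent a request over 4 KB
MAX_DELAY_CV = 0.1            # assumed: near-constant delays look automated

def delays_by_user_site(log):
    """Slide 9: delay between consecutive requests to one site by one user."""
    times = defaultdict(list)
    for t, user, site, _ in sorted(log):
        times[(user, site)].append(t)
    return {k: [b - a for a, b in zip(v, v[1:])]
            for k, v in times.items() if len(v) > 1}

def regular_callbacks(log, min_hits=5, max_cv=MAX_DELAY_CV):
    """Slide 11: (user, site) pairs whose delays cluster at one interval.
    Returns {(user, site): interval_seconds}."""
    alerts = {}
    for key, d in delays_by_user_site(log).items():
        if len(d) + 1 >= min_hits and mean(d) > 0 and pstdev(d) / mean(d) <= max_cv:
            alerts[key] = round(mean(d))
    return alerts

def oversized_requests(log, limit=MAX_REQUEST_BYTES):
    """Slide 13: requests over ~4 KB are rare for people; flag them as possible uploads."""
    return [(user, site, size) for _, user, site, size in log if size > limit]

def off_hours_upload(log, active=ACTIVE_HOURS):
    """Slide 15: upload bytes per user outside the user's usual activity hours."""
    total = defaultdict(int)
    for t, user, _, size in log:
        if (t // 3600) % 24 not in active:
            total[user] += size
    return dict(total)

if __name__ == "__main__":
    print(regular_callbacks(LOG))     # {('alice', 'cb.example'): 300}
    print(oversized_requests(LOG))    # [('alice', 'files.example', 120000)]
    print(off_hours_upload(LOG))      # {'alice': 20480}
```

The irregular news.example visits pass all three checks, while the fixed 300-second cadence, the single large request and the 2 am traffic each raise a separate alert.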


19 Future Work
Develop an algorithm to detect entropy in strings
– Greatly reduces the number of outbound bytes measured per request: English words contain much less information than random bytes
– Would help isolate intense, chaotic (encrypted or compressed) bandwidth usage associated with trojans
Apply concepts from Web Tap to other protocols
– Thorough intrusion detection
– Useful in more open networks

20 Conclusion
In a high-security network, outbound HTTP is the only good way to exfiltrate information
Data exfiltration is done by a trojan program using callbacks
Web Tap is a network-based anomaly detection system
– Human web browsing follows specific patterns which are hard to mimic
– Web Tap takes advantage of these patterns to hunt down trojan and “ad/spyware” programs

21 Questions?

22 It’s Demo Time!

