EECS 598-2 Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

EECS 598-2 Presentation

Web Tap: Intelligent Intrusion Detection

Kevin Borders


Overview

• Target Environment• Threat Model• Web Tap Design• Results• Future Work• Conclusion• Questions• Demo


Target Environment

• High-security corporate or government network– Very concerned about information leaks and

intruders– Mail server and (optionally) proxy server on

network perimeter– Strict firewall settings

• Only allow outgoing http traffic on port 80 from workstations

• Or use proxy server and block all traffic


Threat Model

• A highly-skilled hacker compromises a vulnerable workstation – E-mail a link to a web page that exploits the

browser– E-mail with a trojan in attachment– Hard to prevent due to multitude of browser

vulnerabilities


Threat Model (Part Two)

• Hacker needs to communicate with the compromised machine– Traditional Trojans do not work (Back Orifice, etc.)

• Incoming TCP requests blocked– Only two paths available: E-mail and Web (http)– E-mail is risky

• Logged• Rapid two-way communication from remote shell can be

easily detected– Web is a better way of communicating with machine

• Hard to detect• Significantly more bandwidth is available (Without being

detected)


Threat Model (Part Three)

• Attacker places a custom Trojan Horse program on the machine– Trojan calls back to the hacker’s machine on

port 80 (http) at predetermined times– Two-way communication follows in the form of

web transactions– If proxy server is used, transactions must

appear to be legitimate

• Later on: Demo of callback Trojan through a proxy


Web Tap Design

• Web Tap is a Network-Based Anomaly Detection IDS

• Why Network-Based?– Host-Based intrusion detection systems are

easily disabled

• Why Anomaly Detection?– Highly-skilled hackers use tools with unknown

signatures


Web Tap Design: Implementation

• Web Tap implemented as proxy server extension– Records web requests from all users– Extracts important statistics– Builds profile of each user– Raises an alert when it detects non-human

web browsing behavior• Note: Web Tap also detects spyware and adware

in addition to Trojan Horse programs


Web Tap Design: Statistics

• Web Tap calculates statistics to characterize human web browsing patterns– Delay between requests for the same site– Size of requests (mean, variance, maximum)– Bandwidth usage (upload) per site per five

minutes and per day for each user– Total bandwidth usage (upload) per user per

five minutes and per day


Experimental Setup

• Statistics were collected from a proxy server with over 30 users (currently have 8 days of data available)– The population group consists of college

students, faculty, friends and family members– Home computers with browser configured to

use remote proxy server


Results: Delay Times

• Aggregate delay times between accesses to a specific site by a specific user follow a distribution

• Jumps can be seen at certain times (30 seconds, 4 minutes, 5 minutes, etc.)– “Spyware” and other programs use proxy and call

back regularly

• Trojans (and other programs) which call back regularly can be detected by examining distribution of delay times



Results: Request Size

• Outbound HTTP request size alone does not follow a predictable pattern like delay time– Whether a site is being accessed by a program or a

person cannot be determined

• File uploads of over 3-4 KB can be detected– Only ten hosts with a request over 4 KB (four over 10

KB)

• Useful for detecting data leaks and enforcing “no upload” policy



Results: Bandwidth Usage

• Total upload bandwidth usage for single user shows activity time profile– Traffic during times when user is never active can

raise an alarm– Will detect any callbacks that occur when user is

usually away• Bandwidth usage per site can show regular

callbacks • Daily upload bandwidth usage per site can

detect site receiving a lot of data– An http callback Trojan will need a lot of information

per day from the compromised machine





Future Work

• Develop an algorithm to detect entropy in strings– Greatly reduce the number of outbound bytes

measured per request • English words contain much less information than random

bytes

– Would help isolate intense, chaotic (encrypted or compressed) bandwidth usage associated with Trojans

• Apply concepts from Web Tap to other protocols– Thorough intrusion detection– Useful in more open networks


Conclusion

• In a high security network, outbound http is the only good way to exfiltrate information

• Data exfiltration is done by a Trojan computer program using callbacks

• Web Tap is a Network-Based Anomaly Detection system– Human web browsing follows specific patterns which

are hard to mimic– Web Tap takes advantage of patterns to hunt down

Trojan and “ad/spyware” programs


Questions?


It’s Demo Time!

EECS 598-2 Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

Documents

statistics web tap

proxy slide

implementation web tap

web page

web http email

remote proxy server

presentation results

traffic slide