190 likes | 349 Vues
Identifying Malicious Web Requests through Changes in Locality and Temporal Sequence DIMACS Workshop on Security of Web Services and E-Commerce. Li-Chiou Chen lchen@pace.edu School of Computer Science and Information Systems Pace University May 4 th , 2005.
E N D
Identifying Malicious Web Requests through Changes in Locality and Temporal SequenceDIMACS Workshop on Security of Web Services and E-Commerce Li-Chiou Chen lchen@pace.edu School of Computer Science and Information Systems Pace University May 4th, 2005
Needs for anomaly detection in distributed network traces • The fast spreading Internet worms or malicious programs interrupts web services • Early detection and response is a vital approach • These attacks are usually launched from distributed locations • Network traces left at distributed locations are invaluable for searching clues of potential future attacks • E.g. Dshield, the Honeynet Project
Types of IDS • Based on data • Network-based IDS • Monitors and inspects network traffic • Host-based IDS • Runs on a single host • Based on detection techniques • Signature-based IDS • Uses pattern matching to identify known attacks • Anomaly-based IDS • Uses statistical, data mining or other techniques to distinguish normal from abnormal activities
Outline • Toolkits for inferring anomaly patterns from distributed network traces • Previous works • Changes of locality over time • Markov chain analysis • Preliminary results • Summary • Future works
TIAP: Toolkits for inferring anomalous patterns in distributed network traces Network traces (web log, tcpdump, etc) Data conversion Alerts from other IDS or TIAP peers (using IDMEF) Locality pattern analysis Sequence pattern analysis Response module Alerts to other IDS or TIAP peers (using IDMEF) Alerts to administrators
Web level IDS • Anomaly detection • Structure of a HTTP request (Kruegel and Vigna 03) • Normality on streams of data access patterns (Sion et al 03) • Misuse detection • State transition analysis of HTTP requests (Vigna et al 03) • Look for attack signatures (Almgren et al 01)
Changes in locality patterns and temporal sequence patterns • Locality • where the web request is sent, such as the source IP address, • which web server is requested, such as the destination IP address • Temporal sequence • the order of requested objects during a given period of time
Locality pattern analysis in distributed network traces ABAA ABCD KIKL ABPO t1: AB t2: .... t3: …. t4: ….
An example: web traces in common log format from 6 web servers S1 S2 S3 S4 S5 S6 tstamp, ip, server, doc_tpe, user_agent 62978, 38.0.69.1, 1, 2, 3 62979, 38.0.69.1, 1, 2, 3 62979, 38.0.69.1, 2, 2, 3 63001, 38.0.69.1, 1, 2, 3 …….. ……… A session
Data profiles • 6 web servers (2 of them have links to each other, 4 of them are independent) • One day web trace • One session: a distinct IP, 10 minutes interval • 193,070 HTTP requests, • 11,177 sessions • HTTP requests from outside of the organization
Locality pattern analysis 86 sessions by only two web bots
NS N S S O S N S O SN S S N S S………………….. t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t13 t14 t15 t16 ……………. sampling window 1 sampling window 2 N N O S O S Markov chain analysis
Data profiles • 1 web servers • One week web traces • Window size 30 • Reference list 30
Markov chain results 0.43(0.14) Old (O) 0.42(0.21) 0.43(0.17) 0.13 (0.10) 0.13 (0.08) New (N) Same (S) 0.40 (0.22) 0.83 (0.10) 0.06 (0.04) 0.18 (0.16)
Summary • The preliminary locality pattern analysis works well with identifying distinct web bot access patterns • The Markov chain analysis provides a way to infer attacks that utilize random IP addresses • A combination of the two approaches is needed
Ongoing works • Incorporate the analytical results for malware or intrusion detections • A distributed framework of data collection and information sharing for inferring malwares or intrusion attempts across servers/platforms/geographical locations • Collection of attack logs for analytical purpose • Use of the Intrusion Detection Message Exchange Format (IDMEF) for message changes among servers