Intrusion Detection in Web Traffic

Posted by greenpepperwhinny, Security, 3 Nov 2013, 110 views

An Anomaly-Based Approach for Intrusion Detection in Web Traffic

Carmen Torrano-Gimenez, Alejandro Perez-Villegas and Gonzalo Alvarez

Instituto de Física Aplicada, Consejo Superior de Investigaciones Científicas, Madrid, Spain

Journal of Information Assurance and Security 5 (2010)

Mike Hsiao 2010.06.11

References

Carmen Torrano-Gimenez, Alejandro Perez-Villegas and Gonzalo Alvarez, "An Anomaly-Based Approach for Intrusion Detection in Web Traffic," in Journal of Information Assurance and Security, vol. 5, 2010.

C. Torrano-Gimenez, A. Perez-Villegas and G. Alvarez, "A Self-learning Anomaly-Based Web Application Firewall," in 2nd International Workshop in Computational Intelligence in Security for Information Systems (CISIS 09), vol. 63, pp. 85-92, Springer-Verlag, 2009.

A. Liu, Y. Yuan, D. Wijesekera, and A. Stavrou, "SQLProb: A Proxy-Based Architecture toward Preventing SQL Injection Attacks," in Proc. of the 2009 ACM Symposium on Applied Computing (SAC'09), 2009.

Fredrik Valeur, Giovanni Vigna, Christopher Kruegel, and Engin Kirda, "An Anomaly-Driven Reverse Proxy for Web Applications," in Proc. of the 2006 ACM Symposium on Applied Computing (SAC'06), 2006.

Outline

- Introduction
- Web Applications and Web Attacks
  - Web Applications
  - Web Attacks
  - Web Vulnerabilities
- System Overview
  - Architecture (WAF: Web Application Firewall)
  - Normal Behavior Description
  - Detection Process
- Experiments: Case Study (Web Shopping)
  - XML/Training/Testing
  - WAF Protection Mechanism
  - Performance/Results
- Comments

An Anomaly-Based Approach for Intrusion Detection in Web Traffic

Introduction

Web applications handle large amounts of sensitive data, which makes them even more attractive to malicious users: identity supplanting, sensitive data hijacking, unauthorized access to information, web content modification, command execution, etc.

Conventional firewalls (operating at the network and transport layers) are usually not enough to protect against web-specific attacks.

To be really effective, detection has to be moved to the application layer.

Traditional Firewall (Layer 3/4)

(Diagram: attacker, packet inspection, valuable server, with the protocol stack)
Application layer (7): e.g., HTTP, FTP, RPC
Transport layer (4): e.g., TCP, UDP
Network layer (3): e.g., IP

A traditional firewall can inspect the messages and headers carried in layers 3 and 4. Some firewalls extend this capability to capture layer 2 information.

Most IDSs can inspect application-layer messages, but they basically fall into the "misuse-based" category, which only captures known attacks.

Traditional Firewall (Layer 3/4)

Netfilter/iptables (L3/L4):

    iptables -A INPUT -p TCP -i $RED_DEV --dport 135 -s 0/0 -j DROP

Such a rule cannot distinguish attacks from normal traffic: all network traffic to TCP port 135 will be dropped.

Snort (L3/L4 + L7 signature):

    alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,little,relative; flowbits:isset,dce.isystemactivator.bind; classtype:attempted-admin; sid:2351; rev:10;)

Such a rule is much more precise than the previous one, but it relies on "syntactic" analysis, not "semantic" analysis.

Shield (L3/L4 + L7 semantic signature, vulnerability-based IDS)

These tools are useful for detecting known attacks, but they simply block the malicious traffic. They are only temporary solutions: the vulnerable software needs to be fixed as soon as possible. Moreover, such rules may not be robust enough to detect the attack and its variants.
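The point that signature rules "may not be robust enough to detect the attack and its variants" can be made concrete with a small added example (not code from the slides or from the paper). A constructed Snort-style signature for an SQL injection string is run over the original attack and three rewritten variants, first on the raw query string and then after the kind of normalization a WAF performs before matching. The signature, the payloads and the normalization steps are all assumptions made here; the signature is not the sid:2351 DCERPC rule quoted above.

```python
"""Why a syntactic signature is fragile: the same attack in several dresses.

Added example, not from the slides or the paper. SIGNATURE is a constructed
stand-in for a Snort-style content/pcre match on an SQL injection string, and
PAYLOADS are constructed query strings.
"""
import re
from urllib.parse import unquote

# A signature of the "misuse" kind: match the literal attack pattern.
SIGNATURE = re.compile(r"union\s+select", re.IGNORECASE)

# Constructed query strings: the plain attack and three trivially rewritten variants.
PAYLOADS = {
    "plain":       "id=1 UNION SELECT user,pass FROM users",
    "url_encoded": "id=1%20UNION%20SELECT%20user,pass%20FROM%20users",
    "comment_gap": "id=1 UNION/**/SELECT user,pass FROM users",
    "double_enc":  "id=1%2520UNION%2520SELECT%2520user,pass%2520FROM%2520users",
}


def normalize(payload):
    """One round of URL decoding plus removal of inline SQL comments: the kind
    of preprocessing a WAF applies before running its signatures."""
    payload = unquote(payload)
    return re.sub(r"/\*.*?\*/", " ", payload)


def signature_hits(payload, preprocess=False):
    """True when the signature fires on the (optionally normalized) payload."""
    if preprocess:
        payload = normalize(payload)
    return SIGNATURE.search(payload) is not None


def evaluate(payloads, preprocess=False):
    """Map each payload name to whether the signature catches it."""
    return {name: signature_hits(p, preprocess) for name, p in payloads.items()}


if __name__ == "__main__":
    print("raw match:         ", evaluate(PAYLOADS))
    print("with normalization:", evaluate(PAYLOADS, preprocess=True))
```

On the raw strings only the plain attack is caught. After one round of decoding and comment stripping the URL-encoded and comment-split variants are caught too, but the double-encoded one still slips through: every variant the signature author did not anticipate is a miss, which is the gap a positive (anomaly) model is meant to close.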

IDS

Intrusion Detection System

- Signature Detection System (Misuse)
  - Negative approach
  - Known attacks/exploitations
  - String matching techniques
- Anomaly Detection System (Anomaly)
  - Positive approach
  - Normal/common behavior
  - Irregular behavior will be tagged as intrusive
- Hybrid

Traditional IDS shortcomings

- Signature Detection System (Misuse)
  - Fragmentation, pattern changing, ...
  - False positive/negative problem
- Anomaly Detection System (Anomaly)
  - Complex environments (large networks with multiple servers and operating systems)
  - Up-to-date normal? Feasible normal?
  - FP/FN problem

UTM - Unified Threat Management (2003)

A UTM is a gateway appliance that uses a single, simple interface to configure, control and secure the traffic entering and leaving the corporate network.

Depending on the model, a UTM integrates a selection of the following main functions in a single host: routing, firewall, spam filtering, anti-virus (covering viruses, malware, phishing, ...), IDS/IPS (intrusion detection or prevention system), web filtering, proxy, VPN, VoIP, NAT, and DoS/DDoS (denial of service / distributed denial of service) protection.

UTM systems must:

- Be an appliance
- Include multiple security features
- Have a hardened OS
- Be able to perform:
  - Network firewalling
  - Intrusion prevention (IPS)
  - Gateway anti-virus

WAF

Web Application Firewall

A WAF analyzes HTTP traffic (application layer) in order to detect malicious behavior that can compromise the security of the web application.

This paper relies on an XML file to describe what normal web application traffic is.

Web Applications and Vulnerabilities

- Application
  - Presentation, application logic, storage (see next page)
  - IIS/Apache, Tomcat, MSSQL/MySQL
  - Web content is dynamic: CGI in Perl, Python, C/C++; JSP, PHP, ASP; Java, VB, C#
- Attack
  - Static attacks look for security vulnerabilities in the web application platform: web server, application server, database server, firewall, OS, and third-party components such as shopping carts, crypto modules, ...
  - Dynamic web attacks only request legal pages of the application, but they subvert the expected parameters.
- Vulnerability
  - OWASP Top 10

How does a WAF work?

(Diagram with: Attacker, User, Web Server, App Server, DB Server, Media Server)

Application Security Risk

OWASP (The Open Web Application Security Project)

OWASP Top 10: 2010 (rc1); 2007 vs. 2009

Architecture

(Architecture diagram; label: "(reverse)")

ModSecurity is a popular open source signature-based WAF.

Armorize SmartWAF(TM)

Reverse Proxy (+ Load Balancing)

(Diagram: Internet, WAF, Web Server, Cash Flow 1, Cash Flow 2, WebMail, Media Server)

The WAF responds in place of the web server: after receiving a request it can inspect the content and, if it is normal, request the content from the web server and return the response.

But sometimes a WAF is not enough.

Web Site Design

[*] Fredrik Valeur, Giovanni Vigna, Christopher Kruegel, and Engin Kirda, "An Anomaly-Driven Reverse Proxy for Web Applications," in Proc. of the 2006 ACM Symposium on Applied Computing (SAC'06), 2006.

A web site could be made more resilient to attacks if it were possible to design both the server and the database infrastructure so that different levels of access to the database and to the hosts running the server processes could be clearly enforced.

(a) An e-commerce web site implemented with a single server that relies on a single back-end database and that accesses a credit card processing server.

(b) Design: (i) non-sensitive, static information about the e-commerce company (e.g., company contacts and support information) is accessible through one server; (ii) the non-sensitive, dynamic information about product availability is accessible through a second server that accesses a product database; and, finally, (iii) the sensitive information about users is accessible through a third server that relies on a user database, which is separated from the product database. This last server also has access to the credit card processing server.

(c) The database is modified to create two different users u1 and u2, where u1 is allowed to access table x only and u2 is able to access both table x and table y. User u1 is associated with server B and user u2 is associated with server C.

(Figure legend: f1 = function 1, X = table X)


Normal Behavior Description

The XML file contains rules regarding the correctness of HTTP verbs, HTTP headers, accessed resources (files), arguments, and values for the arguments.

- Verbs. The verbs node simply specifies the list of allowed HTTP verbs. Requests using any other verb will be rejected.
- Headers. The headers node specifies a list of some HTTP headers and their allowed values. Different values will not be accepted.
- Directories. Each directory in the web application space is represented in the XML file by a directory node. Each file in the web application space is represented by a file node. Input arguments are represented by argument nodes within the corresponding file node. Legal values for arguments should meet some statistical rules.

The XML file is generated by a training/testing method.
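The profile just described can be exercised with a small added example (not the authors' code or their XML schema). It loads a constructed XML profile with the verbs, headers and nested directory/file/argument nodes the slide describes, then classifies six constructed requests, reporting every rule a request violates. The attribute names minlen, maxlen and charset, the sample profile, the request set and the learn_argument_rule training helper are assumptions made here; the helper is only a simplification of the paper's training phase, deriving length bounds and observed character classes from legitimate values.

```python
"""Anomaly-based check of HTTP requests against an XML 'normal behaviour' profile.

Added example in the spirit of the profile described in the slides. It is not the
authors' code or XML schema: the attribute names (minlen, maxlen, charset), the
sample profile and the requests below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlsplit

# Constructed profile for a small web shop; nesting follows the slide's description.
PROFILE_XML = """
<normal>
  <verbs><verb>GET</verb><verb>POST</verb></verbs>
  <headers><header name="Host">shop.example</header></headers>
  <directory path="/">
    <file name="index.php"/>
    <directory path="cart/">
      <file name="add.php">
        <argument name="id"  minlen="1" maxlen="6" charset="[0-9]"/>
        <argument name="qty" minlen="1" maxlen="2" charset="[0-9]"/>
      </file>
    </directory>
  </directory>
</normal>
"""


def learn_argument_rule(values):
    """Training step (assumed simplification): length bounds and the character
    classes observed in a sample of legitimate values for one argument."""
    classes = set()
    for v in values:
        for ch in v:
            classes.add("0-9" if ch.isdigit() else "A-Za-z" if ch.isalpha() else re.escape(ch))
    lengths = [len(v) for v in values]
    return min(lengths), max(lengths), "[" + "".join(sorted(classes)) + "]"


class NormalProfile:
    """Positive model: anything the XML does not describe is anomalous."""

    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        self.verbs = {v.text.strip() for v in root.iter("verb")}
        self.headers = {h.get("name"): h.text.strip() for h in root.iter("header")}
        self.files = {}  # "/cart/add.php" -> {"id": (minlen, maxlen, compiled charset)}
        for top in root.findall("directory"):
            self._walk(top, "")

    def _walk(self, node, prefix):
        path = prefix + node.get("path")  # directory paths concatenate down the tree
        for f in node.findall("file"):
            rules = {}
            for a in f.findall("argument"):
                rules[a.get("name")] = (int(a.get("minlen")), int(a.get("maxlen")),
                                        re.compile(r"^(?:%s)*$" % a.get("charset")))
            self.files[path + f.get("name")] = rules
        for sub in node.findall("directory"):
            self._walk(sub, path)

    def check(self, method, target, headers, body=""):
        """Return the list of violated rules; an empty list means 'normal'."""
        reasons = []
        if method not in self.verbs:
            reasons.append("verb %s not allowed" % method)
        for name, allowed in self.headers.items():
            if headers.get(name) != allowed:
                reasons.append("header %s=%r not allowed" % (name, headers.get(name)))
        parts = urlsplit(target)
        rules = self.files.get(parts.path)
        if rules is None:
            reasons.append("resource %s not in profile" % parts.path)
            return reasons
        query = body if method == "POST" else parts.query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name not in rules:
                reasons.append("unknown argument %s" % name)
                continue
            lo, hi, charset = rules[name]
            if not lo <= len(value) <= hi:
                reasons.append("argument %s length %d outside [%d, %d]" % (name, len(value), lo, hi))
            if not charset.match(value):
                reasons.append("argument %s has characters outside %s" % (name, charset.pattern))
        return reasons


# Constructed requests: one legitimate, then an SQL injection attempt in 'id', an argument
# the application never uses, a disallowed verb, an unknown resource, and a forged Host.
REQUESTS = [
    ("GET", "/cart/add.php?id=1042&qty=2", {"Host": "shop.example"}),
    ("GET", "/cart/add.php?id=1042'%20OR%20'1'='1&qty=2", {"Host": "shop.example"}),
    ("GET", "/cart/add.php?id=1042&qty=2&debug=1", {"Host": "shop.example"}),
    ("OPTIONS", "/index.php", {"Host": "shop.example"}),
    ("GET", "/admin.php", {"Host": "shop.example"}),
    ("GET", "/index.php", {"Host": "evil.example"}),
]


def classify_all(profile, requests):
    return [profile.check(*r) for r in requests]


if __name__ == "__main__":
    for req, reasons in zip(REQUESTS, classify_all(NormalProfile(PROFILE_XML), REQUESTS)):
        print(req[0], req[1], "->", "normal" if not reasons else "; ".join(reasons))
```

Note that the injection attempt is flagged twice, once for length and once for character set, without the checker knowing anything about SQL: the profile only says what legitimate values of id look like, so the second-order effect of the anomaly model is that unseen attack variants fall out for free, while the cost is that any legitimate argument or header the training set did not cover will be rejected too.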

Example of rules in Armorize SmartWAF: Prefix

    /taiwan/content/imageView\.asp
    /C2M21/manager_citation(_acts)?\.php.*
    /F/[A-Z0-9]{51}\-[0-9]{5}
    /cgi/openfile{3_0}?
    (/[\w\-]*)*/hypage\.cgi
    /ttscgi/ttsweb([0-9]|new)?
    /cgi-bin/(?.Count.cgi|counter)
    (/cgi-bin/file-upload\.cgi|eduArea/|cgin1110\.asp)
    /saweb/pc|f\.file.*\.[Pp][Dd][Ff]

Snort rule (Blaster): the sid:2351 NETBIOS DCERPC ISystemActivator rule quoted above.

All regular expressions!

WAF vs. Fortify RTA

(Comparison table: WAF | Fortify RTA)

A. Liu, Y. Yuan, D. Wijesekera, and A. Stavrou, "SQLProb: A Proxy-Based Architecture toward Preventing SQL Injection Attacks," in Proc. of the 2009 ACM Symposium on Applied Computing (SAC'09), 2009.

Comments

- In order to achieve deeper packet inspection, a proxy design is used to reduce the effort of message extraction.
- Input validation is an important task for all kinds of web applications.
- A proxy placed in front of a particular application server can focus on checking only the attacks relevant to that server.
- Misuse or anomaly approach?