blacklisting malicious web sites using a secure version
play

Blacklisting Malicious Web Sites using a Secure Version of the DHT - PowerPoint PPT Presentation

Nov 11, 2023 •243 likes •551 views

Blacklisting Malicious Web Sites using a Secure Version of the DHT Protocol Kademlia Philipp C. Heckel, University of Mannheim, 5/26/09 1 Road Map 1. General Idea 2. Application Design 3. Implementation 4. Testing Philipp C. Heckel,

  1. Blacklisting Malicious Web Sites using a Secure Version of the DHT Protocol Kademlia Philipp C. Heckel, University of Mannheim, 5/26/09 1

  2. Road Map 1. General Idea 2. Application Design 3. Implementation 4. Testing Philipp C. Heckel, University of Mannheim, 5/26/09 2

  3. Motivation 1. General Idea Total Dollar Loss linked to Internet Fraud in the USA in 2004-2008 300 Loss in Mio. US Dollar 250 200 150 100 Source: Internet Crime Complaint Center (IC3) 50 2008 Annual Report www.ic3.gov/media/2009/090331.aspx 0 2004 2005 2006 2007 2008 ● Rising Internet crime rates ● Less phishing, less virus-infected attachments ● More malicious Web sites → more drive by -downloads Philipp C. Heckel, University of Mannheim, 5/26/09 3

  4. Initial Situation / Problem Description 1. General Idea GET / HTTP/1.1 Host: www.infected.com www.infected.com Browser malware-infected site Philipp C. Heckel, University of Mannheim, 5/26/09 4

  5. Solution 1. General Idea URL Blacklisting Service Is “www.infected.com” infected? Yes! Browser Warning! (with according plug-in) “www.infected.com” is infected! Display warning Do you really want to open it? message Philipp C. Heckel, University of Mannheim, 5/26/09 5

  6. Blacklisting Service 1. General Idea Honeynet Add blacklist entries collects information about URL Blacklisting malicious Web sites Service Query the service Browser (with according plug-in) Philipp C. Heckel, University of Mannheim, 5/26/09 6

  7. Related Work 1. General Idea Microsoft SmartScreen (IE 8+) Google Safe Browsing (FF 3+ / Safari 3.2+) Philipp C. Heckel, University of Mannheim, 5/26/09 7

  8. Client-Server vs. Peer-to-Peer 1. General Idea ● Problems in a client-server-based environment: Limited scalability ● Resource limitations (CPU time, RAM, ● bandwidth, ...) Synchronization between servers ● Data replication ● Single point of failure/attack ● ● Peer-to-Peer (P2P): Scalability by design ● Resource flexibility ● No single point of failure/attack, no replication, no ● synchronization Philipp C. Heckel, University of Mannheim, 5/26/09 8

  9. Distributed Hash Tables 1. General Idea Distributed Hash Tables (DHT) ... are structured P2P networks ● ● define a logical position for each node and entry ● store content at specific positions in the network, redundantly ● are fault-tolerant and reliable Example (Pseudo-Code): nodes := locateResponsibleNodes(“infected.com”); foreach nodes as node do node.store(“infected.com”, “infected”); Philipp C. Heckel, University of Mannheim, 5/26/09 9

  10. DHT-based Blacklisting Service 1. General Idea Honeynet Add blacklist entries collects information about malicious Web sites Query the service Browser Plug-in DHT-based Blacklisting Service Philipp C. Heckel, University of Mannheim, 5/26/09 10

  11. DHT-based Blacklisting Service 1. General Idea Honeynet Add blacklist entries collects information about malicious Web sites Encrypted and Access-Restricted Distributed Hash Table Query the service Browser Plug-in Access-restricted DHT-based Blacklisting Service with encrypted communication Access Restriction Encrypted Communication Philipp C. Heckel, University of Mannheim, 5/26/09 11

  12. Goals and Requirements 2. Application Design ● Use the honeynet-provided data to create a URL blacklisting service ● Handle large amounts of users (concurrency) ● Fast queries, low round-trip time (RTT) ● Scalable, extendable, reliable ● Create a secure and trustworthy DHT protocol, called Kademlia Secure (KadS) ● Restricted access ● Communication encryption Philipp C. Heckel, University of Mannheim, 5/26/09 12

  13. Underlying DHT Protocol: Kademlia 2. Application Design ● Fault-tolerant design, provable 10110... 10100... consistency, good performance 00111... ● Assigns a 160-bit ID to 11100... 10101... ● each node ( nodeID ) 10111... ● each DHT entry ( key ) ● Distance is based on the XOR metric Example (XOR metric): ● Provides four RPCs: id 1 := 10111... id 2 := 10001... ● PING( nodeID ) d(id 1 , id 2 ) = id 1 ⨁ id 2 ● STORE( key , value ) = 00110... ● FIND_NODE( nodeID or key ) ● FIND_VALUE( key ) Philipp C. Heckel, University of Mannheim, 5/26/09 13

  14. Extending Kademlia: PKI-supported DHT 2. Application Design Kademlia Secure (KadS): ● One root CA certificate per network ● Each node must possess ● a copy of the network's CA ● a CA-signed public key certificate ● a matching private key → Provable Node Identity Philipp C. Heckel, University of Mannheim, 5/26/09 14

  15. Extending Kademlia: PKI-supported DHT 2. Application Design Protocol Extensions: ● KadS handshake (TCP) ● Exchange public key certificates ● Verify each other's identity ● Exchange a random session key ● Encrypted Messaging (UDP) ● Exchange messages using the previously negotiated session key Philipp C. Heckel, University of Mannheim, 5/26/09 15

  16. Using the KadS Network to create the Blacklisting Service 2. Application Design Blacklisting Service: Blacklist Data Structure: ● Domain ● KadS node (as distributed data ● Expiry Date ● Analysis Code storage) UNKNOWN ● ● Client interfaces FAILED ● CLEAN ● ● for the honeyclients PARTIALLY_INFECTED ● INFECTED ● ● for the browser plug-ins ● Path List ● Business rules to enforce a specific Example: data structure ● Domain: infected.com ● Expiry Date: 01/01/2010 ● Analysis Code: PARTIALLY_INFECTED ● Path List: </bad.html, /worse.html> Philipp C. Heckel, University of Mannheim, 5/26/09 16

  17. Schematic Design of a Blacklist Node 2. Application Design Philipp C. Heckel, University of Mannheim, 5/26/09 17

  18. Interface DistributedHashMap 3. Implementation public interface DistributedHashMap { public void connect(InetSocketAddress address); public boolean contains(Identifier key); public Serializable get(Identifier key); public void put(Identifier key, Serializable value); public void remove(Identifier key); public void close(); } public class KadS implements DistributedHashMap { ... } Philipp C. Heckel, University of Mannheim, 5/26/09 18

  19. Example: Using the KadS class 3. Implementation Config config = new Config( new File("nodes/499/config.cfg")); KadS kads = new KadS(config); /* Connect to existing KadS network (KadS handshake, SK-Exchange) */ kads.connect( new InetSocketAddress("node1.kads.dyndns.org", 6852)); /* Add/Update a DHT entry */ kads.put("cities", new String[] { "Mannheim", "Heidelberg" }); nodes/499/config.cfg /* Perform FIND_VALUE-Operation */ kads.ca = nodes/ca.cer List<Country> countries = (List<Country>) kads.get("countries"); kads.node.cer = nodes/499/node.cer kads.node.key = nodes/499/node.key kads.close(); kads.port = 6852 kads.boot.sleep = 2000-10000 kads.boot.nodelist = nodes/bootstrap.list kads.boot.tries = 5 Philipp C. Heckel, University of Mannheim, 5/26/09 19

  20. Message Flow in a KadS Node 3. Implementation Sender ID Encrypted while (..) { Payload serverSocket.receive(packet); queue.put(packet); } Philipp C. Heckel, University of Mannheim, 5/26/09 20

  21. Example: Using the TrustworthyClient class 3. Implementation TrustworthyClient client = new TrustworthyClient("Honey1.cer", "Honey1.key", "BlacklistCA.cer"); /* Connect to a blacklist node in the network (SSL-Handshake) */ client.connect( new InetSocketAddress("node1.blacklist.dyndns.org", 7001)); if (!client.getAccessRights().hasWriteAccess()) throw new Exception("No write access!"); /* Store a blacklist entry (via TCP/SSL socket) */ client.store( new Entry("uni-mannheim.de", Entry.CLEAN)); client.store( new Entry("uni-heidelberg.de", Entry.INFECTED)); client.store( new Entry("spiegel.de", Entry.PARTIALLY_INFECTED, Arrays.asList( new String[] {“/bad.html”, “/infected.html”}))); /* After all entries are stored, the TCP/SSL socket can be closed */ client.disconnect(); Philipp C. Heckel, University of Mannheim, 5/26/09 21

  22. Example: Using the UntrustworthyClient class 3. Implementation /* Called once when the browser starts */ public void onBrowserStart() { blacklistClient = new UntrustworthyClient("BlacklistCA.cer"); /* Connect to a blacklist node in the network */ blacklistClient.connect( new InetSocketAddress("node1.blacklist.dyndns.org", 7001) ); } /* Called every time code is loaded from a so far foreign page */ public void onBeforeOpenWebsite(String domain, String path, ...) { Entry entry = blacklistClient.query(domain); if (entry.getAnalysisCode() == Entry.INFECTED) throw new MaliciousWebsiteException(...); ... } Philipp C. Heckel, University of Mannheim, 5/26/09 22

  23. Average RTT of KadS' put -Operation 4. Testing Avg. put -Speed relative to the Network Size in a LAN of 10, 45 and 225 nodes 40 10-node network 35 45-node network ms per put-operation 30 225-node network 25 20 15 10 5 0 ● How fast is the KadS network? ● Is the speed dependent of the network size? Philipp C. Heckel, University of Mannheim, 5/26/09 23

Recommend

Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci

Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci

OWASP T urkey - Uygulama Gvenlii Gn Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci Siber Gvenlik Dernei ali@ikinci.info 9 June 2012 Turkey About Me Working on Malicious Web Sites

505 views • 31 slides
PAPER PRESENTATION: HIGHLY PREDICTIVE BLACKLISTING John Bambenek CS 563 PROBLEM There are

PAPER PRESENTATION: HIGHLY PREDICTIVE BLACKLISTING John Bambenek CS 563 PROBLEM There are

PAPER PRESENTATION: HIGHLY PREDICTIVE BLACKLISTING John Bambenek CS 563 PROBLEM There are tons of malicious events detected by firewalls, intrusion detection systems, web application firewalls, etc. The adversarial infrastructure

656 views • 17 slides
Monkey-Spider Detection of Malicious Web Sites Final presentation of the diploma thesis Ali

Monkey-Spider Detection of Malicious Web Sites Final presentation of the diploma thesis Ali

Monkey-Spider Detection of Malicious Web Sites Final presentation of the diploma thesis Ali Ikinci ali[at]ikinci.info 9. July 2007 Head of Department: Prof. Dr. Felix Freiling Supervisor: Dipl.-Inform. Thorsten Holz Laboratory for Dependable

665 views • 32 slides
International Web Sites Richard Ishida 1 Version: 9 October 2006 International Web Sites This

International Web Sites Richard Ishida 1 Version: 9 October 2006 International Web Sites This

International Web Sites Richard Ishida 1 Version: 9 October 2006 International Web Sites This presentation will look at three of the many aspects of designing internationalized web pages, and attempt (without, by any means, covering the topic

808 views • 58 slides
DPM 2013 Privacy-Preserving Multi-Party Reconciliation Secure in the Malicious Model 8th ACM

DPM 2013 Privacy-Preserving Multi-Party Reconciliation Secure in the Malicious Model 8th ACM

DPM 2013 Privacy-Preserving Multi-Party Reconciliation Secure in the Malicious Model 8th ACM International Workshop on Data Privacy Management 2013 Georg Neugebauer 1 , Lucas Brutschy 1 , Ulrike Meyer 1 and Susanne Wetzel 2 UMIC LuFG IT-Security,

212 views • 17 slides
Feasibility and Infeasibility of Secure Computation with Malicious PUFs Dana Dachman-Soled 1 Nils

Feasibility and Infeasibility of Secure Computation with Malicious PUFs Dana Dachman-Soled 1 Nils

Feasibility and Infeasibility of Secure Computation with Malicious PUFs Dana Dachman-Soled 1 Nils Fleischhacker 2 Jonathan Katz 1 Anna Lysyanskaya 3 oder 2 Dominique Schr 1 University of Maryland, College Park 2 Saarland University 3 Brown

547 views • 39 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 23 March 2006 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

707 views • 69 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 10 March 2005 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

1.16k views • 94 slides
Secure DHCPv6 Using CGAs draft-jiang-dhc-secure-dhcpv6-02.txt www.huawei.com DHC Working Group

Secure DHCPv6 Using CGAs draft-jiang-dhc-secure-dhcpv6-02.txt www.huawei.com DHC Working Group

Secure DHCPv6 Using CGAs draft-jiang-dhc-secure-dhcpv6-02.txt www.huawei.com DHC Working Group IETF 76, Hiroshima Sheng JIANG &amp; Sean SHEN Current DHCPv6 uses regular IPv6 addresses a malicious attacker can use a fake address to

815 views • 13 slides
Automatically Detecting Vulnerable Sites Before They Turn Malicious Kyle Soska Nicolas

Automatically Detecting Vulnerable Sites Before They Turn Malicious Kyle Soska Nicolas

Automatically Detecting Vulnerable Sites Before They Turn Malicious Kyle Soska Nicolas Chris&gt;n Carnegie Mellon University Carnegie Mellon University ECE / Cylab ECE / Cylab

491 views • 28 slides
Herbicides (Atrazine and 2,4-D) 25 sites in May Pathogens 113 sites in mid-July 88 sites in

Herbicides (Atrazine and 2,4-D) 25 sites in May Pathogens 113 sites in mid-July 88 sites in

Herbicides (Atrazine and 2,4-D) 25 sites in May Pathogens 113 sites in mid-July 88 sites in mid-August Chemicals and Nutrients 53 sites in September Metals 15 sites in September Total # of KRWW Sites Sampled by Year 300 248 250 231 207

723 views • 44 slides
Empirically Characterizing Domain Abuse and the Revenue Impact of Blacklisting Neha Chachra*,

Empirically Characterizing Domain Abuse and the Revenue Impact of Blacklisting Neha Chachra*,

Empirically Characterizing Domain Abuse and the Revenue Impact of Blacklisting Neha Chachra*, Damon McCoy, Stefan Savage, Geoffrey M. Voelker 2 3 4 5 6 Spam was 70% of total email traffic in 2013 7 buydrugs.com canadianpharmacy.com

686 views • 49 slides
Online version available from http://www.w3.org/2007/Talks/0706-atmedia/ Richard Ishida 1

Online version available from http://www.w3.org/2007/Talks/0706-atmedia/ Richard Ishida 1

International Web Sites Online version available from http://www.w3.org/2007/Talks/0706-atmedia/ Richard Ishida 1 Version: 9 October 2006 International Web Sites Richard Ishida 2 Version: 9 October 2006 International Web Sites

796 views • 79 slides
Experimental study of the effects of Transmission Power Control and Blacklisting in Wireless

Experimental study of the effects of Transmission Power Control and Blacklisting in Wireless

Experimental study of the effects of Transmission Power Control and Blacklisting in Wireless Sensor Networks Dongjin Son, Bhaskar Krishnamachari and John Heidemann Presented by Alexander Lash CS525M Introduction Low-power wireless

288 views • 25 slides
Blacklisting the Blacklist in Digital Advertising Improving Delivery by Bidding for What You Can

Blacklisting the Blacklist in Digital Advertising Improving Delivery by Bidding for What You Can

Blacklisting the Blacklist in Digital Advertising Improving Delivery by Bidding for What You Can Win AdKDD2017 Yeming Shi, Claudia Perlich, Ori Stitelman yshi, claudia, ostitelman@dstillery.com Dstillery, Inc. Outline Introduction

635 views • 17 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

570 views • 22 slides
VOTD: XSS &amp; CSRF Engineering Secure Software Last Revised: September 8, 2020 SWEN-331:

VOTD: XSS &amp; CSRF Engineering Secure Software Last Revised: September 8, 2020 SWEN-331:

VOTD: XSS &amp; CSRF Engineering Secure Software Last Revised: September 8, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 What is XSS? XSS: Cross Site Scripting Injecting malicious scripts into a web page CWE-79

772 views • 12 slides
A Secure Selection and Filt iltering Mechanism for the Network Tim ime Protocol Version 4

A Secure Selection and Filt iltering Mechanism for the Network Tim ime Protocol Version 4

A Secure Selection and Filt iltering Mechanism for the Network Tim ime Protocol Version 4 draft-schiff-ntp-chronos-01 Neta Rozen Schiff, Danny Dolev, Tal Mizrahi, Michael Schapira Reminder: Threat Model The attacker: Controls a large

305 views • 6 slides
On the Potential of Proactive Domain Blacklisting Mrk Flegyhzi, Christian Kreibich and Vern

On the Potential of Proactive Domain Blacklisting Mrk Flegyhzi, Christian Kreibich and Vern

On the Potential of Proactive Domain Blacklisting Mrk Flegyhzi, Christian Kreibich and Vern Paxson ICSI, Berkeley Spam domain registrations Kreibich et al., Spamcraft: An inside look at spam campaign orchestration LEET 2009 (CCIED:

657 views • 40 slides
Defending Against Malicious Socialbots Position Paper Yazan Boshmaf, Ildar Muslukhov,

Defending Against Malicious Socialbots Position Paper Yazan Boshmaf, Ildar Muslukhov,

Key Challenges in Defending Against Malicious Socialbots Position Paper Yazan Boshmaf, Ildar Muslukhov, Konstantin Beznosov, Matei Ripeanu Laboratory for Education and Research in Secure Systems Engineering (LERSSE) Networked Systems

391 views • 36 slides
Secure and version controlled configuration with Puppet, Hiera and GPG Jens Bruer

Secure and version controlled configuration with Puppet, Hiera and GPG Jens Bruer

Secure and version controlled configuration with Puppet, Hiera and GPG Jens Bruer &lt;braeuer.jens@gmail.com&gt; Agenda 1. Background 2. Puppet for infrastructure automation 2.1 Externalize configuration information 2.2 Problems with

239 views • 23 slides
Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

ITS335 Malicious Software Malicious Software Propagation Payload Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October

673 views • 30 slides
How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research &amp; Boston University y Michael Schapira

701 views • 54 slides

More recommend