host based anomaly detection for webservers
play

Host based anomaly detection for webservers RP1 Sudesh Jethoe - PowerPoint PPT Presentation

Nov 10, 2023 •15 likes •295 views

Host based anomaly detection for webservers RP1 Sudesh Jethoe Overview 1. Introduction 2. Problem description 3. Research Questions & Method 4. Analyze 5. Solutions 6. Result 7. Conclusion Introduction Byte Internet Since 1999

  1. Host based anomaly detection for webservers RP1 Sudesh Jethoe

  2. Overview 1. Introduction 2. Problem description 3. Research Questions & Method 4. Analyze 5. Solutions 6. Result 7. Conclusion

  3. Introduction

  4. Byte Internet ● Since 1999 ● Managed hosting ○ Shared hosting ● 10.000+ sites ○

  5. Overview 1. Introduction 2. Problem description 3. Research Questions & Method 4. Analyze 5. Solutions 6. Result 7. Conclusion

  6. Problem description Facts: ● Sites get hacked ● Sites get abused ○ spam ○ malware distribution ○ (d)dos

  7. Cause? old versions of: ● frameworks ● plugins weak passwords

  8. What can customers do ● Update web application frameworks ○ Joomla, Wordpress ● Avoid buggy plugins ○ guestbook, photoalbum ● Use encrypted channels for data-transport ssh vs ftp

  9. Why customers do not: Dependency on customers ● Unaware ● Don't know how ● Don't want to risk it ● Unable/unwilling to pay for security measures

  10. Overview 1. Introduction 2. Problem description 3. Research Questions & Method 4. Analyze 5. Solutions 6. Result 7. Conclusion

  11. Research Questions Can we develop a method which detects interactive malware (for example a webshell) running on servers in a shared hosting environment? ○ What are the characteristics of this kind of malware? ○ How can the characteristics be used to detect this malware? ○ How do existing solutions detect this malware? ○ Can we make use of existing frameworks for the detection and prevention in a hosting providers environment?

  12. Method ● Collect malware ● Run it in a controlled environment ● Collect logs ● Review existing solutions ● Integrate method in a suitable solution

  13. Overview 1. Introduction 2. Problem description 3. Research Questions & Method 4. Analyze 5. Solutions 6. Result 7. Conclusion

  14. Cases (1/3) johanstegels.nl & webcast.nl <form method=\" POST \" action=\"{$fstring}& amp;action=save&amp;chdir={$chdir}&amp;file={$file}\"> randomstream.nl 188.142.*.* - - [25/Oct/2012:11:37:11 +0200] " POST /webshell.php?http://www.education.zp. ua/images/down.jpg? &action=cmd&chdir=/home/users/randrftp/ra ndomstream.nl/ HTTP/1.1" 200 3835 "http: //randomstream.nl/webshell.php?http://www. education.zp.ua/images/down.jpg? &action=cmd&chdir=/home/users/randrftp/ra ndomstream.nl/" "Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0"

  15. Cases (2/3) florian.nl indx.php switch($_POST['action']) { case "upload":UploadFile($_FILES['file']); break; case "stop":stoped(); break; **snip** } 46.21.*.* web10.c4 www.florian.nl - - [18/Oct/2012:14:34:19 +0200] " POST /shop//langs/nl/indx.php HTTP/1.1" 200 - "-" "-" "-" "-" 46.21.145.228 florian.nl pid:31699 1608779 0 0 32002 36002

  16. Cases (3/3) liverunning.nl

  17. Cases (3/3) liverunning.nl 199.15.*.* web8.c2 liverunning.nl - - [18/Oct/2012:12:05:39 +0200] " POST /index.php ? option= com_phocaguestbook &view=phocaguestbook&id =2&Itemid=248 HTTP/1.0" 200 25805 "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1" "-" "-" 199.15.*.* liverunning.nl

  18. Analyze 1. Hacker abuses exploit 2. Hacker uploads malicious script 3. Hacker instructs script a. POST is used i. no character limit ii. content not shown in log 4. Malicious script is executed

  19. Detect? POST analysis 7 sites, 7 days Site urls POSTed to real files POSTed to sc****** 451 13 it****** 37 0 fa****** 198 12 de****** 0 0 dm***** 410 0 aa***** 344 1 aa****** 130 2

  20. Overview 1. Introduction 2. Problem description 3. Research Questions & Method 4. Analyze 5. Solutions 6. Result 7. Conclusion

  21. Solutions (Hosting Provider) ● Network Intrusion Detection Systems (NIDS) ● Web Application Firewalls (WAF) ● Host Intrusion Detection Systems

  22. Byte Internals

  23. Solutions (Hosting Provider) Network Intrusion Detection System + Can detect (and block) uploads in early stages - Does not work on encrypted channels - Depends on signatures (only detects known malware) Web Application Firewalls + Can be finetuned to look for specific instructions - Inspection takes time and slows visitor experience Host Intrusion Detection Systems + Integrated tools for checking various system variables (files,logs) - Not suitable for working over a LAN

  24. Overview 1. Introduction 2. Problem description 3. Research Questions & Method 4. Analyze 5. Solutions 6. Result 7. Conclusion

  25. Result byte-security-POST-IDS 1. generate whitelist of files which can be posted to 2. tail access.log 3. grep POST 4. test files for: a. included in whitelist i. modifications 5. alert

  26. Overview 1. Introduction 2. Problem description 3. Research Questions & Method 4. Analyze 5. Solutions 6. Result 7. Conclusion

  27. Conclusion ● malicious scripts can be detected ● not suitable for attacks on indirect urls

  28. Future work ● Tweak whitelist flagging ○ Who maintains the whitelist? ■ Site maintainers ■ The hosting provider ■ An algorithm? ● Read rewrite rules to find more files ○ For example by enabling mod_rewrite logging in Apache

Recommend

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier) in a dataset is an instance that is abnormal or unlikely based on the rest of the dataset If the instances in the dataset are labeled as

760 views • 19 slides
In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong,

In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong,

In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong, Alan Fern, Thomas G. Dietterich and Md Amran Siddiqui School of EECS Anomaly Detection Goal: Identify rare or strange objects 2 Anomaly

756 views • 51 slides
Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and Mohammad Zulkernine School of Computing Queens University, Kingston Ontario, Canada K7L 3N6 {zhang, mzulker} @cs.queensu.ca Abstract- Anomaly

284 views • 6 slides
An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar,

An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar,

An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar, David Andersen, Hyong Kim, Hui Zhang Carnegie Mellon University Entropy-based Anomaly Detection Goal: detect abnormal behavior scan activity,

447 views • 34 slides
What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

DataCamp Anomaly Detection in R ANOMALY DETECTION IN R What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining the term anomaly Anomaly: a data point or collection of data points that do not follow the

870 views • 21 slides
Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative Anomaly Detection Motivation Developing an anomaly detection system Anomaly detection vs. supervised learning Choosing what features

514 views • 34 slides
Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier Detection Automatically identify data points that are somehow different from the rest Working assumption: There are considerably

984 views • 72 slides
Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier Detection Automatically identify data points that are somehow different from the rest Working assumption: There are considerably

905 views • 74 slides
Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

ITS335 Intrusion Detection Intruders Intrusion Detection Host-Based Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots Summary Sirindhorn International Institute of Technology Thammasat University

585 views • 30 slides
Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State

Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State

Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State University Computer Science outline background experimental flow tuples botnet server mesh detection botnet client mesh detection

364 views • 23 slides
Anomaly Detection on User-agents Peter van Bolhuis Overview Introduction Research

Anomaly Detection on User-agents Peter van Bolhuis Overview Introduction Research

Anomaly Detection on User-agents Peter van Bolhuis Overview Introduction Research Question User-agents Scoring host anomalies Verification Conclusion Anomaly Detection on User-agents 2 Introduction Methods

574 views • 16 slides
PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS

PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS

PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS DAMIANO BOLZONI, SANDRO ETALLE AND PIETER HARTEL DISTRIBUTED AND EMBEDDED SECURITY GROUP TWENTE SECURITY LAB 10+ YEARS OF RESEARCH OVER ANOMALY

160 views • 14 slides
Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview Prior Work in Network Anomaly Detection The 1999 DARPA Intrusion Detection Evaluation Packet Header Anomaly Detection (PHAD) Application

575 views • 18 slides
&lt;Title&gt; Yiqun Hu, SP Group Agenda Condition monitoring &amp; anomaly detection

&lt;Title&gt; Yiqun Hu, SP Group Agenda Condition monitoring &amp; anomaly detection

Data Council Singapre 2019 Autoencoder Forest for Anomaly Detection from IoT Time Series &lt;Title&gt; Yiqun Hu, SP Group Agenda Condition monitoring &amp; anomaly detection Autoencoder for anomaly detection Autoencoder

540 views • 27 slides
Dataflow Anomaly Detection Presented By Archana Viswanath Computer Science and Engineering The

Dataflow Anomaly Detection Presented By Archana Viswanath Computer Science and Engineering The

Dataflow Anomaly Detection Presented By Archana Viswanath Computer Science and Engineering The Pennsylvania State University Anomaly Intrusion Detection Systems Anomaly Intrusion Detection Systems Model normal behavior. Attack - Any

417 views • 20 slides
Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran Intrusion detection

Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran Intrusion detection

Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran Intrusion detection Systems Signature Based IDS Monitor packets on the network Compare them against database of signatures/attributes from known threats

476 views • 26 slides
Robust and Unsupervised KPI Anomaly Detection Based on Conditional Variational Autoencoder Zeyan

Robust and Unsupervised KPI Anomaly Detection Based on Conditional Variational Autoencoder Zeyan

Robust and Unsupervised KPI Anomaly Detection Based on Conditional Variational Autoencoder Zeyan Li , Wenxiao Chen, Dan Pei Department of Computer Science and Technology Tsinghua University November 18, 2018 1/37 Table of Contents 1 Background

573 views • 41 slides
An Incremental Learner for Language-Based Anomaly Detection in XML Harald Lampesberger

An Incremental Learner for Language-Based Anomaly Detection in XML Harald Lampesberger

An Incremental Learner for Language-Based Anomaly Detection in XML Harald Lampesberger Department of Secure Information Systems University of Applied Sciences Upper Austria harald.lampesberger@fh-hagenberg.at LangSec Workshop, 26. May 2016

526 views • 20 slides
Efficient Anomaly Detection by Isolation using Nearest Neighbour Ensemble Tharindu

Efficient Anomaly Detection by Isolation using Nearest Neighbour Ensemble Tharindu

Information Technology Efficient Anomaly Detection by Isolation using Nearest Neighbour Ensemble Tharindu Rukshan Bandaragoda Kai Ming Ting David Albrecht Fei Tony Liu Jonathan R. Wells Outline Overview of anomaly detection

657 views • 41 slides
Automatic Failure Diagnosis based on Timing Behavior Anomaly Detection in Distributed Java Web

Automatic Failure Diagnosis based on Timing Behavior Anomaly Detection in Distributed Java Web

Automatic Failure Diagnosis based on Timing Behavior Anomaly Detection in Distributed Java Web Applications Diploma Thesis Presentation Nina S. Marwede Abteilung Software Engineering Fakultt II Department fr Informatik August 26, 2008

654 views • 41 slides
Memristor Based Autoencoder for Unsupervised Real-Time Network Intrusion and Anomaly Detection

Memristor Based Autoencoder for Unsupervised Real-Time Network Intrusion and Anomaly Detection

Memristor Based Autoencoder for Unsupervised Real-Time Network Intrusion and Anomaly Detection Md. Shahanur Alam, B. Rasitha Fernando, Yassine Jaoudi, Chris Yakopcic, Raqibul Hasan, Tarek M. Taha, and Guru Subramanyam Dept. Of Electrical and

428 views • 19 slides
Evaluation of Anomaly Detection Method based on Pattern Recognition Romain Fontugne The

Evaluation of Anomaly Detection Method based on Pattern Recognition Romain Fontugne The

Evaluation of Anomaly Detection Method based on Pattern Recognition Romain Fontugne The Graduate University for Advanced Studies Yosuke Himura The University of Tokyo Kensuke Fukuda National Institute of Informatics CNRS-Wide

443 views • 18 slides
Mimicry Attacks on Host- Based Intrusion Detection David Wagner Paolo Soto University of

Mimicry Attacks on Host- Based Intrusion Detection David Wagner Paolo Soto University of

Mimicry Attacks on Host- Based Intrusion Detection David Wagner Paolo Soto University of California at Berkeley Preview The topic of this talk: How do we evaluate the security of a host-based IDS against sophisticated attempts to

308 views • 14 slides

More recommend