
Blacklisting Malicious Web Sites using a Secure Version of the DHT - PowerPoint PPT Presentation


  1. Blacklisting Malicious Web Sites using a Secure Version of the DHT Protocol Kademlia
     Philipp C. Heckel, University of Mannheim, 5/26/09

  2. Road Map
     1. General Idea
     2. Application Design
     3. Implementation
     4. Testing

  3. Motivation (1. General Idea)
     [Chart: Total Dollar Loss linked to Internet Fraud in the USA in 2004-2008; y-axis: Loss in Mio. US Dollar (0 to 300); x-axis: 2004, 2005, 2006, 2007, 2008. Source: Internet Crime Complaint Center (IC3), 2008 Annual Report, www.ic3.gov/media/2009/090331.aspx]
     ● Rising Internet crime rates
     ● Less phishing, fewer virus-infected attachments
     ● More malicious Web sites → more drive-by downloads

  4. Initial Situation / Problem Description (1. General Idea)
     [Diagram: the browser sends "GET / HTTP/1.1" with "Host: www.infected.com" to www.infected.com, a malware-infected site]

  5. Solution (1. General Idea)
     [Diagram: the browser (with the according plug-in) asks the URL Blacklisting Service "Is 'www.infected.com' infected?"; the service answers "Yes! 'www.infected.com' is infected!"; the browser displays a warning message: "Warning! Do you really want to open it?"]

  6. Blacklisting Service (1. General Idea)
     [Diagram: a honeynet collects information about malicious Web sites and adds blacklist entries to the URL Blacklisting Service; the browser (with the according plug-in) queries the service]

  7. Related Work (1. General Idea)
     ● Microsoft SmartScreen (IE 8+)
     ● Google Safe Browsing (FF 3+ / Safari 3.2+)

  8. Client-Server vs. Peer-to-Peer (1. General Idea)
     ● Problems in a client-server-based environment:
       ● Limited scalability
       ● Resource limitations (CPU time, RAM, bandwidth, ...)
       ● Synchronization between servers
       ● Data replication
       ● Single point of failure/attack
     ● Peer-to-Peer (P2P):
       ● Scalability by design
       ● Resource flexibility
       ● No single point of failure/attack, no replication, no synchronization

  9. Distributed Hash Tables (1. General Idea)
     Distributed Hash Tables (DHT) ...
     ● are structured P2P networks
     ● define a logical position for each node and entry
     ● store content at specific positions in the network, redundantly
     ● are fault-tolerant and reliable
     Example (Pseudo-Code):
         nodes := locateResponsibleNodes("infected.com");
         foreach nodes as node do
             node.store("infected.com", "infected");

  10. DHT-based Blacklisting Service (1. General Idea)
      [Diagram: a honeynet collects information about malicious Web sites and adds blacklist entries to the DHT-based Blacklisting Service; the browser plug-in queries the service]

  11. DHT-based Blacklisting Service (1. General Idea)
      [Diagram: as on slide 10, but the service is now an access-restricted DHT-based Blacklisting Service with encrypted communication, built on an encrypted and access-restricted distributed hash table; the honeynet adds blacklist entries and the browser plug-in queries the service, both subject to the access restriction and over encrypted communication]

  12. Goals and Requirements (2. Application Design)
      ● Use the honeynet-provided data to create a URL blacklisting service
        ● Handle large amounts of users (concurrency)
        ● Fast queries, low round-trip time (RTT)
        ● Scalable, extendable, reliable
      ● Create a secure and trustworthy DHT protocol, called Kademlia Secure (KadS)
        ● Restricted access
        ● Communication encryption

  13. Underlying DHT Protocol: Kademlia (2. Application Design)
      ● Fault-tolerant design, provable consistency, good performance
      ● Assigns a 160-bit ID to
        ● each node (nodeID)
        ● each DHT entry (key)
      ● Distance is based on the XOR metric
      ● Provides four RPCs:
        ● PING(nodeID)
        ● STORE(key, value)
        ● FIND_NODE(nodeID or key)
        ● FIND_VALUE(key)
      [Figure: nodes placed in the ID space with IDs 10110..., 10100..., 00111..., 11100..., 10101..., 10111...]
      Example (XOR metric):
          id1 := 10111...
          id2 := 10001...
          d(id1, id2) = id1 ⊕ id2 = 00110...
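The XOR metric of slide 13 and the "locate the responsible nodes, then store on each of them" step of slide 9, as an added example in Go. This is not the presentation's code and not the Java KadS implementation it describes; the 8-node in-memory network, the SHA-1 derivation of a 160-bit key from a domain name, and the choice of 3 replicas are constructed assumptions. The example reproduces the slide's 10111... XOR 10001... = 00110... computation and then places an entry on the 3 nodes closest to its key:

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"fmt"
	"sort"
)

// ID is a 160-bit Kademlia identifier, used both for nodeIDs and for entry keys.
type ID [20]byte

// KeyFor maps an entry name to its 160-bit key. Assumption: SHA-1 is used here
// only because it yields 160 bits; the slides do not say how KadS derives keys.
func KeyFor(name string) ID { return sha1.Sum([]byte(name)) }

// Distance is the slide's XOR metric: d(id1, id2) = id1 XOR id2, compared as
// an unsigned 160-bit integer (byte-wise from the most significant byte).
func Distance(a, b ID) ID {
	var d ID
	for i := range a {
		d[i] = a[i] ^ b[i]
	}
	return d
}

// Node is a minimal stand-in for a KadS peer with a local key/value store.
type Node struct {
	ID   ID
	Data map[string]string
}

// Store is the STORE RPC seen from the node: keep (key, value) locally.
func (n *Node) Store(key, value string) {
	if n.Data == nil {
		n.Data = map[string]string{}
	}
	n.Data[key] = value
}

// LocateResponsibleNodes returns the k nodes whose IDs are closest to key
// under the XOR metric (what FIND_NODE converges on; computed locally here
// because every node is in memory).
func LocateResponsibleNodes(nodes []*Node, key ID, k int) []*Node {
	sorted := append([]*Node(nil), nodes...)
	sort.Slice(sorted, func(i, j int) bool {
		di, dj := Distance(sorted[i].ID, key), Distance(sorted[j].ID, key)
		return bytes.Compare(di[:], dj[:]) < 0
	})
	if k > len(sorted) {
		k = len(sorted)
	}
	return sorted[:k]
}

// PutRedundantly is slide 9's pseudo-code: locate the responsible nodes and
// store the entry on each of them, so the entry survives the loss of some.
func PutRedundantly(nodes []*Node, name, value string, k int) []*Node {
	responsible := LocateResponsibleNodes(nodes, KeyFor(name), k)
	for _, n := range responsible {
		n.Store(name, value)
	}
	return responsible
}

// IDFromBits builds an ID from a left-aligned string of '0'/'1' characters,
// to reproduce the slide's example with the prefixes 10111... and 10001...
func IDFromBits(bits string) ID {
	var id ID
	for i, c := range bits {
		if c == '1' {
			id[i/8] |= 1 << uint(7-i%8)
		}
	}
	return id
}

// Bits renders the first n bits of an ID as a '0'/'1' string.
func Bits(id ID, n int) string {
	out := make([]byte, n)
	for i := range out {
		out[i] = '0' + (id[i/8]>>uint(7-i%8))&1
	}
	return string(out)
}

func main() {
	// the slide's example: 10111... XOR 10001... = 00110...
	fmt.Println("d(id1, id2) =", Bits(Distance(IDFromBits("10111"), IDFromBits("10001")), 5))

	var nodes []*Node // constructed 8-node network
	for i := 0; i < 8; i++ {
		nodes = append(nodes, &Node{ID: KeyFor(fmt.Sprintf("node-%d", i))})
	}
	for _, n := range PutRedundantly(nodes, "infected.com", "infected", 3) {
		fmt.Printf("%x... stores infected.com = %s\n", n.ID[:3], n.Data["infected.com"])
	}
}
```

Because the metric is computed from the most significant byte down, the sort picks nodes sharing the longest ID prefix with the key, which is exactly what places an entry at a "logical position" in the network; a node that leaves takes only one of the k copies with it.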

  14. Extending Kademlia: PKI-supported DHT (2. Application Design)
      Kademlia Secure (KadS):
      ● One root CA certificate per network
      ● Each node must possess
        ● a copy of the network's CA
        ● a CA-signed public key certificate
        ● a matching private key
      → Provable Node Identity

  15. Extending Kademlia: PKI-supported DHT (2. Application Design)
      Protocol Extensions:
      ● KadS handshake (TCP)
        ● Exchange public key certificates
        ● Verify each other's identity
        ● Exchange a random session key
      ● Encrypted Messaging (UDP)
        ● Exchange messages using the previously negotiated session key
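The certificate part of the KadS handshake from slides 14 and 15, as an added example in Go (not the presentation's code and not the Java implementation it describes). It sets up the one root CA of a network, issues each node a CA-signed certificate with a matching private key, and has both sides of a handshake verify the presented certificate against their own copy of the CA before a random session key is generated. The ECDSA P-256 keys, the one-day validity window and the 32-byte session key are constructed assumptions; the slide does not say how the session key is protected in transit, so it is simply returned here:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Credentials are what slide 14 requires of every node: a copy of the network
// CA certificate, a CA-signed certificate (DER) and the matching private key.
type Credentials struct {
	CA      *x509.Certificate
	CertDER []byte
	Key     *ecdsa.PrivateKey
}

func mustKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// signCert issues a certificate for pub, signed by signer under parent
// (constructed one-day validity; parent == nil means a self-signed CA).
func signCert(name string, serial int64, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	return der
}

// NewNetworkCA creates the one root CA of a KadS network.
func NewNetworkCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	ca, err := x509.ParseCertificate(signCert("KadS network CA (constructed)", 1, nil, &key.PublicKey, key))
	if err != nil {
		panic(err)
	}
	return ca, key
}

// IssueNodeCert gives a node a key pair and a CA-signed certificate for it.
func IssueNodeCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, serial int64) Credentials {
	key := mustKey()
	return Credentials{CA: ca, CertDER: signCert(name, serial, ca, &key.PublicKey, caKey), Key: key}
}

// VerifyPeer is the handshake's identity check: the presented certificate
// must chain to the network CA this node holds, otherwise the peer is refused.
func VerifyPeer(ca *x509.Certificate, presented []byte) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(presented)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return cert, err
}

// Handshake simulates the TCP KadS handshake of slide 15 between nodes a and b:
// both present their certificate, each verifies the other's against its own
// copy of the CA, and only then is a fresh random session key generated.
func Handshake(a, b Credentials) ([]byte, error) {
	if _, err := VerifyPeer(a.CA, b.CertDER); err != nil {
		return nil, errors.New("A rejects B: " + err.Error())
	}
	if _, err := VerifyPeer(b.CA, a.CertDER); err != nil {
		return nil, errors.New("B rejects A: " + err.Error())
	}
	sessionKey := make([]byte, 32)
	_, err := rand.Read(sessionKey)
	return sessionKey, err
}

func main() {
	ca, caKey := NewNetworkCA()
	n1, n2 := IssueNodeCert(ca, caKey, "node1", 100), IssueNodeCert(ca, caKey, "node2", 101)
	sk, err := Handshake(n1, n2)
	fmt.Printf("session key established: %v (%d bytes)\n", err == nil, len(sk))
}
```

A node certified by some other network's CA fails VerifyPeer on both sides, which is what makes the network access-restricted. Note that presenting a CA-signed certificate alone does not prove possession of the matching private key; a deployment of this design needs the handshake to also have each peer sign a fresh challenge (TLS client authentication does this), which the slide's "verify each other's identity" step is where that would happen.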

  16. Using the KadS Network to create the Blacklisting Service (2. Application Design)
      Blacklisting Service:
      ● KadS node (as distributed data storage)
      ● Client interfaces
        ● for the honeyclients
        ● for the browser plug-ins
      ● Business rules to enforce a specific data structure
      Blacklist Data Structure:
      ● Domain
      ● Expiry Date
      ● Analysis Code
        ● UNKNOWN
        ● FAILED
        ● CLEAN
        ● PARTIALLY_INFECTED
        ● INFECTED
      ● Path List
      Example:
      ● Domain: infected.com
      ● Expiry Date: 01/01/2010
      ● Analysis Code: PARTIALLY_INFECTED
      ● Path List: </bad.html, /worse.html>

  17. Schematic Design of a Blacklist Node (2. Application Design)
      [Diagram only; not reproduced in the text]

  18. Interface DistributedHashMap (3. Implementation)
      public interface DistributedHashMap {
          public void connect(InetSocketAddress address);
          public boolean contains(Identifier key);
          public Serializable get(Identifier key);
          public void put(Identifier key, Serializable value);
          public void remove(Identifier key);
          public void close();
      }

      public class KadS implements DistributedHashMap {
          ...
      }

  19. Example: Using the KadS class (3. Implementation)
      Config config = new Config(new File("nodes/499/config.cfg"));
      KadS kads = new KadS(config);

      /* Connect to existing KadS network (KadS handshake, SK-Exchange) */
      kads.connect(new InetSocketAddress("node1.kads.dyndns.org", 6852));

      /* Add/Update a DHT entry */
      kads.put("cities", new String[] { "Mannheim", "Heidelberg" });

      /* Perform FIND_VALUE-Operation */
      List<Country> countries = (List<Country>) kads.get("countries");

      kads.close();

      nodes/499/config.cfg:
      kads.ca = nodes/ca.cer
      kads.node.cer = nodes/499/node.cer
      kads.node.key = nodes/499/node.key
      kads.port = 6852
      kads.boot.sleep = 2000-10000
      kads.boot.nodelist = nodes/bootstrap.list
      kads.boot.tries = 5

  20. Message Flow in a KadS Node (3. Implementation)
      [Diagram: datagram layout "Sender ID | Encrypted Payload"; the receive loop hands incoming packets to a queue:]
          while (..) {
              serverSocket.receive(packet);
              queue.put(packet);
          }
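The encrypted UDP messaging of slides 15 and 20, as an added example in Go (not the presentation's code and not its Java implementation). The datagram layout is taken from the slide's figure: the sender ID travels in clear so the receiver can select the session key negotiated with that peer, followed by the encrypted payload. AES-256-GCM with a random 12-byte nonce, and binding the sender ID as additional authenticated data, are constructed assumptions; the slides name neither the cipher nor the framing. The receive loop mirrors the slide's, but authenticates before queueing so that tampered, relabelled or unknown-sender packets never reach the message handler:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NodeID is the 160-bit Kademlia node identifier sent in clear at the front of
// every datagram so the receiver can select the matching session key.
type NodeID [20]byte

const nonceLen = 12 // AES-GCM standard nonce size

// Seal builds one datagram: senderID || nonce || AES-GCM(payload). The sender
// ID is bound as additional authenticated data, so a datagram whose ID field
// is swapped for another peer's fails authentication under that peer's key.
func Seal(sender NodeID, sessionKey, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(sender)+nonceLen+len(payload)+gcm.Overhead())
	out = append(append(out, sender[:]...), nonce...)
	return gcm.Seal(out, nonce, payload, sender[:]), nil
}

// Node holds one session key per peer (negotiated in the KadS handshake) and
// the queue the receive loop hands decrypted payloads to.
type Node struct {
	sessions map[NodeID][]byte
	queue    [][]byte
}

func NewNode() *Node { return &Node{sessions: map[NodeID][]byte{}} }

// AddSession records the session key agreed with a peer.
func (n *Node) AddSession(peer NodeID, key []byte) { n.sessions[peer] = key }

// Open authenticates and decrypts one datagram. Unknown senders, truncated
// packets and anything failing the GCM tag check are rejected.
func (n *Node) Open(datagram []byte) ([]byte, error) {
	var sender NodeID
	if len(datagram) < len(sender)+nonceLen {
		return nil, errors.New("datagram too short")
	}
	copy(sender[:], datagram)
	key, ok := n.sessions[sender]
	if !ok {
		return nil, errors.New("no session with this sender")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := datagram[len(sender) : len(sender)+nonceLen]
	return gcm.Open(nil, nonce, datagram[len(sender)+nonceLen:], sender[:])
}

// Receive is the slide's loop (receive packet, put it on the queue), with the
// "socket" replaced by a slice of datagrams and the authentication done before
// queueing. It returns the number of datagrams accepted.
func (n *Node) Receive(socket [][]byte) int {
	accepted := 0
	for _, packet := range socket {
		payload, err := n.Open(packet)
		if err != nil {
			continue // dropped; a real node would count these for monitoring
		}
		n.queue = append(n.queue, payload)
		accepted++
	}
	return accepted
}

// Queue returns the payloads accepted so far.
func (n *Node) Queue() [][]byte { return n.queue }

func main() {
	key := make([]byte, 32) // constructed session key
	rand.Read(key)
	var peer NodeID
	copy(peer[:], "constructed-sender-1")
	receiver := NewNode()
	receiver.AddSession(peer, key)

	good, _ := Seal(peer, key, []byte("FIND_VALUE infected.com"))
	tampered := append([]byte(nil), good...)
	tampered[len(tampered)-1] ^= 1 // flip one bit of the authentication tag
	fmt.Println("accepted:", receiver.Receive([][]byte{good, tampered}))
	for _, p := range receiver.Queue() {
		fmt.Println("queued:", string(p))
	}
}
```

Doing the check in the receive loop rather than in the handler keeps unauthenticated bytes from ever being parsed as a Kademlia RPC, which is the point of putting the encryption below the protocol layer.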

  21. Example: Using the TrustworthyClient class (3. Implementation)
      TrustworthyClient client = new TrustworthyClient("Honey1.cer", "Honey1.key", "BlacklistCA.cer");

      /* Connect to a blacklist node in the network (SSL-Handshake) */
      client.connect(new InetSocketAddress("node1.blacklist.dyndns.org", 7001));

      if (!client.getAccessRights().hasWriteAccess())
          throw new Exception("No write access!");

      /* Store a blacklist entry (via TCP/SSL socket) */
      client.store(new Entry("uni-mannheim.de", Entry.CLEAN));
      client.store(new Entry("uni-heidelberg.de", Entry.INFECTED));
      client.store(new Entry("spiegel.de", Entry.PARTIALLY_INFECTED,
          Arrays.asList(new String[] { "/bad.html", "/infected.html" })));

      /* After all entries are stored, the TCP/SSL socket can be closed */
      client.disconnect();

  22. Example: Using the UntrustworthyClient class (3. Implementation)
      /* Called once when the browser starts */
      public void onBrowserStart() {
          blacklistClient = new UntrustworthyClient("BlacklistCA.cer");

          /* Connect to a blacklist node in the network */
          blacklistClient.connect(new InetSocketAddress("node1.blacklist.dyndns.org", 7001));
      }

      /* Called every time code is loaded from a so far foreign page */
      public void onBeforeOpenWebsite(String domain, String path, ...) {
          Entry entry = blacklistClient.query(domain);

          if (entry.getAnalysisCode() == Entry.INFECTED)
              throw new MaliciousWebsiteException(...);
          ...
      }
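The blacklist data structure of slide 16 together with the plug-in decision of slide 22, as an added example in Go (not the presentation's code and not its Java Entry/UntrustworthyClient classes). It validates an entry the way a blacklist node's "business rules" might before accepting it from a honeyclient, then answers the plug-in's question for a domain and path. The rules themselves, the in-memory map standing in for the DHT query, and the handling of PARTIALLY_INFECTED paths and of expired entries (treated like UNKNOWN) are assumptions that go beyond the slide, which only shows the INFECTED case; the entry data and the date 5/26/09 are taken from the slides:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// AnalysisCode is the honeyclient's verdict for a domain (slide 16).
type AnalysisCode int

const (
	UNKNOWN AnalysisCode = iota
	FAILED
	CLEAN
	PARTIALLY_INFECTED
	INFECTED
)

// Entry is the blacklist data structure from slide 16.
type Entry struct {
	Domain   string
	Expiry   time.Time
	Code     AnalysisCode
	PathList []string // only meaningful for PARTIALLY_INFECTED
}

// Validate enforces business rules before an entry is stored. The rules are
// assumptions; the slide only states that such rules exist.
func Validate(e Entry, now time.Time) error {
	d := strings.ToLower(strings.TrimSpace(e.Domain))
	if d == "" || strings.ContainsAny(d, "/ :") {
		return errors.New("domain must be a bare host name")
	}
	if !e.Expiry.After(now) {
		return errors.New("expiry date must lie in the future")
	}
	if e.Code < UNKNOWN || e.Code > INFECTED {
		return errors.New("unknown analysis code")
	}
	if e.Code == PARTIALLY_INFECTED && len(e.PathList) == 0 {
		return errors.New("PARTIALLY_INFECTED requires a path list")
	}
	if e.Code != PARTIALLY_INFECTED && len(e.PathList) > 0 {
		return errors.New("a path list is only allowed for PARTIALLY_INFECTED")
	}
	for _, p := range e.PathList {
		if !strings.HasPrefix(p, "/") {
			return errors.New("paths must be absolute: " + p)
		}
	}
	return nil
}

// Blacklist stands in for the DHT lookup behind UntrustworthyClient.query(domain).
type Blacklist map[string]Entry

func (b Blacklist) Query(domain string) (Entry, bool) {
	e, ok := b[strings.ToLower(domain)]
	return e, ok
}

// Decision is what the plug-in does before the browser opens domain/path.
type Decision string

const (
	Allow = Decision("allow")
	Warn  = Decision("warn")
)

// ShouldWarn extends slide 22's check: INFECTED always warns, PARTIALLY_INFECTED
// warns only for a listed path, and a missing or expired entry is treated as
// UNKNOWN (assumption), so stale verdicts do not keep blocking a cleaned site.
func ShouldWarn(b Blacklist, domain, path string, now time.Time) Decision {
	e, ok := b.Query(domain)
	if !ok || !e.Expiry.After(now) {
		return Allow
	}
	switch e.Code {
	case INFECTED:
		return Warn
	case PARTIALLY_INFECTED:
		for _, p := range e.PathList {
			if path == p {
				return Warn
			}
		}
	}
	return Allow
}

func main() {
	now := time.Date(2009, 5, 26, 0, 0, 0, 0, time.UTC) // the presentation date
	example := Entry{ // the example entry from slide 16
		Domain:   "infected.com",
		Expiry:   time.Date(2010, 1, 1, 0, 0, 0, 0, time.UTC),
		Code:     PARTIALLY_INFECTED,
		PathList: []string{"/bad.html", "/worse.html"},
	}
	fmt.Println("entry valid:", Validate(example, now) == nil)
	bl := Blacklist{example.Domain: example}
	fmt.Println(ShouldWarn(bl, "infected.com", "/bad.html", now))
	fmt.Println(ShouldWarn(bl, "infected.com", "/index.html", now))
	fmt.Println(ShouldWarn(bl, "infected.com", "/bad.html", now.AddDate(1, 0, 0)))
}
```

Keeping the expiry check on the client side as well as in the node's validation means a plug-in that receives a replayed or long-cached entry still makes a time-bounded decision.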

  23. Average RTT of KadS' put-Operation (4. Testing)
      [Chart: Avg. put-Speed relative to the Network Size in a LAN of 10, 45 and 225 nodes; y-axis: ms per put-operation (0 to 40); series: 10-node network, 45-node network, 225-node network]
      ● How fast is the KadS network?
      ● Is the speed dependent on the network size?
