host based anomaly detection for webservers
play

Host based anomaly detection for webservers RP1 Sudesh Jethoe - PowerPoint PPT Presentation

Nov 10, 2023 •15 likes •295 views

Host based anomaly detection for webservers RP1 Sudesh Jethoe Overview 1. Introduction 2. Problem description 3. Research Questions & Method 4. Analyze 5. Solutions 6. Result 7. Conclusion Introduction Byte Internet Since 1999

  1. Host based anomaly detection for webservers RP1 Sudesh Jethoe

  2. Overview 1. Introduction 2. Problem description 3. Research Questions & Method 4. Analyze 5. Solutions 6. Result 7. Conclusion

  3. Introduction

  4. Byte Internet ● Since 1999 ● Managed hosting ○ Shared hosting ● 10.000+ sites ○

  5. Overview 1. Introduction 2. Problem description 3. Research Questions & Method 4. Analyze 5. Solutions 6. Result 7. Conclusion

  6. Problem description Facts: ● Sites get hacked ● Sites get abused ○ spam ○ malware distribution ○ (d)dos

  7. Cause? old versions of: ● frameworks ● plugins weak passwords

  8. What can customers do ● Update web application frameworks ○ Joomla, Wordpress ● Avoid buggy plugins ○ guestbook, photoalbum ● Use encrypted channels for data-transport ssh vs ftp

  9. Why customers do not: Dependency on customers ● Unaware ● Don't know how ● Don't want to risk it ● Unable/unwilling to pay for security measures

  10. Overview 1. Introduction 2. Problem description 3. Research Questions & Method 4. Analyze 5. Solutions 6. Result 7. Conclusion

  11. Research Questions Can we develop a method which detects interactive malware (for example a webshell) running on servers in a shared hosting environment? ○ What are the characteristics of this kind of malware? ○ How can the characteristics be used to detect this malware? ○ How do existing solutions detect this malware? ○ Can we make use of existing frameworks for the detection and prevention in a hosting providers environment?

  12. Method ● Collect malware ● Run it in a controlled environment ● Collect logs ● Review existing solutions ● Integrate method in a suitable solution

  13. Overview 1. Introduction 2. Problem description 3. Research Questions & Method 4. Analyze 5. Solutions 6. Result 7. Conclusion

  14. Cases (1/3) johanstegels.nl & webcast.nl <form method=\" POST \" action=\"{$fstring}& amp;action=save&amp;chdir={$chdir}&amp;file={$file}\"> randomstream.nl 188.142.*.* - - [25/Oct/2012:11:37:11 +0200] " POST /webshell.php?http://www.education.zp. ua/images/down.jpg? &action=cmd&chdir=/home/users/randrftp/ra ndomstream.nl/ HTTP/1.1" 200 3835 "http: //randomstream.nl/webshell.php?http://www. education.zp.ua/images/down.jpg? &action=cmd&chdir=/home/users/randrftp/ra ndomstream.nl/" "Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0"

  15. Cases (2/3) florian.nl indx.php switch($_POST['action']) { case "upload":UploadFile($_FILES['file']); break; case "stop":stoped(); break; **snip** } 46.21.*.* web10.c4 www.florian.nl - - [18/Oct/2012:14:34:19 +0200] " POST /shop//langs/nl/indx.php HTTP/1.1" 200 - "-" "-" "-" "-" 46.21.145.228 florian.nl pid:31699 1608779 0 0 32002 36002

  16. Cases (3/3) liverunning.nl

  17. Cases (3/3) liverunning.nl 199.15.*.* web8.c2 liverunning.nl - - [18/Oct/2012:12:05:39 +0200] " POST /index.php ? option= com_phocaguestbook &view=phocaguestbook&id =2&Itemid=248 HTTP/1.0" 200 25805 "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1" "-" "-" 199.15.*.* liverunning.nl

  18. Analyze 1. Hacker abuses exploit 2. Hacker uploads malicious script 3. Hacker instructs script a. POST is used i. no character limit ii. content not shown in log 4. Malicious script is executed

  19. Detect? POST analysis 7 sites, 7 days Site urls POSTed to real files POSTed to sc****** 451 13 it****** 37 0 fa****** 198 12 de****** 0 0 dm***** 410 0 aa***** 344 1 aa****** 130 2

  20. Overview 1. Introduction 2. Problem description 3. Research Questions & Method 4. Analyze 5. Solutions 6. Result 7. Conclusion

  21. Solutions (Hosting Provider) ● Network Intrusion Detection Systems (NIDS) ● Web Application Firewalls (WAF) ● Host Intrusion Detection Systems

  22. Byte Internals

  23. Solutions (Hosting Provider) Network Intrusion Detection System + Can detect (and block) uploads in early stages - Does not work on encrypted channels - Depends on signatures (only detects known malware) Web Application Firewalls + Can be finetuned to look for specific instructions - Inspection takes time and slows visitor experience Host Intrusion Detection Systems + Integrated tools for checking various system variables (files,logs) - Not suitable for working over a LAN

  24. Overview 1. Introduction 2. Problem description 3. Research Questions & Method 4. Analyze 5. Solutions 6. Result 7. Conclusion

  25. Result byte-security-POST-IDS 1. generate whitelist of files which can be posted to 2. tail access.log 3. grep POST 4. test files for: a. included in whitelist i. modifications 5. alert

  26. Overview 1. Introduction 2. Problem description 3. Research Questions & Method 4. Analyze 5. Solutions 6. Result 7. Conclusion

  27. Conclusion ● malicious scripts can be detected ● not suitable for attacks on indirect urls

  28. Future work ● Tweak whitelist flagging ○ Who maintains the whitelist? ■ Site maintainers ■ The hosting provider ■ An algorithm? ● Read rewrite rules to find more files ○ For example by enabling mod_rewrite logging in Apache

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier) in a dataset is an instance that is abnormal or unlikely based on the rest of the dataset If the instances in the dataset are labeled as

760 views • 19 slides
In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong,

In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong,

In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong, Alan Fern, Thomas G. Dietterich and Md Amran Siddiqui School of EECS Anomaly Detection Goal: Identify rare or strange objects 2 Anomaly

756 views • 51 slides
Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and Mohammad Zulkernine School of Computing Queens University, Kingston Ontario, Canada K7L 3N6 {zhang, mzulker} @cs.queensu.ca Abstract- Anomaly

284 views • 6 slides
An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar,

An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar,

An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar, David Andersen, Hyong Kim, Hui Zhang Carnegie Mellon University Entropy-based Anomaly Detection Goal: detect abnormal behavior scan activity,

447 views • 34 slides
What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

DataCamp Anomaly Detection in R ANOMALY DETECTION IN R What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining the term anomaly Anomaly: a data point or collection of data points that do not follow the

870 views • 21 slides
Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative Anomaly Detection Motivation Developing an anomaly detection system Anomaly detection vs. supervised learning Choosing what features

514 views • 34 slides
Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier Detection Automatically identify data points that are somehow different from the rest Working assumption: There are considerably

984 views • 72 slides
Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier Detection Automatically identify data points that are somehow different from the rest Working assumption: There are considerably

905 views • 74 slides
Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

ITS335 Intrusion Detection Intruders Intrusion Detection Host-Based Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots Summary Sirindhorn International Institute of Technology Thammasat University

583 views • 30 slides
Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State

Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State

Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State University Computer Science outline background experimental flow tuples botnet server mesh detection botnet client mesh detection

364 views • 23 slides
Anomaly Detection on User-agents Peter van Bolhuis Overview Introduction Research

Anomaly Detection on User-agents Peter van Bolhuis Overview Introduction Research

Anomaly Detection on User-agents Peter van Bolhuis Overview Introduction Research Question User-agents Scoring host anomalies Verification Conclusion Anomaly Detection on User-agents 2 Introduction Methods

574 views • 16 slides
PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS

PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS

PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS DAMIANO BOLZONI, SANDRO ETALLE AND PIETER HARTEL DISTRIBUTED AND EMBEDDED SECURITY GROUP TWENTE SECURITY LAB 10+ YEARS OF RESEARCH OVER ANOMALY

160 views • 14 slides
Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview Prior Work in Network Anomaly Detection The 1999 DARPA Intrusion Detection Evaluation Packet Header Anomaly Detection (PHAD) Application

575 views • 18 slides
&lt;Title&gt; Yiqun Hu, SP Group Agenda Condition monitoring &amp; anomaly detection

&lt;Title&gt; Yiqun Hu, SP Group Agenda Condition monitoring &amp; anomaly detection

Data Council Singapre 2019 Autoencoder Forest for Anomaly Detection from IoT Time Series &lt;Title&gt; Yiqun Hu, SP Group Agenda Condition monitoring &amp; anomaly detection Autoencoder for anomaly detection Autoencoder

540 views • 27 slides
Dataflow Anomaly Detection Presented By Archana Viswanath Computer Science and Engineering The

Dataflow Anomaly Detection Presented By Archana Viswanath Computer Science and Engineering The

Dataflow Anomaly Detection Presented By Archana Viswanath Computer Science and Engineering The Pennsylvania State University Anomaly Intrusion Detection Systems Anomaly Intrusion Detection Systems Model normal behavior. Attack - Any

417 views • 20 slides
terri schmit www.thegourdgirl.com 608.437.1944 Great for crafting and art Relatively

terri schmit www.thegourdgirl.com 608.437.1944 Great for crafting and art Relatively

terri schmit www.thegourdgirl.com 608.437.1944 Great for crafting and art Relatively easy to impress children with their size Terrific trellised plant, especially to cover an unsightly building or wall To sell but dont

394 views • 28 slides
April 2017 PGM:TSX-V FORWARD LOOKING STATEMENT Cautionary Statement on Forward-Looking

April 2017 PGM:TSX-V FORWARD LOOKING STATEMENT Cautionary Statement on Forward-Looking

April 2017 PGM:TSX-V FORWARD LOOKING STATEMENT Cautionary Statement on Forward-Looking Information &amp; Statements This presentation contains certain forward-looking information and statements which may not be based on fact, including without

316 views • 30 slides
s~~tl::~ (Formerly known as InfibeqflFiiftol;Jl,Oration Limited) Vice President &amp;

s~~tl::~ (Formerly known as InfibeqflFiiftol;Jl,Oration Limited) Vice President &amp;

IN FI BEAM&quot;' AVENUES May 31, 2019 BSE Limited National Stock Exchange of India Limited Phiroze Jeejeebhoy Towers, Exchange Plaza, Dalal Street, Fort, Bandra Kurla Complex, Mumbai - 400 001 Bandra (East), Mumbai - 400 051 Company Code

926 views • 45 slides
path to SEO success Stephen Stanczak Ondyr Marketing May 8, 2019 Slides: Ondyr.com/slides

path to SEO success Stephen Stanczak Ondyr Marketing May 8, 2019 Slides: Ondyr.com/slides

Schema markup, your new path to SEO success Stephen Stanczak Ondyr Marketing May 8, 2019 Slides: Ondyr.com/slides Social: @ondyrmarketing Agenda Background What is Schema Rich Results Benefits of Schema How to Get Started Case Study

831 views • 61 slides
Commercial Structure For Independent Transmission June 11, 2012 Bringing Energy Forw ard LS

Commercial Structure For Independent Transmission June 11, 2012 Bringing Energy Forw ard LS

Commercial Structure For Independent Transmission June 11, 2012 Bringing Energy Forw ard LS Power Pow er Transm ission Acquisition Generation Over 25,000 MW of 235-mile, 500 kV ON Line Over $4 billion in private

425 views • 9 slides
SOST Publications and Presentations 2019, 2020 (Last updated - 24 February 2020) Department of

SOST Publications and Presentations 2019, 2020 (Last updated - 24 February 2020) Department of

SOST Publications and Presentations 2019, 2020 (Last updated - 24 February 2020) Department of Science Publications 2020 Anirudh Singh Journal Publications 1. Prasad, S. S., Singh, A. , Prasad, S., (2020) Degummed Pongamia oil- Ethanol

213 views • 9 slides
SANDSTORM ACQUIRES 56 ROYALTIES FROM TECK FOR US$22 MILLION CAUTIONARY NOTE REGARDING

SANDSTORM ACQUIRES 56 ROYALTIES FROM TECK FOR US$22 MILLION CAUTIONARY NOTE REGARDING

SANDSTORM ACQUIRES 56 ROYALTIES FROM TECK FOR US$22 MILLION CAUTIONARY NOTE REGARDING FORWARD-LOOKING INFORMATION Except for the statements of historical fact contained herein, the information presented constitutes &quot;forward-looking

380 views • 17 slides
An SEO for Recruitment Fireside Chat Maren Hogan &amp; Patrick Lynch 1 Patrick Lynch

An SEO for Recruitment Fireside Chat Maren Hogan &amp; Patrick Lynch 1 Patrick Lynch

An SEO for Recruitment Fireside Chat Maren Hogan &amp; Patrick Lynch 1 Patrick Lynch President - CMP Southeast Maren Hogan CEO and Founder of Red Branch Media 2 Straightforward questions, statistics-backed answers and how this impacts

282 views • 26 slides

More recommend