XXII Cycle
March 2009
Abstract
Computer security is all about the weakest point in the information processing chain. Nowadays, the Internet is the principal vector for information processing and exchange, and the web-based architecture represents the de-facto standard for accessing Internet services. Web users (browsers) and server-side web applications are typically the weakest points in the information processing realized through the Internet. In this thesis we present two research works, namely Flux Buster and Web Guardian. We will show that these systems may significantly contribute to the security of web browsers and web servers (and applications), i.e. the typical weak points. Thus, our research works may improve computer security on the Internet.
Moreover, we will critically review the general role of intrusion detection. Intrusion Detection Systems (IDS) must learn and operate in an adversarial, hostile environment. As soon as an IDS is deployed, it becomes a component of the protected system/network. This aspect is worth noting because, like any other component, the IDS itself may be attacked. Unfortunately, this problem is really complex and the overall picture is still unclear. On the contrary, awareness of this threat is a necessary condition to improve current (and future) IDS solutions. We will critically study the ways a skilled attacker may follow to attack an IDS, in each component of its design. Then we will review and propose possible solutions to address these issues. We will finally give the reader a reference scheme to support the design of adversary-aware IDS solutions.
We will highlight that the architecture of Flux Buster and Web Guardian reflects many key points of adversary-aware IDS solutions. In particular, our general analysis will be used to better understand the possible limitations of these systems and to identify possible ways of improvement.
1 Introduction 1
1.1 Computer Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 Security assurance process . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 Intrusion Detection Systems . . . . . . . . . . . . . . . . . . . . . . . 4
1.3.1 Intrusion Detection as a Pattern Recognition Task . . . . . . 7
Bibliography 141
Chapter 1
Introduction
Figure 1.1: The so-called pyramid of Maslow, showing the more basic human needs at the bottom. Safety (security) is clearly one of the most important needs. Source: Wikipedia.
The need for safety [Maslow (1943)] is widely recognized among the more basic
human needs (see Fig. 1.1). Computer security (safety) is among the basic needs for
today's Internet users and on-line organizations, as well. In this thesis we present
our research work, which aims at satisfying this need. This work has been performed over a three-year period and is mainly related to two problems of computer security: (1) detection of security violations and (2) counteraction.
This chapter is dedicated to introducing the reader to some basic concepts that we will use as reference throughout the thesis. Here we will define (a) the concept of computer security, (b) the security assurance process, and (c) the formulation of intrusion detection. Then, in Chapter 2, we discuss current critical aspects of today's Internet security. In that chapter we motivate and outline our research work.
Hence, the information processing and exchange must comply with some specifications, namely security policies. Computer security reflects how well such policies may be guaranteed by information systems.
An intrusion (i.e. attack) is the violation of one or more security policies (a security violation), due to a security vulnerability. Malicious activity may denote either an intrusion or an intrusion attempt.
Prevention prefigures the employment of best practices for software and hardware engineering, in agreement with security policies. Unfortunately, information systems are becoming more and more complex. Moreover, the typical goal is to reduce the time to market as much as possible. These two conditions explain why the development task is inherently error-prone [Perks (2006)]. Furthermore,
Figure 1.2: The security assurance process can be viewed as a control system.
it is common that functional constraints and security policies are not in agreement. So, a trade-off between functional constraints and security policies must be attained [Ben-Asher (2009)]. Of course, prevention of security violations in information systems is deeply influenced by the humans who manage and use them.
On the other hand, information systems are only (and should be considered as) instruments of human beings [Asimov (1956)]. As pointed out by Kevin Mitnick, one of the world's most famous hackers exploiting human vulnerabilities:
One cannot buy an expensive box and assume all problems are solved. It all comes down to worker training and constant, diligent efforts on the part of all workers in a company to achieve a reasonable level of information security.
Figure 1.3: Key IDS components, according to the Common Intrusion Detection
Framework [CIDF].
the main reason why intrusion detection is currently an active research field (and the object of this thesis).
• event box, which catches and represents events occurring on the information system in a predefined way; for example, it may catch packets flowing through a network node: for each packet, it may produce a variable (packet event) containing all packet fields.
• analysis box, which analyzes low-level events (e.g. packet events), looking for evidence of security violations or attack attempts; for example, it may raise an alert if current packet events match against (packet events identifying) known attacks.
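The interplay between the two boxes can be sketched in a few lines of Python. This is a toy illustration with hypothetical class and field names (the CIDF does not prescribe any concrete interface): the event box turns raw packets into structured packet events, and the analysis box matches them against known-attack signatures.

```python
from dataclasses import dataclass

# Hypothetical, simplified packet event produced by the event box.
@dataclass(frozen=True)
class PacketEvent:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes

class EventBox:
    """Catches raw packets and represents them as predefined events."""
    def capture(self, raw_packet: dict) -> PacketEvent:
        return PacketEvent(
            src_ip=raw_packet["src"],
            dst_ip=raw_packet["dst"],
            dst_port=raw_packet["dport"],
            payload=raw_packet["data"],
        )

class AnalysisBox:
    """Matches events against known-attack signatures (misuse detection)."""
    def __init__(self, signatures):
        self.signatures = signatures  # list of byte patterns

    def analyze(self, event: PacketEvent):
        for sig in self.signatures:
            if sig in event.payload:
                return f"ALERT: signature {sig!r} matched from {event.src_ip}"
        return None  # no evidence of a security violation
```

In this sketch, a request whose payload contains a signature such as `b"/etc/passwd"` would raise an alert, while an ordinary request would not.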
It is worth noting that most commercial IDS products are called Intrusion Prevention Systems (e.g. [Cisco IPS] [TippingPoint IPS] [IBM ISS IPS] [Sourcefire IPS]). This term is more appealing, but such products fit exactly the CIDF definition of IDS.
Classes IDS are usually subdivided into different classes, depending either on the input data or on the detection method:
Each of these classes has complementary pros and cons. This is the reason why modern IDS solutions may fit in more than one class: they may collect both network and host events, and employ a mixture of the two detection methods.
Thus, an advanced knowledge of the pros and cons of each of the above classes is of paramount relevance for developing any IDS solution. We will discuss this in more detail in Chapter 5.
accuracy how well the IDS is able to distinguish between malicious and legitimate
activities.
throughput amount of events per unit of time that the IDS is able to analyze.
However, the other properties are very important as well, and they may influence the actual accuracy (and effectiveness) of the IDS. The IDS environment is prominently time-variant: information systems are constantly evolving and new attack instances are developed on a daily basis. Thus, the IDS models should be updated to face this evolution and guarantee the expected accuracy over time. In other terms, a relatively low learning time is a must. Also, a sufficiently large throughput is necessary to be able to analyze all events collected from information systems as soon as they are generated. Furthermore, a very important IDS property is its responsiveness. This property may significantly affect the quality of any counteraction. It is easy to see that counteractions should be performed at the same speed as attacks. If this is not possible, e.g. due to a relatively low responsiveness, counteractions may not be effective against the detected attacks. Finally, all the previous properties depend upon the IDS implementation, and its computational and memory requirements. In general, the better such properties, the higher these requirements. Thus, given a specific IDS hardware and software platform, a trade-off must always be attained.
1. Data acquisition. This step involves the choice of the data source, and
should be designed so that captured events allow distinguishing as much as
possible between malicious and legitimate activities.
5. Classification and result analysis. This step performs the intrusion detection task, matching each test pattern with one of the classes (i.e. malicious or legitimate activity), according to the IDS model. In this step an alert is produced either if the analyzed pattern matches the model of the attack class (misuse-based IDS), or if the analyzed pattern does not match the model of the legitimate activity class (anomaly-based IDS).
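The complementary alert criteria of the two approaches can be sketched as follows. This is a toy Python illustration; the models shown are simplistic placeholders, not actual IDS models:

```python
def misuse_alert(pattern, attack_models):
    """Misuse-based IDS: alert if the pattern matches any attack model."""
    return any(model(pattern) for model in attack_models)

def anomaly_alert(pattern, legitimate_model):
    """Anomaly-based IDS: alert if the pattern does NOT match the model
    of the legitimate activity class."""
    return not legitimate_model(pattern)

# Toy models: an "attack" contains SQL meta-characters, while a
# "legitimate" request contains only alphanumerics and a few safe symbols.
attack_models = [lambda p: "'" in p, lambda p: "--" in p]
legitimate_model = lambda p: all(c.isalnum() or c in "/._-" for c in p)
```

Note the asymmetry: the misuse detector stays silent on anything it has no signature for, while the anomaly detector flags anything that deviates from the legitimate profile, including attacks it has never seen.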
It is easy to see that the data acquisition step is associated with the event box of the CIDF, while all other steps can be associated with the so-called analysis box of the CIDF. The identification of the above steps is useful for the development and the evaluation of IDSs. In particular, in Chapter 5 we will use this subdivision to study IDSs in the context of their adversarial environment.
Chapter 2
Internet Threats
If you know the enemy and know yourself you need not fear
the results of a hundred battles.
Sun Tzu
program was able to replicate and propagate itself through the Internet, by exploiting bugs in the UNIX sendmail program and the finger daemon fingerd, and by performing a password guessing attack to execute Rsh/Rexec with user credentials [Page (1988)]. According to the author, the main goal of this program was to count the number of vulnerable computers connected to the Internet. Unfortunately, as soon as the Morris Worm was injected and started to spread over the Internet, a design flaw in the worm emerged. This flaw caused, very quickly, the crash of thousands of computers at many sites, including universities, military sites and medical research sites [Kehoe (1992)].
The Morris Worm is perhaps the first known relevant Internet-based threat: it caused an accidental Denial of Service (DoS). About three years later, on August 6, 1991, Tim Berners-Lee presented the World Wide Web (WWW, or simply web) project, by posting a short summary on the alt.hypertext newsgroup [Berners-Lee (1991)]. This date is significant, as it identifies the beginning of the web as a public service. Later, in 1994, an email message warning about a computer virus named good times started to circulate among Internet users [Jones (1998)]. This message recommended deleting any email having good times as subject, to avoid virus infections. Actually, this was a false alarm, since such a virus never existed. However, the worldwide diffusion of this email message was itself a sign of the possible impact of real email viruses. In fact, some years later (1999), the Melissa virus, by means of email messages, infected thousands of computers worldwide, with an estimated financial cost of millions of dollars [Northcutt (1999)]. Since
1 The concept of worm was introduced for the first time by researchers at the Xerox Palo Alto Research Center. This research was aimed at supporting distributed computing, network diagnosis, and signaling [Shoch and Hupp (1982)].
then, the Internet has represented the key instrument for the diffusion of viruses and malicious software (i.e. malware) in general.
This chapter is dedicated to a brief inquiry into the nature of today's (and expected future) most significant Internet threats and vulnerabilities. This study is organized as follows. Section 2.1 outlines the most common and critical vulnerabilities. A brief analysis of the currently most threatening attackers is made in Section 2.2. Sections 2.3 and 2.4 are dedicated to the analysis of the web security problem and of the adversarial environment in which security solutions must operate, respectively. This analysis is useful to highlight our research contributions in Section 2.5.
Miscreants employ the infected computers for a variety of purposes. First, compromised computers may attack other computers in the internal network (which are normally not accessible from the Internet), or on the Internet, in order to propagate the infection. Also, miscreants usually steal confidential data from the infected computers and install back doors in order to allow them to return for further exploitation. Such computers may become part of a botnet in order to serve as slaves
for performing coordinated attacks against other computers [Lee et al. (2008)]. In particular, computers in a botnet are increasingly employed to make up fast flux service networks. These sophisticated networks usually host malicious websites, and remediating these websites is a really hard problem (see Section 3.1.2).
In general, the higher the software abstraction level, the higher the related number of vulnerabilities (see Fig. 2.1). Also, most of the attacks involve software applications, because their patching is much slower than operating system patching [SANS (2009)].
Figure 2.1: The higher the software abstraction level, the higher the number of
vulnerabilities (source [SANS (2009)]).
Figure 2.2: The web-based architecture. (1) A request message is sent by the web
client (i.e. browser) to the server. (2) The web server interprets the message to select
a web application and its inputs. (3) Inputs are submitted to the web application.
(4) Depending on its inputs, the web application outputs some informative content.
(5) The web server replies with a response message to the web client; this message
contains the web application's output.
A recent report from the Cenzic corporation shows that about 78% of the total Internet-based threats are related to web-based vulnerabilities [Cenzic (2009)]. The current trend highlights that this situation is going to get worse, since web vulnerabilities are significantly increasing over time. Thus, this is a current problem, but it is expected to remain a relevant problem in years to come.
the automatic software update). Unfortunately, the patch development process may
take a relatively long time. Some vulnerabilities may wait years before getting a
patch [SANS (2009)].
[Figure: pie chart of vulnerability classes — Remote Code Execution 50.0%, Buffer Overflow 25.0%, Elevation of Privileges 9.4%, with Multiple Vulnerabilities and Other accounting for the remaining 9.4% and 6.2%.]
Web applications represent an interesting target for two main reasons. First and foremost, web applications may handle confidential data, such as users' account credentials, users' personal information or confidential documents. Moreover, a vulnerability may be exploited to perform unauthorized actions, such as unauthorized money transfers in a home banking website, or to stealthily attack other computers, e.g. using the website as a proxy. Secondly, the web application may be compromised to return malicious code (e.g. Javascript code) and attack users that will subsequently connect to the website. The latter type of attack is currently the most diffused [SANS (2009)].
Server-side attacks may target popular websites, and in particular websites employing open-source Content Management Systems (CMS). There is a good reason for this: CMS are widely diffused, and they may be easy to attack, since their source code is publicly available and thus it may be easier to find security bugs through white-box analysis (i.e. code inspection).
even more sophisticated and easier to use, and security tools even less effective. As an example, a new generation of malware, the so-called malware 2.0, has recently started to thrive [Porras (2009)]. Malware 2.0 may employ sophisticated techniques such as code metamorphism, cryptography and virtualization, in order to evade detection [Ollmann (2009)]. Advanced malware production programs are available in the wild. These programs automate the malware production process, providing a wide range of options to defeat current detection methods. They may even provide hack-back routines designed to identify whether the malware is operating within a virtual environment. In this case, the malware may change its behavior and try to compromise the virtual machine. The automated production of malware may also employ techniques similar to copyright protection for games and media digital rights management (DRM). These methods may significantly enhance robustness and stealthiness against automated detection systems and even against the reverse engineering performed by threat analysts. Finally, miscreants dedicate a significant effort to quality assurance practices for new malware. New malware is validated, and thus deployed, only after an extensive evaluation against current anti-virus products and specialized on-line detectors (e.g. www.virustotal.com) [Ollmann (2009)].
Similarly, a wide range of evasion techniques is employed by the most popular web application attacks, such as cross-site scripting [Hansen (2009)] and SQL injection [Mac Vittie (2007)]. Web application input validation routines may be easily evaded by combining one or more of these evasion methods.
This situation suggests (and we believe) that the design of future security tools must necessarily embed an awareness of the adversarial environment, in order to cope with current and future threats. We dedicate Chapter 5 to the study of this problem.
On the other hand, malicious websites are increasingly hosted by means of fast flux service networks. In this way, cyber criminals may provide a reliable (malicious) service, which is inherently difficult to switch off. The first research contribution that we describe in this thesis is the ideation and development of Flux Buster [Perdisci, Corona et al. (2009)]. Flux Buster is a research tool which is able to detect fast flux service networks through passive analysis of traffic collected from Recursive Domain Name Servers (RDNS) on multiple Internet Service Provider (ISP) networks. Our detection system is important for a variety of reasons. Firstly, we may detect domain names which point to malicious websites through a more advanced technique w.r.t. domain name blacklists. We may look for intersections between the set of IP addresses resolved by a domain name and the set of known flux agents (i.e. IP addresses of computers pertaining to malicious flux networks detected by Flux Buster). If an intersection is found, the domain may be deemed suspicious and we may protect web users by denying the loading of the associated URL. In this thesis, we will show that such an approach may contribute to email spam filtering. In addition, we will show that Flux Buster is able to detect a wide range of malicious websites which are not noticed by querying the Google Safe Browsing API.
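The intersection check described above reduces to a set operation. A minimal sketch in Python (illustrative names and example IP addresses of our own, not Flux Buster's actual code):

```python
def is_suspicious(resolved_ips, known_flux_agents, min_overlap=1):
    """Flag a domain whose resolved IPs intersect the set of known flux
    agents. Returns (suspicious?, overlapping IPs)."""
    overlap = set(resolved_ips) & known_flux_agents
    return len(overlap) >= min_overlap, overlap

# Hypothetical set of flux-agent IPs previously detected by the system.
known_flux_agents = {"203.0.113.7", "198.51.100.23", "192.0.2.99"}
```

A domain resolving to at least `min_overlap` known flux agents would then have its URLs blocked before the browser loads them.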
Furthermore, Flux Buster provides a clear view of the most popular websites supported by malicious flux networks. This is fundamental to understand the actual impact of flux networks, independently of the way such websites are advertised on the Internet. Finally, the passive approach to the detection of malicious flux networks allows detecting them in a stealthy way. Contrary to previous work, there is no interaction between our detection system and the malicious networks. As we will explain in Section 3.1.2, this means that it is much harder for criminals to discover the detection system.
a tremendous threat for Internet security. The state-of-the-art defence against server-side web attacks is represented by Web Application Firewalls (WAF). Such systems match incoming web requests (which may contain web application inputs) against a predefined set of security rules. If a violation is found, they may perform some kind of counteraction, e.g. drop or redirect the request. However, WAFs present some relevant problems. Firstly, due to the rule-based approach, WAFs may detect and provide protection against known attacks only. Secondly, even for simple web applications, it is tedious, complex and error-prone to define suitable rules to detect and block web attacks. Web applications (and their inputs) are typically highly customized, depending on the service specification and the developer. Thus, security rules must be customized for the web application in order to be effective.
To cope with these issues, we studied and developed a research tool called Web Guardian. Web Guardian is an anomaly-based Intrusion Protection System. The key task of Web Guardian is to model the normal profile of the web requests received by the web server, without supervision. A relevant feature of Web Guardian is the capability of explicitly handling the presence of noise (attacks) in its training set. The normal profile of web requests is described through a set of independent models. Each model describes the statistical profile of a specific feature of the web requests. In this way, each model may be viewed as an anomaly sensor. A counteraction module is employed to correlate the models' outputs and define the action to be performed. This architecture has the following advantages:
• We may protect web services against both known and unknown attacks.
• Anomalies may identify the class of an attack: since models are highly specialized, the set of anomalies may identify the typology of the attack. This is important to provide well-suited counteractions and to support forensic procedures.
• Extensibility: it is easy to extend Web Guardian with new models that take into account other features of web requests.
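This multi-model architecture can be sketched in a few lines of Python. The two feature models, the way their outputs are combined, and the threshold below are all hypothetical illustrations of ours; Web Guardian's actual models and correlation module are presented in Chapter 4.

```python
import math

# Hypothetical per-feature anomaly sensors: each returns a score in (0, 1],
# higher meaning "more normal" for that feature of the web request.
def length_model(request):
    # Requests much longer than a toy 100-character baseline look anomalous.
    return math.exp(-max(0, len(request) - 100) / 50)

def charset_model(request):
    # Fraction of characters drawn from a "normal" URL alphabet.
    normal = sum(c.isalnum() or c in "/?=&._-" for c in request)
    return normal / max(1, len(request))

MODELS = [length_model, charset_model]

def anomaly_score(request):
    """Correlate the independent sensors: geometric mean of their scores."""
    scores = [m(request) for m in MODELS]
    return math.prod(scores) ** (1 / len(scores))

THRESHOLD = 0.7  # tunable, e.g. via an administrator interface

def is_attack(request):
    return anomaly_score(request) < THRESHOLD
```

Because each sensor watches one feature, a low combined score can be traced back to the sensors that produced it, which is what makes the set of anomalies indicative of the attack typology.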
In this thesis, we will show that Web Guardian is able to detect simple as well as sophisticated attacks against web servers and web applications. False alarms are very few, and counteractions may be tuned to have a negligible probability of affecting legitimate web requests, while retaining their effectiveness against malicious web requests. In any case, through a web interface, the security administrator may easily adjust probability thresholds to cope with false alarms. Web Guardian represents an extension and evolution of HMM Web [Corona et al. (2009)], and it is presented in Chapter 4.
Flux Buster and Web Guardian represent Intrusion Detection Systems (as defined in Section 1.3)² that we propose to enhance the state of the art of Internet (web) security. However, in this thesis we present another significant, more general, research contribution.
The effectiveness of any Intrusion Detection System (IDS) depends upon the IDS operating environment. This environment is constantly evolving and prefigures a hostile component, which is due to the presence of an adversary. This is clear from the discussion in Section 2.4. The adversary is willing to evade or compromise the security tool, reduce the accuracy of its results or divert its expected behavior. The effectiveness of IDSs over time is strictly related to their capability to cope with an adversary having these goals. Thus, we believe that the design of future IDSs must necessarily address this issue. Nevertheless, this is not a trivial problem. Many research works have highlighted open issues or proposed new solutions related to this problem. Unfortunately, such works typically focused on specific topics, discussed attacks against specific IDSs and often used different terms for the same general concepts. As a consequence, an overall picture of the problem is still lacking.
Thus, in Chapter 5, we critically review related work in terms of problem formulation, contributions and proposed solutions. Then, we highlight the pros and the cons of each of the main IDS typologies, and suggest how to address the cons. Our study may be employed as a reference either to design robust IDS solutions or to evaluate the quality of different IDS solutions, depending on the specific intrusion detection task. As we will see, the design of Flux Buster and Web Guardian reflects many of the key features of adversary-aware IDS solutions.
2 Flux Buster may be considered an IDS, if we consider fast flux networks as violations of Internet security policies.
Chapter 3
Bruce Schneier
As mentioned in Section 2.5, fast flux service networks are increasingly adopted to host malicious websites, supporting any kind of scam. The robustness and pervasiveness of such malicious networks make the remediation of, and thus the protection against, these websites a really hard problem. Nevertheless, even if we cannot easily remediate these websites, we propose to protect web users by preventing the loading of websites whose domain names resolve to flux networks. To this end, we studied and developed Flux Buster, a research tool which has been developed in collaboration with Damballa, Inc. and the Georgia Tech Information Security Center, Atlanta, USA. Flux Buster is an advanced system for the detection of fast flux networks.
This chapter is organized as follows. First, in Section 3.1 we introduce the reader to fast flux networks, previous work on the detection of such networks, as well as the key contributions of our work. Then, in Section 3.2 we present Flux Buster in more detail and evaluate its performance.
Subsequently, in Section 3.4 we employ Flux Buster in an operational setting. We show how the output of Flux Buster may improve the detection of malicious websites provided by the Google Safe Browsing API, the state-of-the-art protection adopted by the most popular web browsers. Furthermore, we show how our system may benefit spam filtering applications. Finally, in Section 3.4.3 we discuss limitations of Flux Buster, as well as some possible ways of improvement.
3.1 Introduction
3.1.1 Content Delivery Networks
Most high-profile organizations, such as Google, Microsoft, Yahoo! and Amazon, employ legitimate Content Delivery Networks (CDNs) to offer their Internet services
Figure 3.1 shows the basic functioning of a CDN. Assume a user tries to connect to a website (e.g. http://www.google.com). Firstly, the browser tries to resolve the related domain name (e.g. www.google.com). To this end, it queries the Recursive Domain Name Server (RDNS) provided by the user's Internet Service Provider (ISP). Then, the RDNS may query various DNS servers until reaching the authoritative DNS for the specific domain name. The authoritative DNS server, according to the current state of the CDN and the geographical position of the request source, replies with one or more IP addresses corresponding to the closest CDN nodes. Subsequently, the RDNS forwards this list to the user's browser. Finally, the browser sends an HTTP GET message to the first IP address in this list, retrieving the HTTP response (e.g. which contains the main Google page). Typically, only if the first IP address is not reachable will the browser contact the other IP addresses in the list.
It is worth noting that the list of IP addresses is valid only for a limited period of time, defined by the Time To Live (TTL) parameter. In the example of Fig. 3.1, this value is 50 seconds. Thus, this list is stored (cached) by the RDNS only for 50 seconds. If the browser sends another DNS query for the same website within this interval, the RDNS won't contact the authoritative DNS again. Instead, in order to redistribute the load among equivalent nodes, the RDNS will return the same list of IP addresses, but in a different order, e.g. following a Round-Robin algorithm [Brisco (1995)]. After TTL seconds, if the user wants to connect to the same website, the whole process above is repeated. In general, relatively low TTL values (e.g. 20 or 50 seconds) are necessary to provide users with an updated list of nodes, in order to optimize the content delivery process.
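The TTL-based caching and round-robin rotation performed by the RDNS can be sketched as follows. This is a toy Python model of ours (real resolvers are far more elaborate): within the TTL the cached list is rotated on each query, and once the TTL expires the authoritative DNS is contacted again.

```python
import time
from collections import deque

class RdnsCache:
    """Toy RDNS cache: honors the TTL and rotates the IP list (round-robin)."""
    def __init__(self):
        self._cache = {}  # domain -> (expiry timestamp, rotating deque of IPs)

    def resolve(self, domain, authoritative_lookup, ttl=50):
        now = time.time()
        entry = self._cache.get(domain)
        if entry is None or now >= entry[0]:
            # Cache miss or TTL expired: query the authoritative DNS again.
            entry = (now + ttl, deque(authoritative_lookup(domain)))
            self._cache[domain] = entry
        else:
            # Cache hit: rotate the list to redistribute load among nodes.
            entry[1].rotate(-1)
        return list(entry[1])

# Stand-in for the authoritative server of a CDN-hosted domain.
def authoritative_lookup(domain):
    return ["192.0.2.1", "192.0.2.2", "192.0.2.3"]
```

Two consecutive queries within the TTL thus receive the same three addresses in a different order, which is exactly the load-balancing behavior described above.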
Figure 3.1: Basic functioning of a Content Delivery Network. The user retrieves the
main Google page.
Figure 3.2: Basic functioning of a malicious fast flux service network. The user retrieves a fake Facebook login page, advertised by means of an email very similar to legitimate Facebook emails.
software that turns a machine into a botnet member) is able to infect a high number of machines around the world (e.g., through worm-like propagation), in particular poorly administered home-user machines. The flux agents are usually part of a botnet and can be remotely controlled by the malware author, who is often referred to as the bot-herder. Actually, the bot-herder may just lease the use of (a part of) her botnet to a fast flux service operator (in the following, flux operator). This operator may work in collaboration with spammers, in order to advertise her malicious websites through a variety of means (e.g. email spam, blog spam, search engine spam) [SH (2010)]. The flux operator in turn may sell her illicit fast flux service to a customer, e.g. to support a particular scam campaign [SAC (2008)]. Of course, more complex relationships are possible. The key point is that the know-how and organization of these Machiavellian miscreants make this problem a tremendous and pervasive threat.
In order to set up a flux service, the flux operator registers a number (hundreds or even thousands) of so-called fast-flux domain names. To this end, the operator typically employs multiple domain name registrars world-wide. Domain names are routinely registered by using stolen user credentials and paying with stolen credit card numbers. Each registration associates a domain name with an authoritative DNS. The authoritative DNS is a computer tightly controlled by the malicious operator. For example, it may be a computer of the botnet (e.g. under lease) with a public IP address and high uptime. In this way, whenever a RDNS tries to resolve one of the registered domain names, it will finally query this computer to get an updated list of IP addresses. The operator sets up the authoritative DNS so that this list reflects the addresses of active flux agents. On the other hand, each flux agent may be turned on and off at any moment by its owner. In other words, it is difficult for the flux operator to control or predict the uptime of each flux agent. Therefore, in order to provide malicious content with relatively high availability and load balancing, authoritative DNS servers are usually configured to provide a different (large) set of resolved IP addresses (i.e., of flux agents) at every new DNS query, to increase the chance of returning at least one IP address that will be reachable and able to provide the malicious content at any given time. In practice, fast-flux domain names allow flux operators to apply light-weight load balancing of content requests over a large number of flux agents, thus effectively accomplishing high availability at the expense of the compromised nodes.
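This behavior suggests simple passive indicators: a flux domain accumulates many distinct IPs scattered across unrelated networks across successive queries, while a legitimate CDN reuses a small, stable pool. A toy sketch of such indicators (our own illustration with example data; the actual features used by Flux Buster are described in Section 3.2):

```python
def flux_features(dns_responses):
    """Aggregate passive-DNS observations for one domain into two crude
    fast-flux indicators: the number of distinct resolved IPs and the
    number of distinct network prefixes they span."""
    ips, prefixes = set(), set()
    for response in dns_responses:          # one resolved IP list per query
        for ip in response:
            ips.add(ip)
            prefixes.add(".".join(ip.split(".")[:2]))  # crude /16 key
    return len(ips), len(prefixes)

# A flux-like domain: new, scattered IPs at every query.
flux = [["203.0.113.7", "198.51.100.9"], ["192.0.2.44", "203.0.113.80"]]
# A CDN-like domain: the same small pool, merely reordered.
cdn = [["192.0.2.1", "192.0.2.2"], ["192.0.2.2", "192.0.2.1"]]
```

High values of both counters for a short-lived domain are a hint of flux activity rather than of legitimate content delivery.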
More complex network structures are possible. In some flux network schemes, a number of flux agents may also act as authoritative name servers, namely the servers that will be contacted directly by the RDNS resolver to obtain the list of IPs associated to fast-flux domain names. Such flux networks are usually referred to as double-flux [KYE (2007), SAC (2008)].
Malicious flux service networks are commonly used to host phishing websites or illegal adult websites, or to serve as malware propagation vectors, for example. Consider the scenario of Figure 3.2, in which a malicious organization, the customer, wants to steal Facebook users' credentials for illicit purposes (e.g. advanced social engineering [Mitnick (2002)]). The customer may pay a flux operator to set up the
whole scam. Firstly, the flux operator registers a number of domain names (e.g. mysession21.com, · · · , sessionnew83.com, xsessionid.com) that resolve to her flux agents, which will return a fake Facebook login page. She then contacts a spammer to send a large number of phishing emails that signal a new message from a Facebook user (e.g. Rob), in order to attract web traffic from victim users. This email may look very similar to legitimate Facebook notifications, except that all the links contain a fast flux domain name, e.g. login.facebook.sessionnew83.com. When a user receives one of such emails and clicks on the advertised URL, her browser will resolve the domain name login.facebook.sessionnew83.com and will be redirected to one of the flux agents. The flux agent will then provide a web page that looks just like the login interface of facebook.com, but has the ability to steal any information provided by the user and submit it to the customer.
The flux agents may have two roles. In some cases they may function as transparent web proxies to the real content-provider machine, instead of storing the malicious content locally. In the example above, this means that when the browser is redirected to one of the flux agents to access the phishing login web page, the flux agent will contact another machine under the control of the flux operator, download the malicious content, and forward it to the user's browser. The machine that actually provides the malicious content through the flux agents is often referred to as the mothership, as shown in Figure 3.2. Thus, when flux agents act as transparent proxies they effectively hide the real source of the malicious content.

fast-flux domains advertised through email spam¹. In particular, given a dataset of spam emails (typically captured by spam traps and filters), potential fast-flux domain names are identified by extracting them from the URLs found in the body of these emails [Holz et al. (2008), Passerini et al. (2008), Nazario et al. (2008),
Konte et al. (2009)]. Then, an active probing strategy is applied, which repeatedly issues DNS queries to collect information about the set of resolved IP addresses and to classify each domain name as either fast-flux or non-fast-flux. The work in [Hu et al. (2009)] is in part different from other previous work, because it is not limited to domains found in spam emails. Hu et al. [Hu et al. (2009)] propose to analyze NetFlow information collected at border routers to identify redirection botnets, which are a specific kind of botnet used to set up redirection flux service networks. However, the information they extract from network flows is not able to detect flux agents that are being used as transparent proxies instead of redirection points. Also, the work in [Hu et al. (2009)] is heavily based on a DNS analysis module that applies active probing in a way very similar to [Holz et al. (2008), Passerini et al. (2008)], in order to collect the information necessary to perform the classification of suspicious domains collected from spam emails and the correlation with network flow information.
Flux Buster adopts a novel, passive approach for detecting and tracking malicious flux service networks. It is based on passive analysis of recursive DNS traces collected from multiple large networks. In practice, as shown in Figure 3.3, we deploy a sensor in front of the recursive DNS (RDNS) server of different networks, passively monitor the DNS queries and responses from the users to the RDNS, and selectively store information about potential fast-flux domains into a central DNS data collector. Since the amount of RDNS traffic in large networks is often overwhelming, we devised a number of prefiltering rules that aim at identifying DNS queries to potential fast-flux domain names, while discarding the remaining requests to legitimate domain names. Our prefiltering stage is very conservative; nevertheless, it is able to reduce the volume of the monitored DNS traffic to a tractable amount without discarding information about domain names actually related to malicious flux services. Once information about potential malicious flux domains has been collected for a certain epoch E (e.g., one day), we perform a more fine-grained analysis. First, we apply a clustering process to the domain names collected during E, and we group together domain names that are related to each other. For example, we group together domain names that point to the same Internet service, are related to the same CDN, or are part of the same malicious flux network. Once the monitored domain names have been grouped, we classify these clusters of domains and the related monitored resolved IP addresses as either being part of a malicious flux service network or not. This is in contrast with most previous works, in which single domain names are considered independently from each other, and classified as either fast-flux or non-fast-flux [Holz et al. (2008), Passerini et al. (2008), Konte et al. (2009)].

¹ The domain names found in domain blacklists and malware samples are also considered in some works, but they are very few compared to the domain names extracted from spam emails.
Goals and assumptions Flux Buster aims at detecting malicious flux networks in-the-wild. It passively processes the RDNS traffic generated by a large user base (see Figure 3.3). We assume that during their normal Internet experience some of these users will (intentionally or unintentionally) request malicious content served through a flux network. In practice, given the large user base we are able to monitor, it is very likely that at least some of these users will (unfortunately) fall victim to malicious web content, and will therefore click on (and initiate DNS queries about) flux domain names. We aim to detect such events, and track the flux domain names and the IP addresses of the related flux agents contacted by the victims in the monitored network. Since we perform passive analysis and we monitor real users' activities, we can stealthily detect and collect information about popular malicious flux networks on the Internet, regardless of the method used by flux operators to advertise the malicious content served by their flux networks. This is important to provide preemptive protection to web users against any scam supported by malicious flux networks.
² In the remainder of this paper we will sometimes use domain in place of domain name, for the sake of brevity.

kept in memory and updated periodically. This list contains historic information about candidate flux domain names, namely the maximum TTL ever seen for each domain name, the set of resolved IPs extracted from the DNS responses over time, etc. At the end of every period ∆T < E (e.g., ∆T may be equal to a few hours), the list of candidate flux domain names is checked by filter F2 to verify whether they are still likely to be flux domains, according to the collected historic information. For example, F2 checks whether the set of resolved IPs returned by the RDNS for a given domain name has grown during ∆T. In fact, if a domain name was queried several times during ∆T, but no new resolved IP was observed, it is unlikely that the domain name is associated with a malicious flux service. On the other hand, if the set of resolved IPs returned by the RDNS for a certain domain name keeps changing after every TTL, the domain name is considered a good candidate flux domain. The domain names that are found not to be likely flux-related are pruned from the list L.
At the end of each epoch E, the remaining candidate flux domains in L and the related historic information are transferred from the RDNS sensors to our Detector machine (see Figure 3.3), where we perform further analysis. In particular, in this phase we aim at clustering together domain names related to the same service. We group domains according to their resolved IP sets. Namely, given two candidate flux domain names, if their sets of resolved IPs collected during the epoch E intersect (i.e., the two domain names share a significant fraction of resolved IPs), we consider the two domain names as similar. Given this notion of IP-based similarity, we apply a hierarchical clustering algorithm to group domain names that are related to each other. In practice, each of the obtained clusters represents a separate candidate flux service network. It is worth noting that filters F1 and F2 are very conservative. They will accept domains related to malicious flux services, but may also accept a number of domains related to legitimate services.
where p is the ratio between the number of distinct /16 network prefixes and the total number of resolved IPs. We now briefly motivate the choice of these filtering rules.

As mentioned in Section 3.1.2, flux domains are characterized by a low TTL, which is usually in the order of a few minutes [KYE (2007)] and allows the set of resolved IPs to change rapidly. Rule F1-a excludes all the queries to domain names whose TTL exceeds three hours, because such domain names are unlikely to be fluxing. Rule F1-b takes into account the fact that DNS queries to flux domain names usually return a relatively large number (> 3) of resolved IPs [KYE (2007)]. The reason for this is that, as mentioned in Section 3.1.2, the uptime of each flux agent is not easily predictable. A large set of resolved IPs provides a sort of fault-tolerance mechanism for the flux service. However, a similar result may also be obtained by setting up flux domains that return a very small set of resolved IPs (e.g., only one per query) but have a very low TTL (e.g., equal or close to zero). This way, if a flux agent is down, a new flux agent can be immediately discovered by performing another DNS query, because the previous response will be quickly evicted from the RDNS's cache. Rule F1-b takes into account both these scenarios. Rule F1-c is motivated by the fact that the flux agents are often scattered across many different networks and organizations (e.g., the infected machines may be scattered across several different academic networks, ISP networks, enterprise networks, etc.). On the other hand, most legitimate (non-flux) domain names resolve to IP addresses residing in one or few different networks (e.g., IPs all residing in the same sub-network of the organization that provides a legitimate Internet service). We use the function prefix(P^(d), 16) to estimate the number of different networks in which the resolved IPs reside³, and the ratio p (rule F1-c) allows us to identify queries to domains that are very unlikely to be part of a malicious flux service.
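As an illustration, the network prefix ratio p used by rule F1-c can be sketched as follows. This is a minimal reconstruction under our own naming (prefix16, prefix_ratio), not the thesis implementation:

```python
def prefix16(ip):
    """Return the /16 network prefix of a dotted-quad IPv4 address."""
    a, b, _, _ = ip.split(".")
    return f"{a}.{b}"

def prefix_ratio(resolved_ips):
    """Ratio p between the number of distinct /16 prefixes and the total
    number of resolved IPs (rule F1-c)."""
    if not resolved_ips:
        return 0.0
    return len({prefix16(ip) for ip in resolved_ips}) / len(resolved_ips)
```

IPs scattered across many networks yield p close to 1, while IPs concentrated in one sub-network yield a small p.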
In order to narrow down the number of candidate flux domains and only consider the ones that are most likely related to malicious flux services, the list L is pruned at the end of every interval ∆T < E (e.g., every ∆T = 3 hours). That is, every ∆T we check the status of each candidate flux domain d ∈ L. Let t_j be the time when this pruning check occurs. Also, let p = |prefix(R_j^(d), 16)| / |R_j^(d)| be the network prefix ratio (see Section 3.2.1) for the cumulative set of resolved IPs of d ever seen until t_j. We remove from L those domain names for which

F2-a) Q_j^(d) > 100 AND |G_j^(d)| < 3 AND (|R_j^(d)| ≤ 5 OR p ≤ 0.5).

Rule F2-a filters out those domains for which we monitored more than 100 queries, the cumulative set of resolved IPs did not grow more than twice, and the total number of resolved IPs ever seen is low (≤ 5) or the network prefix ratio p is low (≤ 0.5).
The filter F2 is justified by the characteristics of flux domain names described in Section 3.1.2, and domain names that do not pass F2 are very unlikely to be related to flux services.
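The F2-a predicate reduces to a single boolean check. The sketch below uses our own parameter names, mirroring the notation Q_j, G_j, R_j and p above:

```python
def prune_f2a(queries, growth_events, resolved_ips, p):
    """Rule F2-a: return True if the domain should be removed from list L.
    queries        -- Q_j: DNS queries observed for the domain up to this check
    growth_events  -- |G_j|: times the cumulative resolved-IP set grew
    resolved_ips   -- R_j: cumulative set of resolved IPs
    p              -- network prefix ratio |prefix(R_j, 16)| / |R_j|
    """
    return queries > 100 and growth_events < 3 and (len(resolved_ips) <= 5 or p <= 0.5)
```

A heavily queried domain whose resolved-IP set stays small and static is pruned; a domain whose set keeps growing survives the check.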
³ Ideally, it would be better to decide whether two IPs belong to two different networks by mapping each IP to its AS number, and then comparing the AS numbers. However, it may be hard to do this efficiently, and from our experience using /16 prefixes gives us a way to efficiently compute a good approximation of this result.
and we mainly use it to reduce the amount of memory required by the clustering algorithm. These filtering rules may be tuned (or eliminated) to accept more domains for the clustering step if more memory were available. This additional filter step reduces the average number of candidate flux domains to be clustered by almost an order of magnitude (from 4·10⁴ to 6·10⁴ down to about 8·10³ domains per sensor). It is worth noting, though, that similarly to filters F1 and F2, these filtering rules are still very conservative. In fact, from our experimental results we noticed that even after this further filtering, the list of candidate domain names still included all the domain names most likely related to malicious flux services, along with domain names related to legitimate CDNs, pools of NTP servers, and other legitimate services. As mentioned in Section 3.2, domain names related to legitimate CDNs and pools of NTP servers, for example, share some similarities with fast-flux domains, and given that our filtering rules are very conservative (i.e., they aim at not rejecting any potential flux domain, but may also include non-flux domains), these domains tend to be included in our list of candidate flux domains.
In order to further narrow down the domain names to be processed by our domain clustering algorithm, we apply an additional filtering step F3. We keep only the domain names that satisfy any of the following filtering rules (see Section 3.2.2 for the notation), where the subscript E indicates that the quantities are measured at the end of the epoch E = 1 day:

F3-a) T_E^(d) < 30
F3-b) |R_E^(d)| > 10
F3-c) |G_E^(d)| > 5
F3-d) |R_E^(d)| > 5 AND p_E > 0.8
F3-e) p_E > 0.5 AND T_E^(d) ≤ 3600 AND |G_E^(d)| > 10
Our clustering approach groups together domain names that within an epoch E (equal to one day in our experiments) resolved to a common set of IP addresses. To perform clustering of flux domains that are related to each other, we use a single-linkage hierarchical clustering algorithm [Jain et al. (1988), Jain et al. (1999)], which adopts a friends-of-friends clustering strategy. In order to apply clustering to a set of domain names D = {d₁, d₂, ..., dₙ}, we first need to formally define a notion of similarity between them. We defined the following similarity metric between candidate flux domains. Given two domains α and β, and their cumulative sets of resolved IP addresses collected during an epoch E, respectively
R^(α) and R^(β), we define

sim(α, β) = ( |R^(α) ∩ R^(β)| / |R^(α) ∪ R^(β)| ) · ( 1 / (1 + e^(γ − min(|R^(α)|, |R^(β)|))) ) ∈ [0, 1]    (3.1)
The first factor is the Jaccard index for the sets R^(α) and R^(β), which intuitively measures the similarity between the two cumulative sets of resolved IPs. The second factor is a sigmoidal weight. In practice, the higher the minimum number of resolved IPs in R^(α) or R^(β), the higher the sigmoidal weight. To better understand the choice of this weight factor, consider this example: if |R^(α) ∩ R^(β)| = 1 and |R^(α) ∪ R^(β)| = 4, or |R^(α) ∩ R^(β)| = 10 and |R^(α) ∪ R^(β)| = 40, the Jaccard index is 0.25 in both cases. However, in the second case we want the similarity to be higher, because there are 10 resolved IPs in common between the domains α and β, instead of just one. We can also think of the second factor as a sort of confidence in the first one. The parameter γ is chosen a priori, and is only used to shift the sigmoid towards the right with respect to the x-axis. We set γ = 3 in our experiments, so that if min(|R^(α)|, |R^(β)|) = 3 the weight factor will be equal to 0.5. As the minimum number of resolved IPs grows, the sigmoidal weight tends to its asymptotic value of 1 (e.g., when min(|R^(α)|, |R^(β)|) = 10, the weight factor is equal to 0.999).
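Equation 3.1 is straightforward to implement. The following sketch is our own code (not the thesis implementation) and reproduces both the Jaccard index and the sigmoidal weight, with the same default γ = 3:

```python
import math

def sim(r_alpha, r_beta, gamma=3.0):
    """Similarity of Eq. 3.1: Jaccard index of the two cumulative resolved-IP
    sets, weighted by a sigmoid of the smaller set's size, so that overlaps
    backed by more IPs count more."""
    union = len(r_alpha | r_beta)
    if union == 0:
        return 0.0
    jaccard = len(r_alpha & r_beta) / union
    weight = 1.0 / (1.0 + math.exp(gamma - min(len(r_alpha), len(r_beta))))
    return jaccard * weight
```

With γ = 3, two identical three-IP sets score 1 · 0.5 = 0.5, while the 10-in-40 overlap from the example above scores just under 0.25, as intended.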
A similarity (or proximity) matrix P = {s_ij}, i,j = 1..n, consisting of the similarities s_ij = sim(d_i, d_j) between each pair of domains (d_i, d_j), can then be computed. The hierarchical clustering algorithm takes P as input and produces as output a dendrogram (see example in Figure 3.10), i.e., a tree-like data structure in which the leaves represent the original domains in D, and the length of the edges represents the distance between clusters [Jain et al. (1988)]. The single-linkage algorithm defines the similarity between two clusters C_i = {d_k^(i)}, k = 1..c_i, and C_j = {d_h^(j)}, h = 1..c_j, as σ_ij = max_{l,m} { sim(d_l^(i), d_m^(j)) }. The obtained dendrogram
does not actually define a partitioning of the domains into clusters; rather, it defines relationships among domains. A partitioning of the set D into clusters can then be obtained by cutting the dendrogram at a certain height h. The leaves that form a connected sub-graph after the cut are considered part of the same cluster [Jain et al. (1988)]. Of course, different values of the height of the cut h may produce different clustering results. In order to choose the best dendrogram cut (i.e., the best clustering), we apply a clustering validation approach based on plateau regions [Dugad et al. (1998)]. In practice, we plot a graph that shows how the number of clusters varies for varying heights of the cut, and we look for plateau (i.e., flat) regions in the graph. For example, consider Figure 3.5 and Figure 3.6. The two graphs are related to clusters of candidate flux domain names extracted from two different RDNS sensors (see Section 3.3 for details). Both graphs are related to monitoring the DNS traffic from each sensor for one epoch E = 1 day. The long plateau region between 0.1 and 0.7 shows that varying the cut height h does not significantly change the number of obtained clusters. This stability in the number of clusters can be viewed as an indication that cutting the dendrogram at a height h ∈ [0.1, 0.7] would yield a sort of natural grouping of the domain names. A manual validation of the clusters obtained using this analysis strategy confirmed that the obtained clusters were indeed correct. We will discuss the clustering results in more detail in Section 3.3.
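Cutting a single-linkage dendrogram at height h is equivalent to taking the connected components of the graph that links any two domains whose similarity is at least 1 − h (with distance = 1 − similarity). The friends-of-friends grouping can therefore be sketched without building the full dendrogram; the code below is our own illustrative reconstruction, not the thesis implementation:

```python
from collections import defaultdict

def cluster_domains(domains, simfn, h):
    """Friends-of-friends clustering: connected components of the graph
    linking domains with pairwise similarity >= 1 - h, which matches a
    single-linkage dendrogram cut at height h (distance = 1 - similarity)."""
    threshold = 1.0 - h
    adj = defaultdict(set)
    for i, a in enumerate(domains):
        for b in domains[i + 1:]:
            if simfn(a, b) >= threshold:
                adj[a].add(b)
                adj[b].add(a)
    clusters, seen = [], set()
    for d in domains:
        if d in seen:
            continue
        comp, stack = set(), [d]  # depth-first traversal of one component
        while stack:
            x = stack.pop()
            if x in comp:
                continue
            comp.add(x)
            stack.extend(adj[x] - comp)
        seen |= comp
        clusters.append(sorted(comp))
    return clusters
```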
Passive Features
φ1 Number of resolved IPs. This is the overall number of distinct resolved IP addresses ever observed during epoch E_m for all the domains in a cluster. Malicious flux services typically use a large number of flux agents to provide load balancing and high availability of malicious content, and therefore feature φ1 will typically have a high value.
φ2 Number of domains. This is the total number of distinct domain names in a cluster. As mentioned above, some malicious flux services are advertised through large sets of fast-flux domains. This is often the case when the flux operator tries to avoid domain blacklisting by registering and advertising new random-looking domains every day.
φ3 Avg. TTL per domain. Average TTL of the domains in a cluster. Flux domains are configured with a low TTL to force RDNS servers to frequently flush their cache and query the authoritative DNS server for an updated list of resolved IPs. This way, the resolved IPs of flux domains are frequently changed to reflect changes in the set of active flux agents.
φ4 Network prefix diversity. This is the ratio between the number of distinct /16 network prefixes and the total number of IPs. This feature is used to estimate the degree of scattering
φ5 Number of domains per network. Number of distinct domain names that resolved to at least one of the IP addresses in the considered cluster, during all the previous epochs E₁, E₂, ... until the considered epoch E_m. In spite of the high variability of flux domain names, flux networks are rather stable and persistent [Konte et al. (2009)]. Thus, the same flux agents tend to be used by many distinct domain names over time. This feature measures how many domains can be associated with the IPs (i.e., the flux agents) in a cluster, throughout different epochs.
φ6 IP Growth Ratio. This represents the average number of new IP addresses discovered per DNS response related to any domain in a cluster. Namely, (1/|C_i|) · Σ_{d ∈ C_i} |R^(d)| / Q^(d). The higher this value, the higher the probability that the response to a new DNS query for a domain d ∈ C_i will contain a set of new (never-seen-before) IPs, and therefore the higher the probability that d is associated with a flux service.
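Feature φ6 can be sketched directly from its formula. The data layout below (a mapping from each domain to its cumulative resolved-IP set and query count) is our own assumption:

```python
def ip_growth_ratio(cluster):
    """Feature phi6: (1/|C_i|) * sum over d in C_i of |R(d)| / Q(d), i.e. the
    average number of resolved IPs per DNS response across the cluster's
    domains. `cluster` maps each domain name to a pair
    (resolved_ips, n_queries)."""
    if not cluster:
        return 0.0
    return sum(len(ips) / queries for ips, queries in cluster.values()) / len(cluster)
```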
Active Features
φ10 Country Code diversity. For each IP in a cluster, we map it to its geographical location and compute the ratio between the number of distinct countries across which the IPs are scattered and the total number of IPs. We expect high values of this feature for flux networks, since flux agents are typically located in many different countries.
φ11 Dynamic IP ratio. The bot-compromised machines that constitute malicious flux services are mostly home-user machines. In order to estimate whether an IP is related to a home-user machine, we perform a reverse (type PTR) DNS lookup for each IP, and we look for keywords such as dhcp, dsl, dial-up, etc., in the DNS response to identify machines that use a dynamic (as opposed to static) IP address. We then compute the ratio between the (estimated) number of dynamic IPs in the cluster and the total number of IPs. The intuition is that, contrary to malicious flux services, the vast majority of legitimate CDNs and other Internet services rely on professionally managed machines having static IP addresses. Therefore, feature φ11 can help us distinguish between malicious flux services and other services.
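A sketch of feature φ11, assuming the PTR lookups have already been performed; the keywords beyond dhcp, dsl and dial-up are our own guesses at what the "etc." above might cover:

```python
# Keywords from the description above (dhcp, dsl, dial-up); the remaining
# entries are hypothetical additions.
DYNAMIC_KEYWORDS = ("dhcp", "dsl", "dial-up", "dialup", "ppp", "dyn")

def dynamic_ip_ratio(ptr_records):
    """Feature phi11: fraction of IPs whose reverse-DNS (PTR) hostname
    suggests a dynamically addressed home-user machine. `ptr_records` maps
    each IP to its PTR hostname (or None if the lookup failed)."""
    if not ptr_records:
        return 0.0
    dynamic = sum(
        1 for name in ptr_records.values()
        if name and any(k in name.lower() for k in DYNAMIC_KEYWORDS)
    )
    return dynamic / len(ptr_records)
```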
φ12 Average Uptime Index. This feature is obtained by actively probing each IP in a cluster about six times a day for a predefined number of days (e.g., 5 days), attempting to establish TCP connections on ports 80/53/443, i.e., the HTTP/DNS/HTTPS services⁴. If the host accepts the TCP connection, it is considered up; otherwise it is considered down. An estimate of the uptime of each IP is given by the ratio between the number of times the IP is found to be up and the total number of probes. Feature φ12 is computed as the average uptime for the IPs in a cluster.

⁴ We use TCP instead of UDP for DNS probing, because most off-the-shelf DNS software is designed to listen on port 53 for both TCP and UDP communications.
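The probing and averaging behind φ12 can be sketched as follows. The port list and timeout follow the description above, while the six-probes-a-day scheduling is left out; this is an illustration, not the thesis code:

```python
import socket

def is_up(ip, ports=(80, 53, 443), timeout=3.0):
    """One probe of feature phi12: a host counts as 'up' if it accepts a TCP
    connection on any of the HTTP/DNS/HTTPS ports."""
    for port in ports:
        try:
            with socket.create_connection((ip, port), timeout=timeout):
                return True
        except OSError:
            continue
    return False

def average_uptime_index(probe_results):
    """Feature phi12: mean, over the IPs in a cluster, of the fraction of
    probes in which each IP was found up. `probe_results` maps each IP to a
    list of boolean probe outcomes (e.g., collected via is_up)."""
    if not probe_results:
        return 0.0
    return sum(sum(r) / len(r) for r in probe_results.values()) / len(probe_results)
```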
3.3 Experiments
In this Section we present the results obtained with our malicious flux network detection system. All the experiments related to the clustering of candidate flux domains and the classification of flux service networks were conducted on a 4-core 3GHz Intel Xeon machine with 16GB of memory. However, because the machine was shared with other research applications, we constrained ourselves to using a maximum of 5GB for our experiments.
in Figure 3.4 and described in Section 3.2. We set the epoch E to be one day. Figure 3.7 shows the number of candidate flux domains obtained at the end of each epoch. It is easy to see that the overwhelming traffic volume monitored by the RDNS sensors is effectively reduced from more than 10⁹ DNS queries for tens of millions of distinct domain names to an average of 4·10⁴ to 6·10⁴ candidate flux domain names per day (depending on the sensor we consider).
fr.pool.ntp.org were all correctly grouped together, and separated from the cluster containing au.pool.ntp.org and oceania.pool.ntp.org, for example. In other cases we had to confirm the correctness of our clusters by manually probing the clustered domain names and finding relations between the obtained resolved IPs and the services (e.g., web pages) provided through them. Figures 3.8 and 3.9 show snapshots of our graphical interface, showing a malicious flux network and a legitimate NTP pool, respectively.

⁵ The second-level domain (2LD) of a domain name d is defined as the last two substrings separated by a dot. For example, the 2LD of www.example.com is example.com.
Passive features                      l1     l2     l3     l4     m1     m2     m3
Number of resolved IPs (φ1)           25     22     1069   346    765    137    1011
Number of domains (φ2)                12     24     15     13     466    3      269
Avg. TTL per domain (φ3)              22     20     1402   7421   300    180    180
Network prefix diversity (φ4)         0.12   0.5    0.53   0.483  0.81   0.84   0.445
Number of domains per network (φ5)    488    165    57     54     42000  228    1632
IP Growth Ratio (φ6)                  0.028  0.016  0.039  0.021  0.932  0.374  0.56
Active features                       l1     l2     l3     l4     m1     m2     m3
AS diversity (φ7)                     0.04   0.364  0.383  0.396  0.25   0.5    0.193
BGP prefix diversity (φ8)             0.12   0.68   0.562  0.485  0.77   0.8    0.43
Organization diversity (φ9)           0.04   0.364  0.382  0.393  0.23   0.47   0.186
Country Code diversity (φ10)          0.04   0.136  0.033  0.078  0.054  0.212  0.05
Dynamic IP ratio (φ11)                0      0      0.015  0      0.132  0.32   0.385
Average Uptime Index (φ12)            0.993  0.925  0.778  0.95   0.148  0.063  0.088
Table 3.1: Examples of legitimate (l1-l4) and malicious (m1-m3) flux networks and their passive and active feature values.
online pharmacy scam scheme. As we discussed in Section 3.2.5, we use the C4.5 decision tree classifier to automatically distinguish between clusters of domains related to malicious flux networks and clusters related to legitimate or non-flux networks. We discuss the details of how we trained and tested our classifier later in this section. Here it is important to notice that one of the reasons we chose the C4.5 classifier is that the decision tree obtained after the training period is relatively easy to interpret [Quinlan (1993)]. In particular, we noticed that when using the passive features described in Section 3.2.5 for training, the classifier indicated that the IP Growth Ratio (feature φ6) is the most discriminant feature (i.e., the root of the decision tree). It is easy to see that this is actually the case for the examples reported in Table 3.1, where the malicious flux networks have a value of φ6 that is always higher than the one computed for the legitimate networks. This confirms that the rapid change of the resolved IPs of flux domains is a distinctive characteristic of malicious flux service networks.
Since we focus on classifying malicious flux services, and considering that the number of flux agents for each flux service network is usually very high, we only consider clusters of domains for which overall we observed at least φ1 > 10 resolved IPs. With the help of our graphical interface, during the entire month of March 2009 we were able to label 670 clusters as being related to malicious flux networks of various kinds (e.g., flux networks serving malware, adult content, phishing websites, etc.), and 8541 clusters as non-flux/legitimate clusters, including clusters related to different CDNs, NTP pools, IRC pools, and other legitimate services.

                AUC            DR            FP
All Features    0.992 (0.003)  99.7% (0.36)  0.3% (0.36)
Table 3.2 (excerpt): classification accuracy.
Using this labeled dataset and a 5-fold cross-validation approach, we evaluated the accuracy of our classifier. The obtained results are reported in Table 3.2. It is easy to see that our network classifier is able to reach a very high Area Under the ROC Curve [Bradley (1997)], and a high detection rate and a low false positive rate at the same time. We performed experiments using three different sets of features. First, we used all the passive and active features described in Section 3.2.5 to characterize clusters of domains. Afterwards, we repeated the same experiments using only the passive features (second row in Table 3.2). From this last experiment, the C4.5 learning algorithm generated a decision tree whose root was feature φ6, with features φ3 and φ5 as children nodes at the top of the tree. This indicates that these three features tend to be the most useful ones for distinguishing between malicious flux networks and legitimate networks. For the sake of comparison, we evaluated the classification performance of our classifier using only these three features. As we can see from the third row in Table 3.2, only three features are sufficient to obtain very good classification results, although using all the available features produces slightly better results. Furthermore, we evaluated our classifier in an operational setting. Namely, we used the entire labeled dataset described above to train our network classifier, and then we used the obtained classifier to classify new (i.e., not seen during training) clusters of domains obtained in the first 14 days of April. During this period we obtained an average of 448 clusters per day (again, considering only clusters for which φ1 > 10), 26 of which were classified as being related to flux service networks. We manually verified that the classifier correctly labeled clusters related to malicious flux networks with very few false positives, thus confirming the results reported in Table 3.2. Overall, during the entire 45-day evaluation period, between March 1 and April 14, 2009, we detected an average of 23 malicious flux service networks per day, with a total of 61,710 flux domain names and 17,332 distinct IP addresses related to flux agents.
3.4 Applications
From March 2009 up to now (February 2010), Flux Buster has been continuously detecting (new) malicious fast-flux networks. Furthermore, since July 2009, RDNS traffic has been collected from two additional sensors, in Italy and the USA respectively. Overall, from March 2009 up to February 2010, we detected about 180,000 unique IP addresses associated with flux agents. This figure clearly indicates the relevance of the threat posed by fast-flux networks. Figure 3.11 shows the distribution of these flux agents among different countries⁶. It is easy to see that a substantial fraction of flux agents are located in the USA, and this is in agreement with results from other fast-flux detectors (e.g., [Atlas, DNSBL]). Almost all flux networks are employed to support web-based scams, from illegal adult websites to phishing scams involving high-profile companies. Table 3.3 shows some examples of malicious fast-flux networks. From these examples, it is clear that these networks are employed for a wide range of scams against web users. However, depending on the scam type, fast-flux domains may have different characteristics. In particular, we found that phishing websites have a short lifetime (e.g., a few days), in contrast to adult websites, which may be active for months. We speculate that this may be due to the relatively higher effort that organizations (e.g., banks, governments) put into fighting phishing websites.
In any case, no legitimate websites are hosted by fast-flux networks. If a website is hosted by a flux network, it is very likely that it is malicious and should be blocked. Since this detection task is inherently difficult, in this Section we propose two client-side security applications, supported by the output of Flux Buster. Our goal is to prevent users from retrieving malicious content hosted through malicious fast-flux networks.
Figure 3.12 shows the number of websites that have been visited (in yellow) by the Google safebrowsing engine. It is worth noting that out of 16,375 flux domain names, only 629 (3.8%) of them are related to analyzed websites. Among all flux domain names that have been analyzed by Google safebrowsing, 87.3% (529) have been recognized as malicious.

⁶ The country has been obtained by means of the whois service of the Cymru team.
These results highlight some important characteristics of flux domain names. First, it is clear that most flux domain names are actually unknown to Google (i.e., they are not related to websites analyzed by Google safebrowsing). As a consequence, we speculate that most flux domain names are advertised by webpages not indexed by Google, or by means of non-web-based forms of advertisement. In fact, during our experiments we came across several compromised websites with injected HTML code of the following form: a META tag prevents search engines from indexing any link within the page; then, a list of links pointing to malicious scripts hosted through fast-flux networks is provided. Miscreants provide redundant links to the same script by means of different fast-flux domain names, so that the exploit works if any of these domain names is active. Thus, the injected client-side exploit is aimed at forcing the user's browser to fetch (and execute) malicious scripts while preventing search engines from indexing the related links.
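The injection pattern described above (a robots/noindex META tag plus the same script replicated across several fast-flux domains) suggests a simple heuristic detector. The sketch below, including the regular expressions and the min_domains threshold, is entirely our own illustration and is not part of Flux Buster:

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Match a <meta name="robots" content="noindex..."> tag.
NOINDEX_RE = re.compile(
    r'<meta[^>]+name=["\']robots["\'][^>]+content=["\'][^"\']*noindex', re.I)
# Extract absolute URLs from href/src attributes.
HREF_RE = re.compile(r'(?:href|src)=["\'](https?://[^"\']+)["\']', re.I)

def looks_like_flux_injection(html, min_domains=3):
    """Heuristic: flag pages combining a noindex META tag with the same
    resource path replicated across several distinct (fast-flux) domains."""
    if not NOINDEX_RE.search(html):
        return False
    hosts_by_path = defaultdict(set)
    for url in HREF_RE.findall(html):
        u = urlparse(url)
        hosts_by_path[u.path].add(u.hostname)
    return any(len(hosts) >= min_domains for hosts in hosts_by_path.values())
```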
Our analysis shows that most websites related to fast-flux domain names analyzed by Google are recognized as malicious. However, some of these are recognized as legitimate by Google safebrowsing. For example, this is the case for the following flux domain names:
online.lloydstsb.co.uk.2z6ht9vcfl.com
online.lloydstsb.co.uk.3yjvl43o3a.com
online.lloydstsb.co.uk.5nfq2v9ph9.com
online.lloydstsb.co.uk.623hneczc1.com
online.lloydstsb.co.uk.g6eyxto9ri.com
It is easy to see that these malicious domains have been employed for a bank phishing scam. Nevertheless, they are deemed legitimate by Google. Figure 3.14 shows the Google safebrowsing report on one of these fast-flux domain names. We obtained a similar result by checking fast-flux domain names against the domain blacklist of www.malwaredomains.com (see Figure 3.13). Malwaredomains' blacklist is valuable since it is compiled from a variety of reliable sources [Likarish (2009)]. Nevertheless, only 715 fast-flux domain names (4.4%) are actually recognized as malicious. This highlights that the passive acquisition of RDNS queries/replies on large computer networks provides a privileged observation standpoint.
Summarising, our study shows that Flux Buster may signal a relevant number of
malicious domain names which are not noticed by the Google safebrowsing blacklist
(on average, about 5,250 domain names per month). The key point is that we
may detect such malicious domain names independently of the way they are
advertised. Besides this contribution, we may provide real-time detection of
malicious domain names. Real-time detection is fundamental to protect users
against phishing scams and spam emails. These aspects are studied in the following
section.
A similar spam detection process may be used for types of spam different from
email spam. For example, using a browser plug-in, this spam detection process may
be extended to identify blog spam, social network spam, etc., before the users access
the malicious content. Therefore, it is easy to see that the output of our malicious
flux detection system may contribute to a number of different spam filtering appli-
cations. Also, enterprises may set up their own Recursive DNS to identify malicious
domain names using this approach. For example, the RDNS may provide users with
the set of resolved IPs only if a domain name is deemed legitimate. Otherwise, it may
just return the IP address of a local machine to prevent client-side applications from
loading malicious content from flux agents. This way, all employees and client-side
applications may be protected.
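The RDNS-based blocking idea described above can be sketched as follows; the sinkhole address, the blacklist entries, and the naive registered-domain extraction are illustrative assumptions, not part of Flux Buster itself:

```python
# Sketch of the RDNS filtering idea: if a requested domain is deemed
# malicious, return a local sinkhole address instead of the real resolved
# IPs. All names and addresses here are illustrative assumptions.
SINKHOLE_IP = "192.0.2.1"  # local machine, e.g. serving a warning page

flux_blacklist = {"2z6ht9vcfl.com", "3yjvl43o3a.com"}  # hypothetical entries

def resolve(domain: str, upstream_ips: list) -> list:
    # Naively reduce the queried name to its last two labels; a real
    # resolver would use a proper public-suffix-aware extraction.
    registered = ".".join(domain.split(".")[-2:])
    if registered in flux_blacklist:
        return [SINKHOLE_IP]  # prevent clients from reaching flux agents
    return upstream_ips

print(resolve("online.lloydstsb.co.uk.2z6ht9vcfl.com", ["203.0.113.7"]))
# -> ['192.0.2.1']
```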
In order to measure to what extent our detection system may benefit email spam
filtering, we proceeded as follows. We obtained a feed of URLs extracted from spam
emails captured by a mid-size email spam-trap during a period of 30 days, between
March 1 and March 30, 2009. This feed provided us with an average of 250,000 spam-
related URLs per day, from which we extracted about 86,000 new (i.e., never seen
before) domain names per day. Let D_{k+1} be the set of spam-related domain names
collected on day k+1, S^{(d)}_{k+1} be the set of resolved IPs obtained by performing
one DNS query for domain d ∈ D_{k+1}, and R̂^{k}_{k−l} be the overall set of IP
addresses of flux agents detected by our malicious flux network detection system in
the period from day k−l to day k. In order to obtain a suspiciousness score s(d) for
domain d, we use the similarity metric defined in Equation 3.1 to compute
s(d) = sim(S^{(d)}_{k+1}, R̂^{k}_{k−l}), i.e., the degree of overlap between the
resolved IPs of domain d and the malicious flux networks we were able to detect
from RDNS traffic. If the value s(d) exceeds a predefined threshold θ, we classify
the domain name d as malicious; otherwise we classify it as legitimate. We repeat
this process for each spam-related domain name d ∈ D_{k+1} to estimate the detection
rate of the proposed approach, namely the percentage of spam-related domain names
that may be identified by a spam filter. Furthermore, we considered the list of
domain names related to the top 600,000 most popular web sites according to Alexa
(www.alexa.com) to estimate the false positives that may be generated by our
detection approach. Let A be the set of these popular websites. For each domain
α ∈ A, we perform a DNS query, collect the set of resolved IP addresses R^{(α)},
and compute the similarity score s(α) = sim(R^{(α)}, R̂^{k}_{k−l}) analogously.
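The scoring and thresholding steps described above can be sketched as follows; a Jaccard-style overlap stands in for the similarity metric of Equation 3.1 (which is not reproduced in this section), and the threshold value is illustrative:

```python
def sim(resolved_ips: set, flux_agent_ips: set) -> float:
    # Degree of overlap between the IPs resolved for a domain and the pool
    # of detected flux agents. A simple overlap ratio is used here as a
    # stand-in for the metric of Equation 3.1.
    if not resolved_ips:
        return 0.0
    return len(resolved_ips & flux_agent_ips) / len(resolved_ips)

def classify(resolved_ips: set, flux_agent_ips: set, theta: float = 0.5) -> str:
    # theta is an illustrative threshold value.
    return "malicious" if sim(resolved_ips, flux_agent_ips) > theta else "legitimate"

flux_pool = {"198.51.100.1", "198.51.100.2", "198.51.100.3"}
print(classify({"198.51.100.1", "198.51.100.2"}, flux_pool))  # -> malicious
```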
First and foremost, we may detect only fast flux domains which are resolved by
at least one user in the monitored networks. Thus, a reasonable statistical sample of
popular fast flux domains (and their resolved IPs) may be obtained only if we collect
RDNS traffic in large computer networks (as in our case). Thus, our approach may
be effective only if applied on large computer networks, such as those managed by
Internet Service Providers. This implies that ISPs must collaborate and allow the
acquisition of RDNS traffic.
Furthermore, even if our prefiltering stage is very conservative, it could be possi-
ble that some flux domain names are erroneously prefiltered. To this end, a detailed
evaluation is required. For example, we could select filtered domain names whose
patterns are placed near the decision surface of our prefiltering stage. Then, we may
analyze them using other fast flux detection tools (e.g. [DNSBL]).
More importantly, due to the massive amount of data Flux Buster has to process,
its responsiveness is low. That is, it may require two or three days before reaching
a decision about a domain name. However, this limitation may be reduced by
employing the detection approach described in Section 3.4.2.
On the other hand, flux operators may inject some noise into the pool of flux
agents detected by Flux Buster. For example, the false positive malicious domain
names in Section 3.4.2 were caused by a few legitimate IP addresses in our list of
flux agents. A detailed analysis revealed that this was caused by some non-
conventional flux domain names. These domain names resolved, using a fast flux
technique, both to legitimate IP addresses pointing to web services such as search
engines (e.g. Google, Virgilio) and to flux agents. Of course, this approach is in
some way counterproductive from the flux operator's point of view, since some users
may be redirected to legitimate websites. We speculate that this behavior may be due
to some configuration test performed by flux operators. However, in principle, fast
flux operators may deliberately inject some legitimate IP addresses into the pool of
flux agents. They have to pay with some reduced effectiveness of their flux domain
names, but in such a way they may affect the reliability of our system.
In order to cope with this issue, we may filter known-as-legitimate IP addresses
from the pool of flux agents, e.g. by extracting all IP addresses used by the most
popular websites according to legitimate organizations such as Alexa.
Finally, Flux Buster is not opposed to other fast flux network detection
tools employing active approaches; it simply adopts a complementary approach.
Thus, for a clearer view of the fast flux phenomenon, it is necessary to correlate
information from multiple tools employing different approaches and different
input data sources. Also, the output of Flux Buster should be public in order to
benefit the security community. Unfortunately, due to some privacy issues this is
not (currently) possible. However, we may allow access to security researchers
(visit the official website http://dnsrecon.gtisc.gatech.edu).
[Figure: number of candidate flux domains (×10^4) and DNS query volume (×10^9)
observed by Sensor 1 and Sensor 2.]
Figure 3.8: The Flux Buster validation interface, showing a fast flux network identi-
fied by Flux Buster. Through such an interface we may further obtain information
regarding the detected flux networks, as well as validate them and identify the scam
typology they support.
3.4. Applications 51
Figure 3.9: The Flux Buster validation interface, showing a legitimate network
identified by Flux Buster. As we can see, multiple domains of the European NTP
pool are grouped together.
[Figure: dendrogram resulting from the hierarchical clustering of domains d1–d9.]
[Figure 3.11 pie chart: per-country percentages of flux agents, including US, RU,
JP (8.1%), ES (4.0%), RO (3.5%), DE, and Others.]
Figure 3.11: Distribution of flux agents (detected by Flux Buster) among different
countries.
Figure 3.12: Unique flux domain names detected in the time interval November 3,
2009 – February 2, 2010 (blue). Among them, only 629 are related to websites
analyzed (visited) by the Google safebrowsing engine (yellow). Out of all visited
websites employing the fast flux technique, 87.3% (529) have been evaluated as
malicious by the Google safebrowsing engine (red).
Figure 3.13: Unique flux domain names detected in the time interval November 3,
2009 – February 2, 2010 (blue). Among them, only 715 are noticed by
www.malwaredomains.com.
Figure 3.14: Google safebrowsing's diagnostic page for a fast flux domain name used
for bank phishing purposes.
Figure 3.15: Example of how our malicious flux network detection system can benefit
spam filtering.
Criminals need only find one open door to get in, whereas
defenders need to protect all the doors.
Unknown
Cyber criminals aim at exploiting the web to their own advantage, without
qualms about the rights of other Internet users. As we have seen in the previous
section, fast flux networks represent a sophisticated threat to web users. In the case
of flux networks, the attacker works at the server side. On the other hand, miscre-
ants may operate at the client side. They may attack web services to steal confi-
dential information, acquire high-level privileges on targeted servers, or slow down
or completely disrupt services. These attacks may cause financial and image damages,
and may also affect the users who subsequently access these services. Thus, it is
not sufficient to enhance client-side web security. In order to enhance web security,
we must also improve the security of web services. This is clear from all recent Inter-
net security reports (see Section 2.3.2). In recent years there has been a lot of effort
to improve the security of web applications. Many international organizations, such
as the OWASP foundation and the Web Application Security Consortium, are specifi-
cally dedicated to enhancing the security of web applications. Nevertheless, there is
still a significant lack of awareness and security training among most web developers.
Also, the complexity of web services makes server-side security an intrinsically
difficult problem.
Web application firewalls (WAF) represent the state-of-the-art instrument to
block malicious web requests. However, they adopt a rule-based approach that
makes protecting web services over time expensive and challenging.
To cope with this problem, we focused our research on anomaly-based approaches
to the detection of server-side web attacks. In this section we present our research
contributions. First, in Section 4.1 we outline the threat model for web services.
In Section 4.2 we summarize related work on the detection of attacks against web
services.
Then, in Section 4.3 we present HMM-Web, an anomaly-based IDS for the detec-
tion of attacks against web applications. HMM-Web may be trained autonomously,
and we will show experimentally that it produces a very high detection rate and a
very low false positive rate. A key contribution of HMM-Web is its capability of
explicitly
58 Chapter 4. Protecting Web Services
handling and detecting attacks (i.e. noise) within its training set. The main limita-
tion of HMM-Web is that it analyzes web server logs. From web server logs we may
not observe some fields of the web requests. For example, web application inputs
sent through an HTTP POST request cannot be analyzed from the web server's log.
In addition, attacks can be carried out at the HTTP/HTTPS level, i.e. against the
web server. These attacks are typically performed by submitting web requests having
malicious fields. For example, an (unexpectedly) large value for the message
chunk length may be used to exploit an integer overflow vulnerability (chunked
encoding attack) [Mutz et al. (2005)]. In general, a vulnerability in the web server's
request processing may allow the attacker to execute arbitrary instructions, cause a
Denial of Service, bypass Secure Sockets Layer authentication, or include arbitrary
HTML code in the web server's reply (Cross-Site Scripting, XSS) [Apache
Vulnerabilities].
Last, but not least, attacks may leverage web application vulnerabilities. As
mentioned in Section 2.1, web application attacks constitute the primary threat to
web services. Web applications may be attacked by submitting well-crafted inputs
that exploit input validation or logical flaws. Cross-Site Scripting and SQL Injection
are the most popular attacks, and both leverage input validation flaws [Spett (2002)]
[WASC (2010)].
For example, let us consider a hotel website based on the popular open-source
CMS Joomla and employing the so-called Joomla Hotel Booking System Compo-
nent. Version 1.x of such a component is vulnerable to XSS and SQL Injection
[K-159 (2009)]. In particular, input passed via the h_id and id attributes of the
web application longDesc.php is not properly validated before being used in SQL
queries.
4.1. Threat model 59
The Joomla CMS maintains a SQL table jos_users with a row entry for each
user. Each row entry contains the username and password (hashed using the MD5
algorithm) of a Joomla user. For example, we may have:

username  password
admin     1a1dc91c907325c69271ddf0c944bc72
joe       c1572d05424d0ecb2a65ec6a82aeacbf
...       ...

An attacker may then submit the following request:

http://www.vulnerablehotel.com/components/com_hbssearch/longDesc.php?h_id=1&
id=-2%20union%20select%20concat%28username,0x3a,password%29%20from%20jos_users
This SQL Injection attack exploits an input validation flaw on the attribute id in
order to execute arbitrary SQL instructions on the back-end MySQL database. The
application longDesc.php will return a page containing the usernames and hashed
passwords of the Joomla users. Then, the attacker may run (offline) an automated
password guessing attack to recover the passwords (including the admin password).
Administrator access to the booking portal allows the attacker to perform any
kind of manipulation, by just using the CMS.
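Decoding the percent-encoded id parameter shows the SQL fragment that reaches the back-end database; a minimal sketch using Python's standard library:

```python
from urllib.parse import unquote

# Percent-encoded value of the id parameter from the request above.
payload = ("-2%20union%20select%20concat%28username,0x3a,password%29"
           "%20from%20jos_users")

# unquote() performs standard percent-decoding (%20 -> space, %28 -> "(", ...).
print(unquote(payload))
# -> -2 union select concat(username,0x3a,password) from jos_users
```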
The XSS vulnerability may be exploited in a similar way. If the following request
is submitted:

http://www.vulnerablehotel.com/index.php?option=com_hbssearch
&task=showhoteldetails&id=118&adult=2<script src=http://www.dbrgf.ru/script.js>

the injected script tag will be included in the HTML page generated by index.php.
This allows an attacker to run arbitrary Javascript code (retrieved from
http://www.dbrgf.ru/script.js) on the user's browser. For example, the malicious
code may be hosted through a fast flux network (e.g. www.dbrgf.ru is a fast flux do-
main name). The malicious code may exploit client-side vulnerabilities, steal the
user's cookies, or steal any other confidential information in the context of the
affected site.
Moreover, the same attack may be obfuscated, e.g. through URL encoding, in order
to evade signature-based detection:

http://www.vulnerablehotel.com/index.php?option=com_hbssearch
&task=showhoteldetails&id=118&adult=2%3C%73%63%72%69%70%74%20%73%72%63%3D
%68%74%74%70%3A%2F%2F%77%77%77%2E%64%62%72%67%66%2E%72%75%2F%73%63%72%69
%70%74%2E%6A%73%3E

Similarly, a wide range of advanced techniques for evading WAFs is available for SQL
Injection [Mac Vittie (2007)] [L0t3k].
From such an example, it may seem easy to avoid XSS and SQL Injection vulnera-
bilities: we should just ensure that the h_id and adult attributes receive only
integer values. Nevertheless, in general this may not be an easy task. The
key point is that web applications (such as those used by Joomla) may be high in
number and may be very complex (i.e. perform complex operations). Web
applications may handle many inputs, and it is necessary to take into account all
possible input combinations and exceptions. This is not straightforward, and unfor-
tunately, most web developers lack the security training needed to cope with the
most common software flaws. Also, web applications are often developed under
strict time constraints.
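Such a whitelist-style integer check can be sketched as follows; the function name and range bounds are illustrative assumptions, not the component's actual logic:

```python
def validated_int(raw: str, lo: int = 1, hi: int = 10_000) -> int:
    # Accept only plain integers in an expected range; reject anything else
    # (including SQL or script fragments) before the value reaches a query.
    if not raw.lstrip("-").isdigit():
        raise ValueError(f"non-integer input rejected: {raw!r}")
    value = int(raw)
    if not lo <= value <= hi:
        raise ValueError(f"out-of-range input rejected: {value}")
    return value

print(validated_int("118"))  # -> 118
```

With such a check in place, the injection payload shown earlier would be rejected before it could be interpolated into a SQL query.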
In [Kruegel et al. (2005) (a)], the authors proposed a multi-model framework
for the detection of attacks against web applications. They modelled (legitimate)
queries using both spatial features (related to a single request) and temporal fea-
tures (related to multiple consecutive requests). Different models were applied to
represent these features, the HMM being the most powerful of them. In particular,
they codified web application queries by extracting the sequence of attributes and,
1. Actually, Snort may also employ an anomaly-based preprocessor, i.e. the Statistical Packet
Anomaly Detection Engine (SPADE). However, it is not specifically developed to detect web ap-
plication attacks; instead, it looks for anomalies in some statistical features of the network traffic.
4.2. Detecting attacks against web services 61
for each attribute, its input, codified as a sequence of characters. HMM were
used to model attribute inputs without taking into account the typical semantic dif-
ferences between classes of characters (alphabetic, numeric, non-alphanumeric),
which usually determine their meaning. Moreover, the authors definitely did not
exploit the power of such a model, because they rounded every non-zero probability
value to one. Finally, the training set was assumed to be free of attacks, after
filtering it with a signature-based IDS in order to throw out at least the known
attacks.
In [Robertson et al. (2006)], the authors adopt an anomaly detection approach
very similar to [Kruegel et al. (2005) (a)]. However, they also group anomalies ac-
cording to their typology and infer the associated attack class according to a set of
heuristics based on known attack patterns. This is a very interesting approach, for
two main reasons. First, by grouping anomalies having similar features, we may
group together false alarms, and thus it should be easier for a security administrator
to cope with a relatively high amount of false alarms. Second, anomaly-based systems
typically provide poor information about the type of attack that is associated with
an anomaly. Thus, it is interesting to automatically infer the attack class to which
an anomaly is associated.
In [Bolzoni and Etalle (2008)] the authors propose to subdivide web applica-
tion inputs into two classes, regular and irregular. Depending on the class, they
apply a different machine learning approach to the modeling of their legitimate val-
ues. In particular, regular inputs are automatically modeled using regular expres-
sions, whereas irregular ones are modeled using a simpler approach (based on a
previously developed anomaly-based IDS). This is justified, since different inputs
may have very different variability. For example, the attribute id in the exam-
ple of Section 4.1 should receive only integer values. On the contrary, some other
attributes may receive very variable inputs. As an example, this is the case of
the attribute q in the web application employed by the Google search engine (i.e.
http://www.google.com/search?q=searchkey). It receives the search key, which may
contain any character. Similarly to [Kruegel et al. (2005) (a)], the main limitation
of the approach is that it is not able to cope with noise in the training set. The
authors of [Bolzoni and Etalle (2008)] collect the training set from production web
servers and throw out known attacks employing a signature-based IDS and through
manual inspection. However, in general this may not be sufficient, and training set
noise may significantly affect the modeling of legitimate inputs [Cretu et al. (2008)].
In [Ezeife et al. (2008)] malicious HTTP requests are detected using a mixture
of legitimate traffic models and high-level signatures for web attacks. High-level
signatures are defined in an a priori fashion, on the basis of typical attack patterns.
For example, the presence of the < and > characters in web application inputs may
indicate XSS attacks, whereas the quote character ' may indicate a SQL Injection
attack. Furthermore, legitimate web application inputs are described using simple
models, built using a sample of real HTTP traffic on the web server. They model
the set of attributes and the length of their values. An anomaly score is increased
whenever a high-level signature matches the current request (or multiple requests),
or web application inputs do not match the model of legitimate inputs. If this
62 Chapter 4. Protecting Web Services
the ratio between successful and unsuccessful requests performed by the source IP
address of the request. They employ a labeled training set containing legitimate
HTTP traffic from production web servers and (injected) known attacks, in order
to bootstrap the models of the agents. Then, the agents are able to self-adapt their
models by analyzing new requests. The approach is interesting, and the authors
showed that self-adaptation may allow detecting and modeling new attack instances.
However, the authors experimented with generic attacks, i.e. known attacks against
web servers and applications. Such generic attacks are easy to evidence, since they
typically fail; for example, they may target web applications which are not installed
on the web server, or other types of web servers. On the contrary, web application
attacks are tuned according to the specific application inputs in order to be effective.
Thus, the actual performance of the approach in [Guyet et al. (2009)] remains to be
verified.
The paper [Torrano et al. (2009)] proposes an anomaly-based WAF. The authors
store the definition of legitimate requests in an XML file. In particular, the XML
file describes legitimate values for the request method and headers, and the allowed
paths for request URIs. Also, for each web application attribute, the XML file
describes (a) the set of allowed non-alphanumeric characters, and the maximum and
minimum allowed (b) input length, (c) number of digits, (d) number of letters, and
(e) number of non-alphanumeric characters. This approach is simple and very
effective in detecting web application attacks that leverage input validation flaws.
However, a key problem of the approach is that the inference of the legitimate
profile requires a clean training set. Unfortunately, in a real environment, such a
training set is very hard to obtain. An additional problem is taking into account
equivalent URIs. This may cause false positives, since the same resource may be
identified by multiple URIs (see for example mod_rewrite of the Apache web server),
but only a small portion of them may be present in the training set, and thus
recognized as legitimate. Moreover, this system is not able to inspect HTTPS (i.e.
the typical protocol used for web services managing sensitive information), since it
acts in a way similar to an HTTP proxy.
2. Each token is a string comprised between two meta-characters within the set: [/, ?, =, &]
data. On the other hand, we explicitly codify queries to bring out the most relevant
semantic aspects of their structure. This operation substantially leads to better
IDS performance and to a reduced complexity of the learning task for the HMM.
Similarly to HMM-Web, Web Guardian is able to infer the normal profile of web
requests without supervision, explicitly coping with the presence of noise (attacks)
in the training set. Moreover, Web Guardian is a multi-model detection system.
This architecture may allow inferring the attack type from the raised anomalies.
This is important to provide more informative security reports with respect to
state-of-the-art anomaly detection systems. The idea is similar to those proposed
in [Robertson et al. (2006)] and [Bolzoni et al. (2009)].
4.3 HMM-Web
Our aim is detecting both simple and sophisticated attacks against each web ap-
plication that resides on a web server. Focusing on this goal, the IDS is composed
3. That is, Web Guardian provides an additional protection against unknown attacks (or attacks
for which Modsecurity rules are not available).
4.3. HMM-Web 65
The following sections provide details about (a) the feature extraction process,
(b) the application-specific modules, (c) the decision module, and (d) the building of
HMM ensembles. Throughout these sections we will refer to Fig. 4.1, which shows
the IDS processing for a search.php application, which could be used to
list publications of a certain category (cat attribute) containing a key-word (key
attribute). It may finally be useful to remark that in some works the term web
application is used to identify a set of executables/scripts that offers a certain
number of services (e.g. a search engine: main page, database interrogation, image
generation). For the sake of clarity, in the following we will refer to each program
or script which generates dynamic web content as a different web application.
Web application queries are extracted from web server logs. In particular, we select
all requests whose method is GET and that receive a successful response (status
code 2xx, as described in [RFC 2616 (1999)]). Then, the web application and its
input query are obtained from the Uniform Resource Identifier (URI), by considering
the web server configuration and its URI parsing routine.
For a generic query, the sequence of attributes and, for each attribute, its in-
put string are extracted. Regarding the sequence of attributes, we consider each
attribute as a symbol of the sequence, as this is enough to detect anomalies either in
the order or in the presence of suspicious attributes. On the other hand, it is useful
to provide a more complex codification of attribute inputs w.r.t. the simple
extraction of the character sequence. By scrutinising attacks against web applica-
tions [CVE], it is evident that, typically, non-alphanumeric characters have higher
relevance than alphanumeric characters when interpreting the meaning of attribute
inputs. Non-alphanumeric characters could be used as meta-characters, with a spe-
cial meaning, during the processing made by web applications. Thus, a distinction
between them (e.g. between / and -) is definitely necessary. On the contrary,
distinguishing between digits or between alphabetic letters is not useful to detect
input validation attacks. Consequently, we substitute every digit with the symbol N
and every letter with the symbol A, while all the other characters remain the same.
For example, the attribute value /dir/sub/1,2 becomes /AAA/AAA/N,N. The
obtained sequence of symbols is then processed by the HMM.
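The codification just described can be sketched in a few lines (ASCII letters and digits are assumed here):

```python
import re

def encode_attribute(value: str) -> str:
    # Replace every digit with 'N' and every (ASCII) letter with 'A';
    # all other characters, e.g. meta-characters like / and -, are kept.
    return re.sub(r"[0-9]", "N", re.sub(r"[A-Za-z]", "A", value))

print(encode_attribute("/dir/sub/1,2"))  # -> /AAA/AAA/N,N
```

The resulting symbol sequence preserves the non-alphanumeric structure of the input while collapsing the uninformative distinctions among letters and among digits.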
• q(w_i): the set of queries for the i-th web application w_i, ∀i ∈ [1, M]. |q(w_i)|
is the number of queries for w_i.

• N = Σ_{j=1}^{M} |q(w_j)|: the total number of queries collected.

    α = (1/N) Σ_{i=1}^{M} α_i · |q(w_i)|        (4.1)

4. Braces and commas are not part of the sequence; we use them just to represent it.

    α_i = α / (M · freq(w_i)),  ∀i ∈ [1, M]        (4.2)
It is easy to see that, with such a setting, the smaller the frequency of a web
application, the larger the fraction of its training queries classified as suspicious. In
other terms, the weaker the assumption that the web application's queries are
legitimate, the bigger the fraction of training queries classified as suspicious.
We set an equal number of states for each HMM inside an ensemble. This
number is equal to the average length of the training sequences, rounded up to the
nearest integer. Also, an effective length definition is used: the length of a sequence
is given by the number of different symbols in that sequence. For example, in the
sequence {a, b, c, b, c} there are 3 different symbols, a, b and c; consequently, 3
is the effective length of this sequence. As a consequence of the heuristics we used
to fix the number of states, each state can be associated to an element of the
analyzed sequence, rather than to a particular state of the web application.
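The heuristic for choosing the number of states can be sketched as:

```python
import math

def effective_length(seq) -> int:
    # Number of distinct symbols in a sequence: (a, b, c, b, c) -> 3.
    return len(set(seq))

def num_states(training_seqs) -> int:
    # Average effective length of the training sequences, rounded up
    # to the nearest greater integer.
    avg = sum(effective_length(s) for s in training_seqs) / len(training_seqs)
    return math.ceil(avg)

print(num_states([("a", "b", "c", "b", "c"), ("a", "b")]))  # -> 3
```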
Both the state transition and the symbol emission matrices are randomly ini-
tialised. Considering IDS performance, this choice seems to be reasonable. In fact,
our IDS consists of a large number of HMM, and using a priori knowledge of the
problem to model the structure of the matrices could be a time- and effort-expensive
task. Finally, we build the dictionary of symbols by extracting them from the
training sequences. HMM in the same ensemble use the same dictionary.
Table 4.1: Working exploits and some papers used as reference for the attacks inside
dataset A. Both exploits and papers can be looked up on the [milw0rm] web site,
in the exploits and papers sections respectively.
4.3.6 Experiments
4.3.6.1 Dataset and performance evaluation
In order to test our IDS in a realistic scenario, we collected a data set of queries
from a production web server of our Academic Institution. Let us call D this dataset.
It consists of more than 150,000 queries collected over a period of six months. Queries
are distributed over a total of 52 web applications. In particular, 24 of these
applications provide services for registered users, while the remaining 28 provide
public services. As D consists of a set of real requests from a web server's log files,
it may contain both normal and attack queries. Our first goal is to assess IDS
performance in terms of false alarm rate and detection of attacks similar to those
which may be inside the training queries. To this end, each query inside D has been
labelled as attack or legitimate through a semiautomatic process, further described
in Sec. 4.3.6.1. Furthermore, D has been split randomly into 5 parts (all containing
the same number of queries) in order to apply a 5-fold cross-validation. As we are
dealing with real
traffic, each split of D will contain unknown attacks and, as a consequence of the
random sampling, we assume the percentage of attacks to be the same in all five
splits. Exploiting the labelling process, we evaluated both the false positive rate
(FPR) and the detection rate (DR) on D.
In order to evaluate the detection rate, we selected a set of attacks published
on [milw0rm] and used these as a basis to build a dataset (called A) of attacks
exploiting specific vulnerabilities in our set of applications. This dataset consists of
19 SQL Injection and 19 Cross-Site Scripting (XSS) attacks, on a subset of 18 web
applications (see Table 4.1).
It is worth noting that, due to privacy issues and the problem formulation,
public data sets are not available. However, there are attacks, such as those referred
to in [Ingham et al. (2007)], that are related to known vulnerabilities of widely
deployed and open-source web applications. On the other hand, in practice, web
applications which manage critical information (e.g. public administration, home
banking) are typically highly customised and their source code is not public. This
reflects our case as well, and it is the reason why the attacks inside A are derived
from well-known attacks, representing a version of them customised against the
applications in our set.
Thus, for each web application w_i having a relatively high number of queries, we
identified (and labelled) attack queries inside the training set by manually inspecting
the queries which receive the lowest probability. For web applications having a
relatively low number of queries, we inspected all training queries, because an attack
query might not receive a lower probability than a legitimate query (i.e. when the
majority of queries are attacks), as discussed in Sec. 4.3. In spotting attack queries
inside D, we exploited additional information.
We assessed legitimate inputs through the links contained inside web pages, when
browsing as a typical user. Moreover, in evidencing attack queries, we exploited our
expertise regarding typical attacks and, possibly, the corresponding output generated
by the web applications. In such a way, for each application w_i we computed the
corresponding fraction of attacks α*_i inside D.
Using such a method, we found an overall fraction of attacks inside D of
α* = Σ_{i=1}^{M} α*_i = 0.995%. These attacks were very similar to each other and
were mainly related to the injection of HTML code.
In addition, the graphs in Figure 4.2 confirm our intuition that the lower the
number of queries, the weaker the assumption that they are legitimate. In
fact, we observe that as the number of queries toward a certain application decreases,
the percentage of attacks among them tends to increase (about 10% of attacks for
the 9th application).
4.3.7 Results
In this section we summarise the experimental results when (1) a single HMM and (2)
multiple HMM are used to model a generic sequence. Our IDS has always been able
to detect all attacks inside dataset A, so in the following we will focus our analysis
on the evaluation of the FPR/DR on dataset D (average values over all splits).
Fig. 4.3 shows the performance of the proposed IDS for option (1), either
with the query codification used in [Kruegel et al. (2005) (a)] or with the proposed
codification. As we can see, the proposed query codification is really effective at
heavily reducing the false alarm rate. In particular, we computed the IDS performance
for different values of α, since in real scenarios we cannot rely on a precise estimation,
but only on raw estimates. On the other hand, at a small expense in terms of false
alarm rate, a positive value of α definitely enhances the detection rate of attacks.
It is evident that a precise value is not necessary, because even with a relatively
large value, i.e. α ≈ 3% (we know that attacks are about α∗i ≈ 1%), we are
able both to detect 96% of attacks and to raise a fraction of false alarms lower than
1%. The point α = 0 identifies the IDS performance when we are fully confident in the
legitimacy of the training queries, as in [Kruegel et al. (2005) (a)]. It is evident that
for the proposed query codification the lowest amount of false alarms is obtained
(about 0.4%), but a significant part (about 15%) of the attacks inside D cannot be
detected. However, it is fundamental to spot these attacks, as they may bring to light
vulnerabilities in web applications which are currently being exploited.
The results obtained with a single HMM are compared with those obtained using
3, 5 and 7 HMM per ensemble in Fig. 4.4. For small values of α, if the number
of HMM per ensemble increases, there is an improvement in performance. This is a
reasonable result, because using more models the IDS is able to better model the
information inside the training set. However, the improvement in performance is not
as large as we expected. This is because the proposed query codification (Sec. 4.3.1),
which simplifies the learning task for the HMM, reduces the advantages of modelling a
generic sequence using multiple HMM. In fact, in some preliminary experiments we
performed using the codification of [Kruegel et al. (2005) (a)], the improvement
in performance of multiple HMM was larger. Moreover, as the value of α
increases, the 4 curves become closer to each other. This may be explained by
noting that increasing α can lead to a heavy modification of the thresholds (through a
complex relationship), which may overwhelm the advantages of a more thorough
computation of the query probability.
4.4. Web Guardian 71
Now, it is worth noting that this assumption may not be valid for all features.
Some features may not be present in all web requests. As an example, even if we
consider a large number of web requests (e.g. one million), it is possible that a
web application receives only a few queries (e.g. 3 queries). In the worst case, these
few queries may have been performed by an attacker instead of a legitimate user. Thus,
it is important to keep track of the number of training samples for each model. It
reflects how far the training set may be assumed to be representative of legitimate
behavior. As a consequence, it tells us something about the reliability of the model
output. On the other hand, an operator may inspect those features having a very
low number of training samples. Due to the relatively low number of such samples,
this is not an expensive task.
This Section is organized as follows. Section 4.4.1 presents the proposed learning
framework. In that Section we also outline the limits of the framework. Section 4.4.2
describes the general models we adopt to describe web traffic features. In Section
4.4.3 we present and motivate all the features currently employed by Web
Guardian. The key components of the architecture of Web Guardian are described
in Section 4.4.4. Then, in Section 4.4.5 we present some preliminary experimental
results. These results are very promising, and clearly highlight that Web Guardian
may significantly improve the security of web services. However, Web Guardian is
still a work in progress: we are improving it and studying new functionalities.
In Section 4.5 we discuss current limitations and future work.
data collected from computer systems is related to legitimate activity, since outlier
patterns (noise) are typically rare events. However, the presence of outlier patterns
may not be avoidable, because the size of the data set makes the manual labeling of
outlier patterns very difficult or expensive. Also, due to the complexity of the patterns,
well-known outlier detection techniques may not be suitable.
Unfortunately, outlier patterns may significantly affect the classifier's performance
during the operational phase [Cretu et al. (2008)]. Moreover, such outlier patterns
might be deliberately generated by an adversary [Barreno et al. (2006)]. In this case
we speak of adversarial learning, since such malicious outlier patterns are aimed at
introducing persistent classification errors.

In this section, we present a general learning framework that may be applied
to any statistical model, including all the general models employed by Web Guardian.
The algorithm provides for an automatic filtering of noise inside the training set.
Furthermore, we study the limits of our framework, by defining the necessary
conditions that noisy patterns must meet in order to introduce errors in the target
(legitimate) class model.
4.4.1.1 Algorithm
i.e. target patterns have higher likelihood than outlier patterns. If condition
(4.3) is satisfied, then there exists an index R such that TR = {x1, x2, ..., xR} and
OW = {xR+1, xR+2, ..., xN}. Thus, the goal of one-class classification is to find
the value of R (which is unknown) that separates target patterns from outlier patterns.
Now, let us define the relative distance measure δ between two patterns xj and xk
as δ(xj, xk) = |f(j) − f(k)|. In agreement with the notion of one-class classification,
the distance δ between a target pattern and an outlier pattern is expected to be
higher than the distance δ between any two consecutive target patterns (or any two
consecutive outlier patterns). This means that the index R should satisfy:

5 Otherwise, they may not be considered as outliers.
It is interesting to note that the distance measure δ(xj, xj+1) may be viewed
as a particular version of the well-known Local Outlier Factor (LOF) for
xj+1 [Breunig et al. (2000)].

If conditions (4.3) and (4.4) are satisfied, R∗ = R, where R∗ is the index j for which the
distance δ(xj, xj+1) is maximum, i.e., R∗ = arg max_j {δ(xj, xj+1)}, j ∈ [1, N). Of
course, we must validate the obtained value R∗, by verifying that R∗ >> W∗, where
W∗ = N − R∗. At this point a new model m′ may be trained using only the patterns
x1, ..., xR∗. If the condition R∗ >> W∗ does not hold, we may set an ad-hoc flag to
signal this exception. An operator may then further inspect the training patterns near the
threshold R∗, to better understand the cause of the exception (e.g. it may be due
to a relatively low number of training samples).
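The filtering step above can be sketched in a few lines of Python. This is a minimal sketch under our own naming: the function name, the toy likelihood values, and the fixed margin used as a crude stand-in for the condition R∗ >> W∗ are all illustrative assumptions, not part of the thesis.

```python
def filter_training_set(likelihoods, margin=3):
    """Split likelihood-sorted training patterns into targets and outliers.

    likelihoods: values f(1) >= f(2) >= ... >= f(N) assigned by model m.
    Returns (r_star, valid): r_star is the number of patterns kept, and
    valid approximates R* >> W* by requiring r_star >= margin * w_star.
    """
    n = len(likelihoods)
    # delta(x_j, x_{j+1}) = |f(j) - f(j+1)|: gap between consecutive patterns
    gaps = [abs(likelihoods[j] - likelihoods[j + 1]) for j in range(n - 1)]
    # R* = argmax_j delta(x_j, x_{j+1}); on ties we keep the lowest index
    r_star = max(range(n - 1), key=lambda j: gaps[j]) + 1
    w_star = n - r_star
    valid = r_star >= margin * w_star
    return r_star, valid

# 8 target patterns with similar likelihoods, followed by 2 clear outliers
probs = [0.91, 0.90, 0.88, 0.87, 0.86, 0.85, 0.84, 0.83, 0.10, 0.05]
r, ok = filter_training_set(probs)
```

Note that taking the first maximal gap implements the tie-breaking rule stated later (the lowest value of R∗ is selected).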
An adversary could produce well-crafted traffic so that noisy patterns are generated
and either condition (4.3) or condition (4.4) is violated. If this happens, the system may
behave incorrectly, as outliers may be considered as targets (missed detections), or
targets may be considered as outliers (false alarms). In this section we express this
situation in terms of the a-posteriori probability of the model m, given such noisy
patterns.
Violation of condition (4.3). The a-priori probabilities for outlier and target
patterns can be estimated as p[X = xo] = W/(W + R) and p[X = xt] = R/(W + R),
respectively. Thus, applying the Bayes theorem, it is easy to see that the adversary
may attack the constraint in eq. (4.3) by submitting at least one outlier pattern xo
for which the model m has the following a-posteriori probability:

    p[M = m|xo] ≥ (R/W) · min_{xt ∈ TR} p[M = m|xt].    (4.5)
Case I. R∗ > R. There exists an index j such that the distance δ between two
consecutive outlier patterns is higher than the distance between patterns xR and
xR+1. In order to achieve Case I, the adversary has to submit outlier patterns with
different characteristics (otherwise, δ(xj, xj+1) = 0, ∀j ∈ [R + 1, N − 1]). Applying
the Bayes theorem, it can be seen that this requires:

    p[M = m|xR+1] > (R/2W) · p[M = m|xR].    (4.6)

This condition is less restrictive than condition (4.5).
Case II. R∗ < R. There exists an index j such that the distance δ between two
consecutive target patterns is higher than or equal to the distance between patterns
xR and xR+1. Applying the Bayes theorem, it is easy to see that in order to achieve
Case II, the adversary must generate at least one noisy pattern xo, for which:

    p[M = m|xo] ≥ (R/W) · (p[M = m|xR] − φ),    (4.7)

where φ = max{p[M = m|xi] − p[M = m|xi+1]}, i ∈ [1, R). Recall that if condition
(4.3) is satisfied, p[M = m|xR] = min_{xt ∈ TR} p[M = m|xt]. It is worth noting that
condition (4.7) is easier to achieve w.r.t. condition (4.5).
The value of φ in some sense quantifies how dissimilar target patterns are to each
other. The higher the value of φ, the easier it is for an adversary to achieve the
attack condition (4.7). On the other hand, in general, the lower the value of φ,
the more similar the feature values of target patterns, and the more difficult it is for
an adversary to violate conditions (4.3) and (4.4), because min_{xt ∈ TR} p[M = m|xt]
should increase. For this reason, a robust solution for one-class learning may be
based on an MCS, where each (one-class) classifier of the ensemble is trained using a
set of features showing similar values over target patterns (i.e. low values of φ).
experiments in Section 4.3.7 showed that an HMM ensemble attains only
a small performance improvement (in spite of an increased learning time). As in
HMM-Web, this model is built using the Baum-Welch algorithm [Rabiner (1989)].
Both the state transition and the symbol emission matrices are randomly initialised.
The dictionary of symbols is the overall set of distinct symbols encountered in the
training sequences. The number of states is given by the average number of unique
symbols of a sequence in the training set, rounded up to the nearest integer.

We train the HMM on the (raw) training set SN. Then, in order to cope with
training set noise, we apply the algorithm described in Section 4.4.1.1. At the end
of this phase, a probability threshold for the model is set. This threshold is given by
the minimum probability among those assigned to the (deemed) legitimate sequences
within the training set SN.
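The state-count rule above can be illustrated concretely. The function name and the toy codified sequences below are our own assumptions, used only to show the arithmetic.

```python
import math

def num_hmm_states(training_sequences):
    """Number of HMM states: the average count of unique symbols per
    training sequence, rounded up to the nearest integer."""
    avg = sum(len(set(seq)) for seq in training_sequences) / len(training_sequences)
    return math.ceil(avg)

# Three codified queries with 2, 3 and 1 unique symbols: average 2.0 -> 2 states
states = num_hmm_states(["AAN", "AN-A", "NN"])
```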
    R∗ = arg max_{i ∈ [1, N−1]} δ(xi, xi+1), where δ(xi, xi+1) = |xi − xi+1|.    (4.8)

This index reflects the number of (deemed) legitimate patterns in the training
set. As described in Section 4.4.1.1, the index R∗ is validated by verifying that
R∗ >> W∗, where W∗ = N − R∗. After this step, the new (filtered) training set
becomes SR∗ = {x1, x2, ..., xR∗}. If the condition R∗ >> W∗ fails, an ad-hoc flag is
set, in order to signal this exception to an operator. The operator may further
inspect the training patterns having index close to R∗ to understand the origin of this
exception.
The model is based on the mean µ = (1/R∗) Σ_{i ∈ [1,R∗]} xi and the variance
σ² = (1/(R∗ − 1)) Σ_{i ∈ [1,R∗]} (xi − µ)² of the values inside SR∗. Using these
parameters, we compute the probability of the maximum value within the set SR∗
(see next paragraph). This will be the probability threshold of the model.

6 If multiple values for R∗ are found, we select the lowest value.
Detection. During the detection phase, the probability of a certain value x is given by⁷:

    p[x is legitimate|model-b] = p[|X − µ| ≥ |x − µ|] = σ²/(x − µ)²   if x ≥ µ + σ
    p[x is legitimate|model-b] = 1                                    otherwise
    (4.9)
This equation is obtained from the well-known Chebyshev inequality:

    p[|X − µ| ≥ q] ≤ σ²/q²

with q = x − µ, considering the upper bound for p[|X − µ| ≥ |x − µ|]. Moreover,
since p[|X − µ| ≥ |x − µ|] ≤ 1, it follows that the Chebyshev inequality should be
used only when x ≥ µ + σ. The same model is used in [Kruegel et al. (2005) (a)].
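Model B's training and detection steps can be sketched as follows. The function names and the toy training values are our own; the scoring follows eq. (4.9), and the threshold is set to the score of the maximum training value, as described above.

```python
def model_b_probability(x, mu, sigma):
    """Chebyshev-based legitimacy score (eq. 4.9): the bound
    sigma^2 / (x - mu)^2 is used only when x >= mu + sigma,
    since otherwise it would exceed 1."""
    if x >= mu + sigma:
        return sigma ** 2 / (x - mu) ** 2
    return 1.0

def train_model_b(values):
    """Fit mean and variance on a (filtered) training set S_{R*} and set the
    probability threshold to the score of the maximum training value."""
    r = len(values)
    mu = sum(values) / r
    var = sum((v - mu) ** 2 for v in values) / (r - 1)  # unbiased variance
    sigma = var ** 0.5
    return mu, sigma, model_b_probability(max(values), mu, sigma)

# e.g. header-input lengths observed during training (illustrative values)
mu, sigma, thr = train_model_b([5, 6, 7, 5, 6, 8, 6, 7])
# a 40-character input scores far below the threshold, hence anomalous
anomalous = model_b_probability(40, mu, sigma) < thr
```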
    R∗ = arg max_{j ∈ [1, K−1]} δ(ωj, ωj+1), where δ(ωj, ωj+1) = |count(ωj) − count(ωj+1)|.    (4.10)
This index reflects the number of unique symbols deemed legitimate in the
training set. The index R∗ is validated by verifying that

    Σ_{j ≤ R∗} count(ωj) >> Σ_{j > R∗} count(ωj).    (4.11)

That is, we verify that the great majority of the symbols in the training
set is assumed to be legitimate. After this step, we consider only the symbols
having index lower than or equal to R∗: Ωnew = {ω1, ω2, ..., ωR∗}, Onew =
{count(ω1), count(ω2), ..., count(ωR∗)}. Then, the probability of each distinct
symbol ωi is given by its relative frequency:

    p[x is legitimate|model-c] = count(ωi) / Σ_{j ∈ [1,R∗]} count(ωj)    (4.12)
7 Since large values should receive lower likelihood, we compute the probability that the random
variable X, having mean µ and variance σ², exceeds the value x.
8 If multiple values for R∗ are found, we select the lowest value.
If the condition of eq. 4.11 does not hold, an ad-hoc flag is set, in order to signal
this exception to an operator. The operator may further inspect the symbols in Ω
having index close to R∗, in order to understand the origin of
this exception. The probability threshold of this model is given by the minimum
probability among those assigned to the symbols in Ωnew.

    p[x is legitimate|model-c] = count(x) / Σ_{j ∈ [1,R∗]} count(ωj)   if x ∈ Ωnew
    p[x is legitimate|model-c] = 0                                     otherwise
    (4.13)
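Model C can be sketched as follows. This is a minimal sketch: the max-gap split mirrors eqs. (4.10)-(4.13), while the function names, the fixed validation margin (a crude stand-in for eq. 4.11), and the toy request methods are our own assumptions.

```python
from collections import Counter

def train_model_c(symbols, margin=3):
    """Sort symbols by decreasing count, split at the largest count gap
    (eq. 4.10), check that the kept symbols carry most of the observations
    (approximating eq. 4.11), and return their relative frequencies
    (eq. 4.12) plus the minimum-probability threshold."""
    counts = Counter(symbols).most_common()            # [(symbol, count), ...]
    gaps = [counts[j][1] - counts[j + 1][1] for j in range(len(counts) - 1)]
    r_star = (max(range(len(gaps)), key=lambda j: gaps[j]) + 1) if gaps else len(counts)
    kept = counts[:r_star]
    kept_mass = sum(c for _, c in kept)
    valid = kept_mass >= margin * sum(c for _, c in counts[r_star:])
    probs = {s: c / kept_mass for s, c in kept}
    return probs, min(probs.values()), valid

def model_c_probability(x, probs):
    return probs.get(x, 0.0)        # unseen symbols get probability 0 (eq. 4.13)

# e.g. request methods in a training set, with one suspicious TRACE request
methods = ["GET"] * 90 + ["POST"] * 85 + ["TRACE"]
probs, thr, valid = train_model_c(methods)
```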
For each web application query, we extract (a) the sequence of attributes and (b) for
each attribute, the sequence of input characters. As in HMM-Web, attribute
inputs are processed so that every digit and every letter is substituted by the
special character N and A, respectively (see Section 4.3.1). Therefore, for each web
application
For each distinct source IP address, we group web application queries using an
inter-request time threshold t. Within a group, the time interval between each query
and the subsequent one is lower than or equal to t. For each group we extract the number
of queries. By modeling the average number of queries per group, we may detect
automated requests on web applications. To this end, we adopt model B. It is worth
noting that the raw training set for the model is obtained considering all groups, for
all source IP addresses. That is, the distinction between IP addresses is only used
to define each group. Automated requests may be used by attackers to perform
password guessing attacks or some automated vulnerability assessment. Some
of these attacks require a relatively high number of requests per unit of time in
order to be effective. In this case, the number of queries per group is expected to
be higher with respect to that of typical users. With this feature we aim to detect
such anomalous events. During the detection phase, we compute the number of web
application queries within the group of the current query (if any). Then, we submit
this value to the model in order to assess whether it is anomalous (too high).
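The grouping step above can be sketched as follows. This is a sketch under our own naming; timestamps are in seconds and the events are illustrative.

```python
def queries_per_group(events, t):
    """Group (ip, timestamp) query events per source IP so that, within a
    group, consecutive queries are at most t seconds apart; return the size
    of every group over all IPs (the raw training set for model B)."""
    by_ip = {}
    for ip, ts in sorted(events):
        by_ip.setdefault(ip, []).append(ts)
    sizes = []
    for ts_list in by_ip.values():
        size = 1
        for prev, cur in zip(ts_list, ts_list[1:]):
            if cur - prev <= t:
                size += 1
            else:          # gap larger than t: close the group, start a new one
                sizes.append(size)
                size = 1
        sizes.append(size)
    return sizes

# A burst of 3 queries from one IP, plus isolated queries from two sources
events = [("10.0.0.1", 0), ("10.0.0.1", 1), ("10.0.0.1", 2), ("10.0.0.1", 50),
          ("10.0.0.2", 0), ("10.0.0.2", 30)]
sizes = queries_per_group(events, t=5)
```

During detection, the size of the group containing the current query would be scored by model B against these training sizes.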
For each web request we extract the method and the HTTP version field. Attackers
may issue web requests with less common methods, e.g. OPTIONS or TRACE, to
gain information about the target web server. Also, automated tools for web server
fingerprinting issue nonexistent methods, to get information from the web server's
reply. Thus, requests having non-typical methods are clearly suspect. Similarly,
the HTTP version field receives a very limited range of values from web browsers.
Therefore, a non-conventional value for this field is clearly suspect.

We employ a model C for modeling both the method and the HTTP version features.
Each distinct string is considered as a distinct symbol by the model. For example,
the method strings GET and GeT are considered as different symbols. Similarly, the
HTTP version strings HTTP/1,1 and HTTP/1.1 are viewed as different symbols by
the model. During the detection phase, we submit the current request method and
HTTP version to their corresponding models.
By means of request headers, web servers acquire some additional input. Depending
on this input, the web server's reply (and the returned informative content) may
change substantially. For example, the Cookie header is typically submitted by web
browsers for authentication, once a user logs on to a website. The input string for this
header is typically processed by a web application to authenticate a web request.
Thus, a validation vulnerability on the Cookie input string may be exploited by an
attacker to compromise web applications. This is the so-called Cookie manipulation
attack [CGIsec]. Also, attacks are often carried out by submitting malicious input in the
User-Agent header [Ollmann (2008)]. In any case, the key point is that each header
input should be inspected, since it may be processed by a vulnerable web server, and
perhaps by a vulnerable web application.
• input length. When malicious input is injected, its length is typically higher
than that of legitimate input (this is definitely true for buffer overflow attacks). Thus,
this straightforward feature may effectively detect malicious requests. We
model this feature by means of an instance of model B for each header.
if the header input has some anomalous digit and/or letter character. If so,
we signal an anomaly for the header input.
For each distinct source IP address, we group web requests using an inter-request
time threshold t. Within a group, the time interval between each request and the
subsequent one is lower than or equal to t. Then, for each group of requests we compute
the ratio between rejected and total requests. We consider as rejected all requests
receiving a response code different from 2xx and 3xx [RFC 2616 (1999)]. This feature
is useful to spot exploitation tools while they are trying to find web applications with
well-known vulnerabilities, or resources with common names (e.g. INSTALL.txt,
index_old.php). These attempts typically cause the server to reject many requests
within a small time interval.

This feature is described through model B. The training set is made up of the ratio
values in each group of training requests, for all source IP addresses. During the
detection phase, we compute the ratio between rejected and total requests within
the group of the current query. Then, we submit this value to the model in order
to assess whether the ratio is anomalous.
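The ratio computation for one group can be sketched as follows (function name and status codes are illustrative):

```python
def rejected_ratio(status_codes):
    """Fraction of rejected requests within an inter-request-time group:
    a request is rejected when its response code is neither 2xx nor 3xx."""
    rejected = sum(1 for code in status_codes if not 200 <= code <= 399)
    return rejected / len(status_codes)

scanner_group = [404, 404, 403, 200]   # probing for INSTALL.txt and the like
browsing_group = [200, 301, 200]       # a typical user's navigation
```

A scanner-like group yields a high ratio (0.75 here), while typical browsing yields a ratio near zero; model B then scores these values.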
4.4.4 Architecture
Figure 4.5 shows the architecture of Web Guardian, with a focus on the training and
detection phases. These two phases may overlap, since Web Guardian has a multi-threaded
implementation. This is important, because web services are constantly evolving,
and Web Guardian may be (re)trained in order to keep its models up
to date. While this process is running, our system may continue providing
real-time protection. Our system currently supports the protection of the Apache
web server version 2.x (http://httpd.apache.org/docs/2.0/). We added some
code into the Modsecurity WAF (version 2.5.7⁹), in order to introduce some useful
functionality. Our version of Modsecurity can store each (field of a) web request
and the header of the web server response into a MySQL database¹⁰.

9 At the time of writing, Modsecurity has reached version 2.5.12. However, it is easy to patch
the latest versions with our code.
10 To this end, it is also possible to install a specific Apache module. However, due to some
constraints, we preferred to implement such functionality in Modsecurity.
The central controller represents the core of Web Guardian. The central controller
is able to launch and stop different (concurrent) threads. Three types of
thread are currently supported: (1) a learning thread, (2) a training set analysis
thread and (3) a real-time detection thread. The learning thread acquires a set of
requests from the database and produces the set of legitimate traffic models (one
for each modeled feature). The training set analysis thread employs the current
models to analyze the requests employed during the training phase. This is useful to
make sure that the models did not (erroneously) discard relevant samples. Finally,
the real-time detection thread loads the current models and performs real-time analysis
of incoming web requests. It may also perform some predefined counteraction, once
suspicious web traffic is detected.

We may interact with Web Guardian (i.e. the central controller) through a
web-based graphical interface. Through this interface we may send commands (or
queries) to the central controller, which in turn replies with the requested information.
For example, we may launch one of the threads mentioned above. Also, we
may check their status (e.g. progress, errors etc.). If false alarms are found, we may
ask Web Guardian to update the model(s) which erroneously raised the anomaly.
The model update may be performed by either changing the probability threshold
or (re)training the model, including more samples (i.e. samples previously discarded by the
learning framework). In this way, similar false alarms are switched off as well.
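The controller's thread handling can be sketched as follows. This is a minimal sketch: the class and method names are our own, not Web Guardian's actual implementation, and the dummy learning target stands in for the real thread that reads requests from MySQL and fits the models.

```python
import threading

class CentralController:
    """Sketch of a controller that launches and tracks the concurrent
    learning, training-set-analysis and real-time detection threads."""

    def __init__(self):
        self.threads = {}

    def launch(self, name, target):
        th = threading.Thread(target=target, name=name, daemon=True)
        self.threads[name] = th
        th.start()
        return th

    def status(self):
        # e.g. queried from the web interface to check thread progress
        return {name: th.is_alive() for name, th in self.threads.items()}

controller = CentralController()
models = []
controller.launch("learning", lambda: models.append("traffic-models"))
controller.threads["learning"].join()   # wait for the dummy learning thread
```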
4.4.5 Experiments
In order to evaluate the performance of Web Guardian, we installed our version
of Modsecurity on a production web server of our academic institution. This web
server was dedicated to supporting a web portal, with a number of web applications.
We collected real web traffic on this web server for about a week. Due to the
relevant number of users accessing the portal, these few days were sufficient to gather
a high number of web requests. Table 4.2 shows the main characteristics of the collected
dataset. Let us refer to this dataset as Λ. The dataset Λ contains about a week of
traffic, and accounts for about 450,000 requests. About 100,000 of these requests
(i.e. 22%) are associated with web application queries.

At the end of the training phase, we evaluated the effectiveness of the learning
framework described in Section 4.4.1. To this end, we spotted attacks inside the dataset

11 It is worth noting that we may not randomly split the dataset Λ. This is because some features
depend on the sequence of requests over time.
For models built using a relatively high number of samples (e.g. a thousand),
there is a good chance that a substantial part of the samples is related to legitimate
behavior. This means that malicious samples are expected to receive lower probability
with respect to legitimate samples. Recall that attackers are typically far outnumbered
by legitimate users. On the other hand, known web exploits typically
show very different features with respect to legitimate requests. Thus, for models
receiving a relatively high number of samples, we expect that they substantially
describe legitimate behavior.

This reasoning is not valid for models having a small number of training samples
(e.g. 20). In the worst case, these samples may all be related to attacks. Thus, a
manual inspection of all samples is necessary.
To better evaluate the detection rate of our system, we built a set of malicious
web requests Φ against both the web server and the web applications of the portal. We
then evaluated how many of them were actually detected by Web Guardian. Our
malicious requests targeted input validation vulnerabilities (the typical and most
threatening vulnerabilities). These requests have been carefully tailored to the specific
configuration of the web server and web application inputs. That is, we devised
proof-of-concept attacks against the web portal, using a number of reference documents
and known vulnerabilities (and of course, our expertise). It is worth noting
that these attacks have been crafted in order to highlight security vulnerabilities,
but without actually exploiting them.

Table 4.3 summarizes the key characteristics of the dataset Φ. Overall, it accounts
for 507 attacks against the web portal under analysis. For SQL injection and
XSS attacks we also used some typical filter evasion techniques (see Section 4.1). We

12 Recall that due to the ad-hoc nature of web applications, we may not rely on signature-based
systems to perform this task.
13 We verified legitimate web application inputs through the links contained inside web pages, by browsing
as a normal web user.
analyzed these well-crafted malicious requests with Web Guardian, and 505 (99.6%)
of them were detected. On the other hand, these attacks show features which
are definitely different from those of typical web requests. The (only) two attacks that
were not detected were related to information gathering attempts, and highlight
some limitations of our system (see Section 4.5).

Table 4.2: Overview of the key characteristics of the dataset Λ employed to evaluate
the performance of Web Guardian.
4.4.5.1 Discussion
Table 4.4 outlines the performance of Web Guardian, in terms of (a) detection rate, (b)
false alarm rate and (c) average response time per request, evaluated on datasets Λ
and Φ.

Our results clearly highlight that Web Guardian is able to accurately spot attacks
even if they are included in the set of requests used for training. We detected all
attacks encountered in the wild (i.e. within dataset Λ) and almost all of our custom
attacks in the dataset Φ. Thus, our results clearly show that Web Guardian has
excellent detection performance. Moreover, its response time is remarkably low
(considering that we did not optimize the code of Web Guardian). In addition,
Web Guardian generates a very low false positive rate (0.2-0.3%). Nevertheless, the
number of false positives per day may be relevant, especially for popular websites.
For the dataset under analysis, by analyzing the set of requests not employed for
training, we obtained on average 267 false alerts per day. This value is slightly
higher with respect to the number of false alarms we obtain by analyzing the set of
training requests. This is reasonable, since we used a limited statistical sample of
web requests. In fact, by reducing the memory needed by our system (i.e. optimizing
the implementation), we could use a larger statistical sample.

It is worth noting that a significantly lower false positive rate may be attained
by manually verifying false alarms on our web interface. Using such an interface we
may:

• group anomalies depending on their type: i.e. which model raised
the anomaly, common traits of the anomaly (e.g. a suspect non-alphanumeric
character), source IP address, targeted web application/header
[Table 4.3 row: http version; bad format string; buffer overflow, information gathering; [Donaldson (2002)], [Shah (2004)]; 5 attacks]

Table 4.3: Overview of the attacks performed against the website under evaluation
(dataset Φ).
• adjust model thresholds, so that attacks may still be reliably evidenced while
false alarms are reduced

• (re)train models using some samples which have been erroneously discarded
by the learning framework (e.g. because there were no attacks in the set of
training samples)
For example, with a few clicks (ten minutes of work), by manually adjusting model
thresholds, we reduced the total number of false alarms from 1,252 to about 400¹⁴.

Through the web interface we may also define the association between anomalies
and counteractions. A different counteraction may be specified depending on the
anomaly type(s), the output probabilities of the models and their reliability¹⁵. This part is
critical to some extent, since we have to make sure that legitimate traffic is never
affected by Web Guardian. So we may provide for strong counteractions (e.g. drop the
TCP connection, return the home page) only on the basis of (a) very reliable models,
e.g. with very few false alarms, (b) output probabilities well under threshold,
(c) multiple anomalies. Otherwise, we may provide for safer counteractions.
For example, the work [Valeur (2006)] proposes an anomaly-driven reverse proxy to
protect web applications. This approach is very interesting for providing automated
counteractions that may work well even with some false alarms. If an anomalous
request is detected, it is forwarded to a copy of the website that does not hold sensitive
content. In this way, even if a false alert is raised, legitimate users may still access
the website contents that are not sensitive (e.g. public).

14 All attacks inside Λ were still detected.
15 For each model, we may evaluate the number of false alarms it raises on average and the number
of its training samples. These two parameters are used as a reference to outline the reliability of each
model.
in our world no system is perfect, and Web Guardian is definitely no exception.
So, it is important to recognize the main limitations of our detection system.

First, Web Guardian models (web application) attribute inputs by generalising
letters and numbers. This allows a significant reduction of the learning time of the HMM,
and of the false positives due to random inputs (e.g. session identifiers). For example,
the numbers between 100 and 999 are all represented by the same sample {N,N,N}. Assuming
that such numbers are submitted to an attribute, e.g. to identify a category inside
the website, some of them may not be accepted by the web application (e.g. because
no category is associated with them), causing an error. An attacker
may exploit this exception to gain information about the target application. In
fact, two attacks in Φ used a similar technique, and they were not detected
by Web Guardian. This example is useful to highlight a general limitation of our
detection system: it may not detect attacks targeting the logic of web applications.
That is, we are not modelling the internal processing of web applications.
To this end, other web traffic features are necessary. Thus, a possible improvement
of Web Guardian may be the modelling of new features regarding the logic of web
applications. Currently, the set of extracted features mainly supports the detection
of input validation attacks, because they are the most popular and threatening
attacks.
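The generalisation described above (Section 4.3.1) can be sketched as follows (the function name is ours); it also makes the limitation concrete: two different category identifiers become indistinguishable to the model.

```python
def generalise(attribute_input):
    """Substitute every digit with 'N' and every letter with 'A', so that
    e.g. all numbers from 100 to 999 collapse into the same sample 'NNN'."""
    return "".join("N" if ch.isdigit() else "A" if ch.isalpha() else ch
                   for ch in attribute_input)

# A valid and an invalid category id look identical after generalisation,
# which is exactly why logic-level probing goes unnoticed.
same = generalise("123") == generalise("999")   # both 'NNN'
```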
Another limitation of Web Guardian is inherited from the traditional anomaly-based
approach to the detection of computer intrusions. That is, we may evidence
detailed anomalies, but currently these are not associated with a description of the
attack, as in signature-based systems. To overcome this limitation, we are currently
working on the automatic classification of anomalies. We are also working on the
automatic inference of the attack class, given an anomaly. Our idea is similar to
that proposed in [Robertson et al. (2006)] and, in particular, [Bolzoni et al. (2009)].
Finally, as we will further discuss in Section 5.5.1.1, anomaly-based systems
16
may be subject to false alarm injection. Let us suppose that Web Guardian is
protecting a website in real-time. An adversary (using a unique IP address) may deliberately submit a very high number of web requests (e.g. 100,000) that do not harm the website but raise a lot of (false) alarms. Among these requests, he may submit the real exploit against the monitored web services. In this case, it is likely that the security administrator does not verify all alerts (100,000!). He may verify only a portion of them and, after assessing that they are not actually dangerous, he may throw out all alerts having the same source. Thus the attacker can successfully compromise the monitored web services without actually being detected. Of course, in this case we are assuming that no automatic counteraction is performed by Web Guardian against the true exploit; automatic counteractions may actually face this kind of attack. However, as a matter of fact, false alarm injection attacks are not currently addressed by Web Guardian. As future work, we intend to research solutions to this issue as well.
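To make the severity of this limitation concrete, the toy calculation below estimates the probability that an administrator, who can only verify a fixed number of randomly chosen alerts, happens to inspect the one true exploit hidden in the flood. The numbers (100,000 injected alarms, 500 verified alerts) are hypothetical and only illustrate the order of magnitude.

```python
import random

def prob_exploit_reviewed(n_false, n_reviewed, trials=4000, seed=7):
    """Monte Carlo estimate of the chance that the single true exploit,
    hidden among n_false injected false alarms, falls into the random
    sample of n_reviewed alerts the administrator actually verifies."""
    rng = random.Random(seed)
    total = n_false + 1           # injected false alarms + one real exploit
    hits = 0
    for _ in range(trials):
        reviewed = rng.sample(range(total), n_reviewed)
        if 0 in reviewed:         # index 0 stands for the real exploit
            hits += 1
    return hits / trials

# Analytically the probability is n_reviewed / (n_false + 1): with
# 100,000 injected alarms and 500 verified alerts, about 0.5%.
analytic = 500 / 100_001
estimate = prob_exploit_reviewed(n_false=100_000, n_reviewed=500)
```

Under these (invented) numbers the exploit is almost certainly never inspected, which is exactly what the attacker counts on.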
[16] Actually, as we will discuss in Chapter 5, all IDSs suffer from this problem.
4.5. Limitations, proposed solutions and future work 87
Figure 4.1: HMM-Web scheme. The Parser processes the request URI and identifies the web application (i.e. search.php) and its input query. Applying a threshold on the probability value associated to the codified query, it is labeled as legitimate/anomalous. The threshold depends on the web application probability and the α parameter.
88 Chapter 4. Protecting Web Services
Figure 4.2: Distribution of queries (top panel: number of training-set queries per application, from 0 to 70,000) and percentage of attacks (bottom panel: from 0% to 11%) for the 14 most frequent web applications.
Figure 4.3: Average DR and FPR for different values of α and a single HMM per ensemble. The proposed query codification solution is compared with that used in [Kruegel et al. (2005) (a)].
Figure 4.4: Average DR and FPR for different values of α, either with single or multiple HMMs per ensemble.
Figure 4.5: Architecture of Web Guardian. Our detection system may be controlled
through a web interface.
Figure 4.6: Some attacks detected by Web Guardian (as shown by our web interface). These attacks were contained in the set of training requests.
Chapter 5
Intrusion Detection and Adversarial Environment
Sun Tzu
The aim of today's cyber criminals is to realize attacks without being detected by security administrators (or computer users). For example, this may allow the attacker to place access points on violated computers for further (stealthy) criminal actions. In other terms, the IDS itself may be deliberately attacked by a skilled adversary. Some recent work tried to find the best protection strategy by leveraging on the definition of an attacker's model [Cordasco and Wetzel (2009)] or assuming a rational attacker and employing a game-theoretical framework [Chen and Leneutre (2009)]. In any case, a rational attacker leverages on the weakest component of an IDS to compromise the reliability of the entire system, possibly with minimum cost.
It is easy to see that this problem cannot be completely avoided, as absolute security does not exist. On the other hand, the recognition of such a threat, and knowledge of it, may help in devising an IDS model which reduces its impact.
Of course, many research papers have in some way dealt with this problem. Unfortunately, such works focus on specific topics, discuss attacks against specific IDSs, and use different terms for the same general concepts. Often the analysis is focused on specific phases of the intrusion detection task, and the mutual dependence of each phase on the others is neglected. There is a good reason for this, since the problem is fairly complex and must consider many (uncertain) variables. As a consequence, an overall picture of the problem is still lacking.
In this Chapter of the thesis we give our contribution to fill this gap. First, we subdivide the general design of an IDS into different phases and components. To this end we refer to the CIDF scheme presented in Section 1.3. In particular, we further subdivide the analysis box of the CIDF scheme according to the analogy between intrusion detection and pattern recognition (see Section 1.3.1).
Then, we critically analyze how the adversarial environment may affect the IDS in each one of its components. This study allows gaining a wide knowledge of the
problem and supports the design of robust IDS solutions. Furthermore, if the goal is to choose the best security solution on the market, our analysis may provide concrete support. Some concepts will be illustrated through real-world examples, mainly related to the web, as it currently accounts for the majority of vulnerabilities (see Section 2.1).
At the end of the Chapter, it will be clear that the architecture of Flux Buster and Web Guardian reflects many of the key points we outline for adversary-aware IDS solutions. This is important, as we strongly believe that adversary-aware IDS solutions are the right response to current and future security threats.
The first problem of NIDSs is that they can only simulate the packet processing performed by destination hosts. As pointed out in [Ptacek and Newsham (1998)], NIDSs usually rely upon a mechanism of data collection (called passive protocol analysis) which is fundamentally flawed, because there isn't enough information on the wire on which to base conclusions about what is actually happening on networked machines.
The reason for this gap lies in the fact that network traffic is typically processed by different host-side operating systems and applications. Such systems may process the network traffic in a way not fully adherent to specific standards (i.e., RFCs), or may implement only some of the functionalities described by these standards. In addition, even if different implementations are perfectly adherent to a specific standard, they might process the traffic differently in situations that are not considered by the standards. Finally, destination hosts can process the traffic at different network nodes, and therefore with different traffic views. It follows that, in principle, a NIDS should be designed to incorporate all the knowledge on the mechanisms of traffic processing employed by operating systems and application software, as well as on the network topology. Unfortunately, this is definitely a hard task in a real scenario. Thus, typically, NIDSs use a pre-defined mechanism of traffic processing that is assumed to be coherent with all the hosts in the network, and it is assumed that the NIDS is placed in the same network node as the monitored hosts.
To the best of our knowledge, the most comprehensive work to date that thoroughly analyzes evasion attacks against NIDSs is [Ptacek and Newsham (1998)]. The problems presented there still represent open issues and concrete threats, as confirmed in [Hernacki et al. (2005)]. In [Ptacek and Newsham (1998)], the evasion of NIDS (called elusion in that paper) is posed in terms of insertion and exclusion[1] of packets in the traffic as seen by the NIDS. An insertion attack consists in inducing a NIDS to accept one or more packets that will be rejected by the target system; conversely, an exclusion attack consists in inducing a NIDS to discard (or ignore) a packet that will be accepted by the target system.
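The insertion/exclusion asymmetry can be sketched with a deliberately simplified toy model of our own (hop counts, TTL handling and the first-wins duplicate policy below are illustrative assumptions, not taken from [Ptacek and Newsham (1998)]): the NIDS and the target reconstruct different streams from the same wire.

```python
def reaches(ttl, hops):
    """A packet survives only if its TTL, decremented at each router,
    does not reach zero before arriving at a node `hops` routers away."""
    return ttl >= hops

def reassemble(packets, hops, dedupe_first=True):
    """Rebuild the byte stream from the packets that reach a given node.
    With dedupe_first=True (a common NIDS policy) the first packet seen
    for a sequence number wins; later 'duplicates' are discarded."""
    stream = {}
    for seq, ttl, payload in packets:
        if not reaches(ttl, hops):
            continue
        if dedupe_first and seq in stream:
            continue
        stream[seq] = payload
    return "".join(stream[s] for s in sorted(stream))

HOPS_TO_SENSOR, HOPS_TO_HOST = 1, 3   # the NIDS sits two routers before the host

# The attacker first sends an innocuous packet whose TTL reaches the
# sensor but not the destination (insertion), then a 'duplicate' with
# the same sequence number carrying the real content.
packets = [
    (1, 8, "GET /index"),    # reaches both nodes
    (2, 2, "legit"),         # insertion: seen only by the NIDS
    (2, 8, "ATTACK"),        # reaches the host; NIDS drops it as a duplicate
]

nids_view = reassemble(packets, HOPS_TO_SENSOR)
host_view = reassemble(packets, HOPS_TO_HOST)
```

The two views diverge: the NIDS matches its signatures against a stream the target never processed.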
This goal may be achieved by means of some well-known evasion attacks against NIDSs: tunneling, desynchronization, encoding variations, segmentation and reordering [Hernacki et al. (2005)].
The tunneling technique aims to hide an attack by enclosing it in a tunnel [Hernacki et al. (2005)]. The tunnel represents a type of traffic that is ignored by, or not observable to, the monitor, so it can be classified as an exclusion attack. An example of tunneling for the evasion of intrusion detection is the use of an encrypted channel to hide the attacks (e.g. using Secure SHell (SSH) [RFC 4252 (2006)]) [Brown (2003)]. An encrypted channel is used to guarantee the confidentiality of an information flow during its travel from the source to the destination. Even if the data is captured by an attacker, it is very difficult to (find the correct decryption key and) reconstruct the original flow. The NIDS has the same problem, as it cannot analyze encrypted traffic, like SSH or HTTPS [RFC 2818 (2000)], unless it is provided with the correct decryption key. Nevertheless, this increases the exposure of the traffic flow to confidentiality attacks, since a vulnerability in the NIDS may compromise the confidentiality of any encrypted traffic flow passing through it. Tunneling can also be accomplished by using non-standard ports. For example, many IDSs identify the monitored services through the port field of the TCP/UDP header, so if the port field of the packets does not match the standard port (e.g. HTTP traffic on port 22, conventionally used by SSH traffic), the analysis can fail or the traffic can be neglected. In practice, the tunneling technique is routinely used for evading NIDSs [Hernacki et al. (2005)].
[1] We use this term for the sake of clarity, but the original term was evasion.
5.1. Data Acquisition 97
A classic desynchronization attack leverages the TTL (Time To Live) field of the IPv4 packet [IPv4]. Let us recall that the value of this field is decreased every time the packet passes through a router, in order to avoid traffic loops. Thus, if a router is placed between the NIDS (which monitors outbound and inbound traffic) and a monitored host, an attacker can set the value of the TTL field of IPv4 packets so that it is large enough to reach the sensor, but small enough to cause the packet to be dropped before reaching the destination [Ptacek and Newsham (1998)] (this is an insertion attack). Now, if the attacker sends an (apparent) packet duplicate (i.e. same sequence id), changing the TTL field and the content, such a packet is typically recognized by the NIDS as a duplicate and then discarded, while it will reach the destination. Such manipulations could be detected by the NIDS by storing and comparing the entire content of the packets, but unfortunately this approach can be very time and memory expensive in environments characterized by high bit rates. Even if the sensor is designed to analyze new packets regardless of duplication, it is possible to realize the same attack (through exclusion), by first sending the packet with malicious content to the destination, and then sending a duplicate packet with legitimate content so that it reaches only the NIDS. As the NIDS takes into account the latest duplicate packet, the malicious content is not detected.
Let us make another example. Following RFC 2616, the first line of an HTTP request (the request line) must specify the Method, Uniform Resource Identifier (URI) and HTTP version. From our experience, a modern web server like Apache also accepts a number of empty lines (Carriage Return (CR) and Line Feed (LF) characters) before the request line. A NIDS that does not consider this issue can discard such a request even if it has been processed successfully by the target. In this case, it loses the request URI and is probably forced out of phase (desynchronized) for the entire HTTP session, because many web attacks involve request URI manipulations (see Chapter 4).
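The request-line desynchronization above can be sketched with two toy parsers; the leading-empty-line tolerance mimics the Apache behavior observed in the text, while the strict variant stands for a naive NIDS (both parsers are our own simplifications, not real implementations).

```python
def parse_request_line(raw, skip_leading_empty_lines=False):
    """Parse the first line of an HTTP request into (method, uri, version).
    With skip_leading_empty_lines=True the parser tolerates empty lines
    (bare CRLF) before the request line, as some servers do; with False
    it behaves like a strict NIDS that takes the first line as-is."""
    lines = raw.split("\r\n")
    if skip_leading_empty_lines:
        while lines and lines[0] == "":
            lines.pop(0)
    if not lines:
        return None
    parts = lines[0].split(" ")
    return tuple(parts) if len(parts) == 3 else None

# A request preceded by two empty lines (a hypothetical probe).
request = "\r\n\r\nGET /search.php?q=x HTTP/1.1\r\nHost: example.com\r\n\r\n"

strict = parse_request_line(request)                                   # NIDS view
lenient = parse_request_line(request, skip_leading_empty_lines=True)   # server view
```

The strict parser fails to extract the request line (and thus the URI), while the lenient one parses the same bytes successfully: the sensor and the target disagree.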
Encoding variations represent another evasion method. These are realized through the encoding of a traffic message such that its semantics on the NIDS is different from its semantics on the target [Hernacki et al. (2005)]. A typical example can be the use of encoded characters in the request URI of an HTTP message. Each character in a request URI can be encoded using the % symbol followed by its position in the ASCII table. Request URIs like /MSADC/root.exe?/c+dir and %2fMS%41D%43%2f%72oot.%65x%65%3f%2f%61+di%72 are equivalent from the point of view of a target HTTP server (%2f is the encoding of /, %41 is the encoding of A, etc.), while a NIDS that does not apply the same character conversion will fail during the analysis phase. This issue may appear easy to solve, but in a heterogeneous environment, e.g. where different HTTP servers are employed, different encoding schemes should be taken into account. In this case, not only is it necessary to know every encoding scheme accepted by each server type, but it is also necessary to apply the correct decoding process according to the destination host. For example, there are some cases in which a character can be equivalent to another: request URIs may be case insensitive (e.g. /InDeX.HtmL is equivalent to /index.html) and some Windows servers can accept \ as equivalent to /. In addition, the traffic message semantics can still remain the same
Figure 5.1: A skilled attacker evades NIDS detection by exploiting a flawed reconstruction of the traffic at the application level (i.e. through encoding variations). He modified his attack in order to both compromise the web server and evade detection.
from the point of view of the destination host by applying more skilled manipulations. For example, the request URI /MSADC/root.exe has the same meaning as /MSADC/../MSADC/../MSADC/root.exe, because /MSADC/../ identifies the root directory. Fig. 5.1 shows how an attacker may evade a NIDS that does not consider this equivalence. Since the NIDS does not apply the URI conversion (made by the victim), the string matching between the known attack /MSADC/root.exe?/c+dir and the current request URI fails. Thus, the attack is successful and no alerts are raised.
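Both equivalences can be checked with a small canonicalization routine. Here `unquote` and `posixpath.normpath` from the Python standard library approximate (but do not fully reproduce) the decoding a real web server applies; the percent-encoded variant below is our own re-encoding of the attack URI, not the one from the text.

```python
from urllib.parse import unquote
import posixpath

def normalize_uri(uri):
    """Decode percent-encoded characters in the path and collapse '..'
    segments, approximating the canonicalization a target web server
    performs before mapping the request onto the filesystem."""
    path, sep, query = uri.partition("?")
    path = posixpath.normpath(unquote(path))
    return path + sep + query

plain     = normalize_uri("/MSADC/root.exe?/c+dir")
encoded   = normalize_uri("%2fMS%41D%43%2froot.ex%65?/c+dir")            # percent-encoded variant
traversal = normalize_uri("/MSADC/../MSADC/../MSADC/root.exe?/c+dir")    # '..' variant
```

A NIDS matching the literal signature /MSADC/root.exe against the raw, non-canonicalized URI misses both variants, while the server ultimately processes the same request in all three cases.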
A device that has been proposed to increase the robustness against ambiguous traffic is the traffic normalizer. This is a network forwarding element that attempts to eliminate ambiguous network traffic, reducing the amount of connection state that the monitor must manage. Mandatory characteristics for such a device are to preserve end-to-end semantics and to guarantee high performance. A number of architectural considerations are associated with the design of a traffic normalizer [Paxson and Handley (1999), Handley et al. (2001)]. Of course, the communication mechanism between the normalizer and the monitor must be carefully designed. In addition, attacks against the normalizer itself must be taken into account. Provided that a traffic normalizer with a suitable design is available, it can prevent evasion attacks that leverage on ambiguous TCP stream contents, on the manipulation of TCP connection state, or on the flooding of the monitor with bogus state [Paxson and Handley (1999), Handley et al. (2001)].
Another important issue of host data acquisition is related to the practical deployment of sensors. In some cases, host sensors may be difficult to deploy. For example, this is the case of a hotspot, which offers Internet access to any computer having the access credentials. Also, the deployment of host sensors is typically problematic in the case of palmtops or mobile devices.
Finally, an evident weakness of HIDSs in front of successful attacks is the fact that they are placed on target machines. Thus, if an attacker exploits a vulnerability on that machine, he may disable or affect the HIDS sensor processing (see Fig. 5.2). Today, this is perhaps one of the main goals of a rootkit [Hoglund and Butler (2006)], i.e. malicious software which runs with high privileges on the target machine, without the need for the user's (e.g. administrator's) access credentials. One of the most popular rootkits is FU, which modifies data structures employed by the Windows XP kernel (Direct Kernel Object Manipulation) in order to hide the presence of files, processes, device drivers, etc. [Butler and Hoglund (2004)]. Such a technique prevents the operating system itself (by means of the system call functions) from retrieving information related to its state (e.g. running applications and loaded drivers).
Figure 5.2: After the web server is compromised, a skilled attacker evades HIDS detection by disabling or affecting the input of host sensors. Typically this is one of the goals of a rootkit.
insider intrusions is much lower than that of external intrusions. This computer will only have one open port (port 80), associated with the HTTP service, and it will not consider requests for other protocols or services.
Thus, an external intruder may access this system through HTTP requests only. In this case, the security of the system can be entrusted to a HIDS sensor that monitors HTTP server logs and, if a database is used, another HIDS sensor that monitors database queries. Furthermore, an additional HIDS sensor that monitors open ports and running applications can be useful to detect suspicious host events. For example, after a successful attack, new network services, such as an SSH server, may be activated in order to guarantee further access. Conversely, in this case the use of a HIDS that monitors only operating system calls and/or running applications is not sufficient, because the critical asset of this host is related to the HTTP service. This example points out the need for a careful choice of the input data source to be analyzed by a HIDS, the input choice depending on the services offered by that host and on the category of users accessing the system.
Finally, the principal solution proposed so far to isolate HIDS sensors from target machines is based on virtualization. The monitored machine runs in a virtual environment and, by means of a Virtual Machine Monitor (VMM), the IDS acquires data related to the state of the monitored machine. The VMM is able to retrieve low-level information regarding the monitored machine, e.g. the bytes written to physical memory or disk. The HIDS interacts with an Operating System (OS) library, whose task is to translate the low-level information coming from the VMM into high (OS) level information inside the monitored machine (e.g., the list of running processes, or the contents of a file). Such an operation is also called Virtual Machine Introspection (VMI) [Garfinkel and Rosenblum (2003)]. It is easy to see that VMI requires a different OS library depending on the operating system of the monitored machine. Due to the flexibility of the virtualization approach, in recent years many works have applied it to solve different adversarial problems. For example, virtualization has been proposed for rootkit behavior profiling [Gadaleta et al. (2009)] or to defeat stack-based buffer overflow attacks [Riley et al. (2009)].
Virtualization is a very promising approach to strengthen HIDS solutions; nevertheless, some main issues still remain open. Thus, in practice, the relevance of these issues should always be weighed against the benefits of the virtualization approach for HIDSs.
can be lost if we aim to remove all noisy patterns or enhance all relevant events, as typically at this stage only a coarse analysis of data can be performed. This fact can be explained by observing that typically, in the early stage of data processing, low-level information is processed. As a consequence, only noise that can be clearly associated with the low-level data representation can be removed. Other kinds of noise can be detected only when data is analyzed and represented at a higher level (e.g., alarms), because it is possible to use higher-level concepts that allow removing noisy patterns, as well as enhancing relevant information. Thus, the goal of the data enhancement phase should not be to remove all noisy patterns, but only those patterns which can be considered as noise with high confidence. This aspect will be discussed in detail in the following Section.
It is worth pointing out a concept that we will recall throughout this Chapter. Given a piece of information for which we can conclude that it is not related to legitimate activities, we cannot necessarily conclude that it is related to attacks against the monitored machines, and vice versa. That is, some information, i.e., noise, may describe neither legitimate activities nor attacks against the monitored machines. As this information is not representative of either of the two classes (legitimate traffic and attacks), it should be discarded, because its use in further steps can be counterproductive or, at least, not useful. On the other hand, if this noisy information is used in further steps, it can cause an erroneous characterization of attacks and/or legitimate activities.
associated to these attack patterns can be removed, while the remaining traffic can be considered as associated to legitimate activities.
However, traffic associated with new attacks, or other spurious traffic which is not representative of typical legitimate activity, might still be present. It is expected that this kind of traffic accounts for a very small percentage of the pre-processed data. This is a reasonable assumption, because typically most of the users perform legitimate actions, that is, they use resources or services as expected. The latter assumption is the basis of outlier detection techniques [Tandon et al. (2004)].
Such techniques are aimed at evidencing patterns having different characteristics w.r.t. the majority of patterns contained in a set. By means of outlier detection techniques it is possible to achieve a good classification accuracy on the information related to legitimate activity. For this reason, this technique is well suited to anomaly-based IDSs.
Conceptually, outlier detection techniques may also be used to identify attack activities and the related traffic patterns. This result can be achieved by exploiting the data collected by so-called honeypots, i.e., computers or networks specifically designed to act as decoys for attackers [Kreibich and Crowcroft (2003)]. As these systems are not designed to offer network services, users performing legitimate operations should not access them. So, the activities performed on these systems can be classified as suspicious and probably related to attacks. That is, in principle, outlier detection techniques may help in better identifying information related to attacks, which can be further used to design misuse-based systems. However, it can be easily seen that if an adversary discovers which hosts are acting as honeypots, then the traffic collected by those hosts can be maliciously polluted, and we should be very careful in considering the majority of this information as related to attacks.
An example of a system that collects both legitimate activity and attack patterns is described in [Newsome et al. (2005)] (Polygraph). In that work, data preprocessing is made up of a network flow classifier. This system tags the traffic as legitimate or suspicious for the detection of worm activities, and innocuous and suspicious flow pools are generated, respectively. In particular, a misuse (signature) based detector is trained using traffic belonging to both classes. This system is vulnerable, as it does not take into account that even if suspicious traffic is not representative of the legitimate class, it is not necessarily representative of the attack class. This vulnerability has been shown in [Perdisci et al. (2006) (a), Newsome et al. (2006)], and it will be further discussed in Section 5.3.
An interesting question arises: could attacks against the learning phase of an IDS be defined as outliers, and thus removed from the training data? The answer is yes, at least for simple models. Let us consider an anomaly-based IDS that looks for buffer overflow attempts on protected hosts by analyzing the content of FTP commands. A (stack-based) buffer overflow attack exploits insufficient bounds checking on a buffer located on the stack to overflow the buffer and overwrite (hijack) the return address of the currently executing function, so that malicious code is executed [Aleph One]. This type of attack is clearly characterized by commands with an anomalously large content length.
If an adversary were able to include in the training set FTP commands with arbitrarily large content length, he would probably affect the correct model inference. In this case, a further buffer overflow attack would probably be classified as legitimate. It is not necessary that such commands reflect attacks against the monitored hosts: the malicious commands just have similar features (i.e. length) w.r.t. attack commands. In this case, since the malicious commands are characterized by a higher length w.r.t. legitimate commands, they may be removed by means of outlier detection techniques.
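A minimal sketch of such a length-based outlier filter, using the median absolute deviation with a hypothetical cutoff of 3; the sample commands and the injected overlong ones are invented for illustration.

```python
import statistics

def filter_length_outliers(commands, k=3.0):
    """Drop training patterns whose length deviates from the median by
    more than k median-absolute-deviations: a crude outlier-detection
    pass that removes the overlong commands an adversary injected to
    widen the learned model of 'normal' FTP traffic."""
    lengths = [len(c) for c in commands]
    med = statistics.median(lengths)
    mad = statistics.median(abs(l - med) for l in lengths) or 1.0
    return [c for c in commands if abs(len(c) - med) / mad <= k]

training = [
    "USER anonymous", "PASS guest@", "CWD /pub", "RETR file.txt",
    "LIST", "TYPE I", "PASV", "QUIT",
    "CWD " + "A" * 600,     # injected: buffer-overflow-sized argument
    "RETR " + "B" * 800,    # injected
]
clean = filter_length_outliers(training)
```

The two injected commands are removed before model inference, while all short legitimate commands survive; a real deployment would of course need features beyond plain length.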
It is worth noting that the data enhancement task can be useful to design an IDS that is robust with respect to an adversarial environment. In this case, it is more difficult for an adversary to inject noise, because spurious traffic instances (noise) that do not generate dangerous behavior on the target host (that is, traffic instances that do not represent attacks) can be discarded.
5.3. Feature selection 107
Let us make an example related to an attack against the feature definition process. The worm signature generator Polygraph [Newsome et al. (2005)] is vulnerable to deliberate noise injection aimed at misleading the signature generator so that incorrect features are extracted [Perdisci et al. (2006) (a), Newsome et al. (2006)]. In particular, Polygraph pre-processes traffic data so that it is inserted into one of two pools: the legitimate pool and the suspicious pool. Then, common features of the suspicious pool are used to define the characteristics of attacks. An adversary can pollute the suspicious traffic flows to force Polygraph to generate signatures using wrong features. This is possible because, as evidenced in Section 5.2, an adversary can inject some traffic identified as suspicious but that does not reflect worm activities (that is, it does not represent attacks). This traffic affects the reliability of the IDS, because it is well crafted to induce the choice of a feature space which does not guarantee the expected discrimination capabilities between attacks and legitimate activity patterns. It is worth noting that in [Perdisci et al. (2006) (a)] only noise affecting the suspicious traffic pool is considered. However, following the general definition of noise proposed in Section 5.2, we can extend this reasoning to an adversary that injects patterns that are not representative of legitimate activity, but not necessarily related to attacks. These patterns can be included in the legitimate traffic flow that Polygraph uses to verify the quality of the extracted features, i.e. to select features that minimize the false alarm rate. Thus, if patterns similar to attack patterns are injected in the legitimate traffic pool, the system may be forced to choose low-quality features when minimizing the false alarm rate. This example is useful to point out
[Duda et al. (2000)]. In this way, an adversary is uncertain about the subset of features that is used in a certain time interval, and thus it can be more difficult to conceive effective malicious noise. However, it should be recognized that the use of random subsets of features must be carefully designed to guarantee a high discrimination capability between attacks and legitimate activities.
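The idea can be sketched as a random subspace ensemble; the ensemble sizes below are arbitrary, and majority voting is just one of several possible fusion rules.

```python
import random

def random_subspace_ensemble(n_features, n_models, subset_size, seed=0):
    """Draw a different random subset of feature indices for each model
    in the ensemble (the random subspace method). An adversary crafting
    malicious noise cannot know which features a given model relies on
    in a given time interval."""
    rng = random.Random(seed)
    return [sorted(rng.sample(range(n_features), subset_size))
            for _ in range(n_models)]

def majority_vote(votes):
    """Flag the pattern as anomalous if most models, each judging on
    its own feature subset, consider it anomalous."""
    return sum(votes) > len(votes) / 2

subsets = random_subspace_ensemble(n_features=20, n_models=5, subset_size=8)
```

To fool the ensemble, the adversary must craft noise that is effective across most of the (unknown) subsets at once, which is harder than defeating a single fixed feature set.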
As far as attacks against the feature extraction process are considered, the key point is that this task must be strictly related to the data processing performed by the monitored systems. It should be clear from Section 5.1.1.1 that the feature extraction process on the IDS may be different from that of the monitored systems. This may be caused by the fact that different implementations of the standards on which IDS and hosts rely may produce different feature values. It should be recognized that, in practice, it is definitely a hard task to guarantee this synchronization[2] between the IDS and the monitored systems. In our opinion, a way to address this problem at the root can be the use of host-based data acquisition. In particular, the monitored system itself could send the features extracted from the input data to the IDS: in this way the problem can be addressed. Evidently, in such a solution, the monitored system and the IDS are strictly coupled: this implies, at least, a lower flexibility in the choice of the IDS input source. However, it must be recognized that a solution can be based on virtual machines, to guarantee both synchronization between IDS and monitored system and more flexibility [Garfinkel and Rosenblum (2003)].
[2] We will further discuss this problem in Section 5.5.5.
Motivation and purposes The model selection phase aims at describing (modeling) the patterns associated to attacks and/or legitimate activities, using a set of training patterns. It should be clear from the previous sections that the labeling of data for the creation of the training set is not an easy task, and that this activity is vulnerable to adversaries that try to pollute the data. These patterns are described using the features defined and extracted in the feature selection phase. A model for attack and/or legitimate activity patterns is then selected so that the best discrimination between these two classes, on the training set or on a validation set, is attained. The selected model is then used to assign the data processed by the IDS to one of the two classes during the classification phase.
stated in sections 5.1, 5.2 and 5.3. Here we identify two principal noise components that should be taken into account when designing machine learning algorithms:
• malicious noise: this is made up of noisy patterns that appear in the training set precisely because a machine learning algorithm is used. These patterns are intentionally inserted by an adversary so that the machine learning algorithm is misled into using them to model a class they don't belong to. These patterns thus allow an adversary some control over the model selection phase. In the literature, this operation is often referred to as mis-training.
These two types of noise can be more clearly defined if we refer to a specific IDS paradigm. Let us analyze the effect of these two types of noise when anomaly-based IDSs are considered. We can collect the data and assume that all patterns belong to the legitimate class.[3] In this case, the independent noise is made up of attacks against the monitored host(s) that are collected during the acquisition of the training set. These attacks can be considered as accidentally contained in the training data, because the attacker's goal was actually not to interfere with the correct model selection. Typically the small percentage of independent noise is correctly handled by learning algorithms, and it doesn't significantly affect the design of the anomaly detector. On the other hand, an adversary can intentionally pollute the training set with patterns that do not represent legitimate activities (malicious noise). Such patterns may be crafted in order to significantly affect the selection of the model of the legitimate activity.
[3] This can be a reasonable assumption in a real-world scenario, because usually the great majority of patterns belong to this class [Kruegel et al. (2005) (a)].
5.4. Model Selection 111
Beyond the general influence of the malicious noise on the model selection, different classes of machine learning algorithms may exhibit different strengths in front of an adversarial environment. For the sake of the following discussion we subdivide machine learning algorithms into incremental (on-line) and off-line training algorithms. Incremental algorithms modify their model incrementally, that is, the model may change every time a new pattern is processed. These systems are useful to deal with systems in evolution, as every time they analyze a pattern they can adapt their model. Conversely, off-line algorithms need a well-specified training set, and they can analyze patterns only after the entire training set is available. In other words, training and analysis phases are performed in non-overlapping time intervals, and the adversary has a bounded time interval in which to inject malicious noise, that is, the time interval when the training data is acquired. As evidenced in [Barreno et al. (2006)], incremental algorithms allow for a gradual tampering of training data. This fact forces the adversary to follow different attack strategies in front of incremental and off-line training algorithms, respectively.
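The gradual-tampering strategy against an incremental learner can be sketched with a toy detector of our own; the moving-average model, the acceptance margin and the command lengths are all invented for illustration, not taken from [Barreno et al. (2006)].

```python
class OnlineLengthDetector:
    """A toy incremental anomaly detector: a pattern is legitimate if
    its length stays within `margin` of the running mean, and every
    accepted pattern re-trains the model (exponential moving average)."""
    def __init__(self, mean, margin=50.0, alpha=0.05):
        self.mean, self.margin, self.alpha = mean, margin, alpha

    def accept(self, length):
        ok = abs(length - self.mean) <= self.margin
        if ok:  # incremental update: accepted patterns shift the model
            self.mean = (1 - self.alpha) * self.mean + self.alpha * length
        return ok

det = OnlineLengthDetector(mean=20.0)   # trained on short legitimate commands
attack_len = 600                        # overflow-sized payload

rejected_at_start = not det.accept(attack_len)   # initially detected

# Gradual tampering: repeatedly submit patterns just inside the
# acceptance region, dragging the model toward the attack length.
while det.mean + det.margin < attack_len:
    det.accept(det.mean + det.margin - 1)

accepted_after_poisoning = det.accept(attack_len)  # now goes undetected
```

Each poisoning pattern looks individually unremarkable (it lies inside the current acceptance region), which is precisely why the incremental setting is attractive to the adversary.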
When an off-line training algorithm is used, the attacker has a bounded time
interval to inject malicious noise. That is, he may leverage only a relatively low
number of malicious patterns w.r.t. the total number of patterns in the training
set. Thus, in order to significantly affect the model selection, the attacker has to
inject patterns significantly different from those representing the target class. In
such a way, during the classification phase, some attacks may go undetected (false
negatives), e.g. because such attacks share some similarities with the malicious noise
in the training set. However, since malicious patterns must be significantly different
from those representing the legitimate class, they may be removed by means of
outlier detection techniques.
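The outlier removal mentioned above can be sketched in a few lines. This is a minimal illustration assuming a single numeric feature (e.g., request length) and a robust median-based score; real detectors work on multi-dimensional feature vectors and more sophisticated estimators:

```python
from statistics import median

def filter_outliers(samples, cutoff=3.5):
    """Reject training patterns whose modified z-score (based on the
    median absolute deviation, MAD) exceeds `cutoff`. A robust estimator
    is used because injected noise far from the legitimate class can
    inflate the mean/stdev enough to mask itself."""
    med = median(samples)
    mad = median(abs(x - med) for x in samples)
    if mad == 0:
        return list(samples)
    return [x for x in samples if 0.6745 * abs(x - med) / mad <= cutoff]

# Legitimate request lengths plus two injected, clearly anomalous patterns.
training = [200, 210, 195, 205, 198, 202, 207, 199, 203, 5000, 4800]
clean = filter_outliers(training)  # the two crafted patterns are dropped
```

Since the attacker's patterns must differ markedly from the legitimate class to influence the model, they are exactly the points such a filter is likely to reject.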
If the learning system is aimed at modeling the attack class, an analogous pro-
cess may not be suitable. In this case, we may not assume that the great majority
of patterns in the training set represents the target class. If we exclude legitimate
activity patterns in this training set (i.e., those legitimate patterns that have mistak-
enly passed the preprocessing phase), both patterns related to attacks and patterns
related to malicious noise have the same source: the adversary. This implies that the
ratio between the number of attack patterns and malicious noise patterns in the
training set depends only on the adversary. So, in this case, the confidence in the
estimation of the data distribution may be weaker.
Table 5.1: Summary of the key issues of the classification and result analysis step.
(Columns: Misuse-based | Anomaly-based.)
Motivation and purposes

The classification and result analysis step represents the final phase of the
intrusion detection task. In this step an alert is produced if the observed pattern
is evaluated as being related to an attack by the model selected in the previous
phase. Then, a further step can be performed that is aimed at analyzing these
results using a higher-level interpretation of events. This phase is usually called
alarm correlation, as the evidence of an attack is better seen by clustering alarms
related to the same event, while removing spurious alarms produced by noisy patterns.
On the other hand, the risks related to over-stimulation are less obvious. Let us
recall that the alert log of an IDS needs to be analyzed by a security administrator,
and consequently the presence of false alarms requires a huge analysis effort, espe-
cially in networks with high volumes of traffic. An adversary can deliberately inject
false alarms to increase this effort, exploiting IDS classification weaknesses. Table
5.1 summarizes how these two techniques may affect anomaly- and misuse-based
classification, respectively. A distinct paragraph is dedicated to the analysis of each
one of these issues. However, before such an analysis, in the following Section we
discuss false alarm injection in more detail, as we believe that it is a less evident
problem in the research literature.
As discussed in the introduction, even if all attacks have been detected and the
related alerts have been stored, they might not be easily extracted from the alert
log due to high volumes of false alarms. An estimate of the probability that a given
alert reflects a real attack can be written as:

    P(attack|alert) = attackNum(log) / alertNum(log)    (5.1)
where attackNum(log) and alertNum(log) represent the number of real attacks
and the number of alerts, respectively, for a given IDS log. This probability reflects
what we will call alerting log reliability: the closer this value is to one, the higher the
alerting log reliability. Obviously, the larger the number of alerts used to estimate
the reliability, the closer this estimate is to the real P(attack|alert). In real-world
cases, real attacks are extracted from the IDS log through a thorough log analysis
accomplished by the security auditor(s), using their expertise and some semi-
automated alert clustering/correlation mechanisms. For an enterprise that manages
high volumes of network traffic (e.g., an Internet Service Provider (ISP)), this effort
translates into high costs and the allocation of huge resources. Analogously to the
classification of noise given in Section 5.4, it is possible to single out two principal
types of false alarms:
• legitimate activity patterns (that is, patterns generated by users using services
as expected) classified as attacks;
The common practice followed during the testing phase of an IDS for the evaluation
of the false positive (alarm) rate is carried out by submitting instances of legitimate
[4] These patterns do not reflect attacks against monitored hosts. In some sense, they can be
considered as attacks against the information content of the alerting log, as they aim to decrease
the signal-to-noise ratio of the alerting log content.
activity to the IDS, and by keeping track of the alerts generated accordingly. The
result of this evaluation clearly provides a lower bound for the false positive rate,
as it does not take into account the contribution of false alarm injection. Let us
explain how the over-stimulation problem can affect the alerting log reliability. Let
us express the probability P(attack|alert) using the Bayes formula, as done by
Axelsson [Axelsson (2000)]:

    P(attack|alert) = [P(alert|attack) · P(attack)] / [P(alert|attack) · P(attack) + P(alert|¬attack) · P(¬attack)]    (5.2)
Let us assume the availability of an IDS that detects all attacks, that is,
P(alert|attack) = 1. Equation 5.2 can then be rewritten as:

    P(attack|alert) = 1 / (1 + α)    (5.3)

where

    α = [P(alert|¬attack) · P(¬attack)] / P(attack)
The higher the value of α, the lower the alerting log reliability. Following
the previous definition, the probability of false alarms P(alert|¬attack) ·
P(¬attack) can be expressed as the sum of two independent terms:
[5] This malicious pattern is conceived so that an alert is raised, even though it is not an attack
from the point of view of the monitored hosts.
• P(legitimate) = 0.996, i.e., legitimate patterns are the great majority of non-
attack patterns
This example is useful to highlight that real IDS capabilities can be overesti-
mated, often with surprising consequences. Whereas most of the effort spent
during the development of an IDS is focused on maximizing the detection ca-
pability, often less effort is devoted to bounding the false alarm rate, and in
particular to the false alarm injection problem.
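Equation 5.3 is easy to evaluate numerically. The figures below are illustrative assumptions (not taken from the text), but they show how a seemingly low false alarm rate yields a low alerting log reliability when attacks are rare:

```python
def alerting_log_reliability(p_attack, p_alert_given_nonattack):
    """P(attack|alert) under the assumption P(alert|attack) = 1,
    i.e. Equation 5.3: reliability = 1 / (1 + alpha)."""
    p_nonattack = 1.0 - p_attack
    alpha = p_alert_given_nonattack * p_nonattack / p_attack
    return 1.0 / (1.0 + alpha)

# Assumed figures: attacks are 0.1% of events, and the IDS flags 1% of
# non-attack events. Only about 9% of the alerts then reflect real attacks.
r = alerting_log_reliability(p_attack=0.001, p_alert_given_nonattack=0.01)
```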
Now the question is: how can an IDS be protected against false alarm injection?
In the following, we will give some answers, by observing that anomaly- and misuse-
based IDS have different strengths and weaknesses not only w.r.t. detection evasion,
but also w.r.t. false alarm injection.
The ability of a misuse-based IDS to detect attacks is strongly affected by the
quality of the corresponding signatures, and is also limited to known attacks. The
definition of these signatures mainly relies on human expertise, as in Snort, or on
machine learning algorithms, as in Polygraph. Unfortunately, manually or automatically
building good signatures is very difficult. Attacks that exploit a specific vulnerability can
succeed in many different ways (many attack instances that exploit the same vul-
nerability), and building models that take into account all those instances is very
hard. As evidenced in [Mutz et al. (2005)], generally a misuse-based IDS detects
all event sequences that match a signature, but these signatures only cover
a subset of all the possible instances of the same attack.
Conversely, a misuse-based approach allows for low false alarm rates, because
for all known attack instances it is possible to select the most discriminant features
and the corresponding values. In fact, both commercial [IBM ISS IPS, Cisco IPS]
and open-source (e.g. [Snort]) IDS rely heavily on the misuse paradigm precisely
for this property.
A way to estimate the quality of a specific signature is to build many variants
of the same attack and evaluate the fraction of detected attacks. The authors in
[Vigna et al. (2004)] describe such an estimation procedure, where a large number
of attack variants is generated by applying mutant operators to an attack template.
That is, a mutant operator builds different attack instances from the same attack
template. A similar work, using a genetic algorithm to generate different instances
of a buffer overflow attack, is presented in [Kayacik et al. (2006)].
The automatic development of an evading attack requires perfect knowledge
of the signatures used by the IDS to be evaded. Commercial systems typ-
ically rely on keeping the signatures secret to increase their resistance to evasion
or over-stimulation attacks. However, in the intrusion detection research field
it is well known that security through obscurity does not work. The authors in
[Mutz et al. (2005)] proved this assertion by using a reverse engineering process to
understand the way signatures are matched by a commercial misuse-based NIDS
(ISS RealSecure version 7.0).
In [Mutz et al. (2005)] a successful HTTP chunk encoding attack is also shown
(see Section 5.3.1) that evades detection by Snort. The signature implemented
in Snort for this attack is based on matching the content of TCP packets against a
fixed string CCCCCCC:\<space>AAAAAAAAAAAAAAAAAAA. In this case, the signature
represents the description of a single attack instance. As a consequence, it is easy to
see that by simply adding another space to the attack string (obtaining CCCCCCC:\<
space><space>AAA...) the same attack works successfully (because the server-side
effects do not change), and it goes unnoticed because the string matching procedure
fails.
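The brittleness of such a fixed-string signature can be reproduced in a few lines. The payload strings below are schematic stand-ins for the real exploit content:

```python
# Fixed-string signature describing one single attack instance.
SIGNATURE = "CCCCCCC:\\ AAAAAAAAAAAAAAAAAAA"

def snort_like_match(payload: str) -> bool:
    """Naive content matching: alert iff the exact signature substring
    appears anywhere in the payload."""
    return SIGNATURE in payload

original = "...header..." + SIGNATURE + "...rest..."
# Adding one extra space preserves the server-side effect of the exploit
# but breaks the exact substring match, so the attack goes unnoticed.
evaded = original.replace(":\\ A", ":\\  A", 1)
```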
• either the IDS does not have a signature for that attack;
• or the IDS has a signature for that attack, but it does not match the
specific attack instance.
learning algorithm has been designed so that signatures cannot be exactly extracted
by an attacker through a query-response mechanism. However, in our opinion, an
effective solution against evasion in misuse-based IDS involves both the signature
definition process and the choice of the signature matching techniques.
Beyond general solutions, there are specific solutions that can enforce or tune
correct misuse detection. Much attention is given to buffer overflow attacks,
especially when polymorphic mechanisms are used to escape IDS detection.
Biologically inspired systems have also been proposed. Biological analogies are
useful because many problems that researchers try to confront are already solved
(or greatly reduced) in nature. In [Stephenson and Sikdar (2006)] a model based
on the coevolution of biological quasi-species is proposed to describe polymorphic
worm propagation. In that work, the worm evasion problem is posed principally in
terms of mutation rate over time. Given this model, it is possible to calculate the
maximum allowable response time of the IDS in order to contain the spread of the
worm, and the optimal mutation rate that a polymorphic worm should employ in
order to evade an IDS with a known response time. That is, even if an IDS has a
good machine learning technique to model polymorphic worm attacks, a worm can
still evade detection because the response time of the IDS is too long with respect
to the worm mutation rate. Thus, it can be useful to know whether a worm cannot
be detected for this reason. That work highlights that machine learning systems
can be used to evaluate some characteristics and performance of an IDS.
A polymorphic worm can encrypt its own invariant parts to escape detection by
a signature-based IDS. But in such a case, a decryption routine is necessary before
launching the worm exploit. Thus, with a NIDS, self-decrypting exploit codes can
be detected by scanning network traffic for the presence of
[6] These operations do not affect the exploit behavior, but they are useful to increase the program
counter of the CPU until the address of the injected shellcode is reached.
We note that many works regarding misuse-based IDS are suited to spe-
cific (new) problem instances. Because of this, these solutions can often be easily
bypassed by a skilled adversary. It should be recognized that, to cope with eva-
sion techniques against misuse-based IDS, it is necessary to focus on the root causes
of an attack, avoiding signatures for specific attack instances. Through the knowledge
of attack root causes, it is possible to focus on discriminant features, reducing the
impact of evasion techniques. Even if this is not a trivial task, this is the key point
of a reliable misuse-based IDS.
1. the attacker has knowledge of the IDS signatures, and he uses this knowl-
edge to craft patterns that match the signatures;
With reference to item (1), this knowledge can be easily gained if the signatures
of the target IDS are publicly available (e.g., the open-source IDS project Snort).
On the other hand, if an automatic signature generator is used, then it is more
difficult to gain exact knowledge of the signatures, because each signature depends
on the training data. Typically, automatic signature generators are implemented by
machine learning algorithms. However, if the adversary gains access to the training
data, and the machine learning algorithm used to generate the signatures is known,
then he may reconstruct the signatures. In Section 5.4.2 we discussed a
possible solution based on randomization techniques. Furthermore, if the adver-
sary is able to access the outputs of an IDS, he can infer the signatures through
suitable queries. As an example, an adversary can submit patterns with different
feature values and, by accessing the outputs of the IDS, try to reconstruct
the internal IDS signatures. This is a reverse engineering approach, the same used
in [Mutz et al. (2005)] to reconstruct the signatures of the commercial NIDS ISS
RealSecure.
No matter how the adversary obtains the signatures of the target IDS, it has
been shown that an attacker can generate non-malicious packets crafted to match
any signature, thus injecting an unbounded number of false alarms
[Patton et al. (2001), Yurcik (2002)]. In particular, real-world examples are carried
out on Snort, thanks to the availability of its signatures. In the following we will
refer to Snort as an example, but the related comments are valid whenever the
attacker is able to obtain the signatures.
As far as item (2) is concerned, it is worth pointing out that often only some
stateful features of the traffic can be analyzed, because of the excessive expense in
terms of memory and computation needed to perform a complete stateful analysis.
Especially when large volumes of traffic are involved, a trade-off between the need
for stateful analysis by the IDS and the need for real-time detection capabilities
typically becomes necessary. This implies an exposure to false alarm injection based
on those stateful features that are not considered by the IDS due to real-time
constraints. For example, Snort v. 1.6.3 was vulnerable to false alarm injection,
because it did not perform a stateful analysis of a TCP session
[Patton et al. (2001), Yurcik (2002)]. For example, the Snort signature:
raises an alert for every TCP packet containing the bytes specified by the content
field, in order to detect a buffer overflow against an SSH server, without assessing
whether such a TCP packet pertains to a TCP session or not. Even if a TCP packet
that does not pertain to a TCP session is discarded by the destination host, a false
alert is raised by Snort if such a packet contains the bytecode specified by the
signature. Even though the versions of Snort starting from 2.1.1 include a module
that performs TCP session reconstruction (stream4), Snort is still vulnerable to
false alarm injection (and evasion) through attacks related to the HTTP level.
Let us make an example. The signature:
uses the stream4 module to assess whether the analyzed TCP packet pertains to a
TCP session (the flow:to_server,established statement). However, even though
this signature is related to an attack at the HTTP level, it does not consider the
meaning of HTTP messages, because it does not perform stateful analysis at the
HTTP level. Instead, it simply looks for the string logged,true anywhere in the
HTTP traffic. Obviously, in this case false alarms can be easily injected by simply
adding such a string to the HTTP traffic flow.
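The over-stimulation side of this weakness can be sketched with the detection logic reduced to the anywhere-in-the-traffic substring check described above; the payloads are schematic:

```python
def http_signature_alert(payload: str) -> bool:
    """Reduced model of the signature: alert iff the content string
    appears anywhere in the HTTP traffic, with no HTTP-level state."""
    return "logged,true" in payload

attack = "POST /admin HTTP/1.1\r\n\r\nstate=logged,true&cmd=..."
# A harmless request can embed the same bytes (here, in a comment field),
# and every such request adds one false alarm to the log.
benign = "POST /guestbook HTTP/1.1\r\n\r\ncomment=I+just+logged,true+story"
```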
The latter example is useful to note some differences between the evasion and
over-stimulation points of view. If we suppose that the string logged,true is a
necessary content value for the attack, a stateful analysis at the HTTP level does not
increase the robustness against evading attacks, that is, we can neglect the HTTP
session analysis. Conversely, from the over-stimulation point of view, statefulness
is fundamental. The key question is: is the matched (anywhere) string logged,true
a real sign of attack? We can thus conclude that such a signature was written by
taking into account the point of view of attack detection rather than a trade-off
between detection and false alarm production.
From our experience, almost every analysis of an IDS must be stateful to guar-
antee detection reliability. Even if the analyzed protocol is stateless (e.g., UDP),
it is often better to base the analysis on additional contextual information w.r.t. the
actual content of a single packet. A clear example of stateful analysis in the case
of a non-stateful protocol is given by the detection of portscan attacks. Portscan
attacks probe the hosts in a network to find open ports and, therefore, the related
services (e.g., exploitable services). For example, such attacks can be realized by
sending UDP or TCP SYN packets to multiple ports and evaluating the correspond-
ing responses. A single UDP packet does not necessarily imply a portscan attack,
as many applications use this protocol (e.g., video streaming). At the same time, a
single TCP SYN packet can be the first step of the three-way handshake
used to initiate a TCP session. However, by performing a stateful analysis, that is,
correlating network events occurring at different times, it is possible to assess whether
a certain UDP or TCP SYN packet is likely to be related to a portscan attack or not.
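A minimal sketch of this kind of stateful correlation, with the window length and port threshold as assumed parameters:

```python
from collections import defaultdict

WINDOW = 10.0        # seconds of history to correlate (assumed)
PORT_THRESHOLD = 20  # distinct probed ports before alerting (assumed)

class PortscanDetector:
    """Per-source state over otherwise innocuous packets: remember the
    recent (timestamp, destination port) pairs for each source IP and
    alert when too many distinct ports are probed inside the window."""
    def __init__(self):
        self.history = defaultdict(list)

    def observe(self, ts, src_ip, dst_port):
        events = self.history[src_ip] + [(ts, dst_port)]
        # keep only the events still inside the time window
        self.history[src_ip] = [(t, p) for t, p in events if ts - t <= WINDOW]
        return len({p for _, p in self.history[src_ip]}) >= PORT_THRESHOLD
```

A single SYN or UDP packet never triggers the detector; only the correlation of many events over time does.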
Now, let us refer to the (now historic) Ping of Death attack [Kenney (1997)].
This attack is based on the generation of an IP packet larger than the maximum IP
packet size of 65,535 bytes, as reported in [RFC 792 (1981)]. A Ping of Death attack
instance is often realized by sending an ICMP echo reply subdivided into multiple
fragments that are reassembled only by the destination host. Even though ICMP is
not a stateful protocol, this attack instance cannot be detected without a stateful
analysis that evaluates the reassembly of the fragments (in this case we suppose
that an event is generated for each packet).
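A sketch of the reassembly check, where each fragment is represented as an (offset, length) pair; this representation is our simplification of the IP fragmentation fields:

```python
MAX_IP_PACKET = 65535  # maximum IP datagram size in bytes

def ping_of_death(fragments):
    """Stateful check over the fragment set of one IP datagram: flag the
    attack when the reassembled datagram would exceed the IP maximum,
    something no single fragment reveals on its own."""
    reassembled_end = max(offset + length for offset, length in fragments)
    return reassembled_end > MAX_IP_PACKET

# Every fragment is individually small and legal, but the set is not:
frags = [(i * 1400, 1400) for i in range(48)]  # reassembles to 67,200 bytes
```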
In other cases, stateful analysis is implied by a stateful protocol. For example,
to perform a complete TCP session analysis, it is necessary to keep track of the
three-way handshake between the two hosts, and to check whether acknowledgment
numbers are consecutive (so as to correctly associate each packet with the specific
TCP session),
When host-based IDS are taken into account, statefulness of the analysis is
necessary to detect sophisticated attacks against the machine. In this case, state-
fulness is realized by correlating events occurring on the same machine at different
time instants.
Typically, anomaly detectors may not provide information about the specific attack
that generated an alarm, because they detect anomalies. Whereas with signature-
based IDS it may be possible to deduce the attacker's purposes, the analysis of alerts
produced by anomaly-based approaches can be more difficult. This issue can be an
obstacle when the correlation of outputs from different IDS is carried out and it is
necessary to detect a sophisticated attack.
It has also been shown that for a specific host-based anomaly detector, namely
STIDE, it is possible to successfully generate mimicry attacks with an automated
process [Kayacik et al. (2007)]. The authors used a genetic programming approach
to build all components of a mimicry attack against a vulnerable (local buffer over-
flow) traceroute application. This is another reason suggesting that the improvement
of an anomaly detector should start from the early stages of its design, i.e., the
feature extraction and selection phase.
Mimicry attacks can also be combined with worms. Worms can hide their prop-
agation by mutating so as to mimic the statistical profile of the normal traffic
(polymorphic blending attacks) [Kolesnikov and Lee (2004)]. Generally, the generation
of attacks that optimally match the normal traffic profile is a hard problem (NP-
complete), but approximate solvers can be used to find a near-optimal solution
[Fogla and Lee (2006)].
In the case of anomaly-based IDS, the problem of false alarm injection is quite
relevant. A pattern might be anomalous even if it does not represent an attack.
Thus, an adversary might conceive such patterns to flood the alert log of an anomaly
detector with false alarms. Intuitively, the patterns that originate false alarms
should exhibit characteristics directly associated with the features used to model
the legitimate traffic. In other words, an adversary should generate a well-specified
noise to perform false alarm injection. This noise is conceptually different from
the independent noise generated by legitimate patterns (erroneously) classified
as attacks. Whereas the independent noise is associated with false alarms due to
an incomplete model of legitimate patterns, the malicious noise might raise false
alarms because not all anomalous patterns represent attacks. Let us make a simple
example related to an anomaly detector for a web application. Most of the attacks
against web applications leverage input validation vulnerabilities. Let us refer to
a web application whose URI is /mail/index.php that, using the HTTPS protocol,
receives the user input through the POST method and instantiates a SQL query
to a database containing all e-mails. The user logs on to the system by providing a
username and a password, e.g., user=john&password=3443ssa738dsh345. These
inputs can also be sent to an anomaly-based IDS by the web server. In this example,
there are two inputs: the first (john) is given through the user attribute and the
second (3443ssa738dsh345) through the password attribute. The acquired
input data can be used in the following query:
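The query itself is not preserved in this copy of the text; a representative query of the kind described, with table and column names that are purely our assumption, might look like:

```python
# Hypothetical query template for the /mail/index.php example; the table
# and column names are illustrative, not taken from the original text.
def build_query(user: str, password: str) -> str:
    return ("SELECT * FROM emails WHERE user = '%s' AND password = '%s'"
            % (user, password))

q = build_query("john", "3443ssa738dsh345")
```

Naive string interpolation of this kind is precisely what makes input validation vulnerabilities (e.g., SQL injection) possible.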
Alert verification can be either passive or active [Kruegel et al. (2004)]. Passive
alert verification prefigures checks based on a priori knowledge regarding the network
topology, the software installed on the monitored host(s), and the available network
services. For example, it can be verified whether a known exploit might actually be
dangerous for the destination host by checking if the attack prerequisites are satisfied.
Attack prerequisites are the conditions under which an attack is successful, e.g.,
vulnerable operating systems, vulnerable applications, availability of the network
services involved, etc.; it can also be verified whether certain packets reached a
certain destination or not. The main disadvantage of passive checks is that they
might be based on outdated information, and that some information cannot be
gathered a priori.
Conversely, active alert verification prefigures a set of checks performed after an
alert is raised. For example, it can be verified whether new services (e.g., new
applications and open ports) have been recently activated, whether a denial of
service is in progress, or whether critical file properties (e.g., permissions, owner,
size, content) have been recently changed. These kinds of checks are always based
on up-to-date information but, as they are gathered on the fly, they can interfere
with the normal operations performed by the network/host.
they involve characteristics of the host itself, such as file system checks, analysis of
recently added files (in particular, executables), file modifications, etc. Other checks
may involve modifications to the system registry, or the addition of new users.
A misuse-based IDS can use passive check mechanisms to assess whether the attack
prerequisites are satisfied and whether typical evidence of a specific attack has been
observed. In this case, alert verification can be well defined, because the attack
characteristics and the related effects are known in advance. In an anomaly-based
IDS, alert verification mechanisms may be more difficult to define, because only
legitimate patterns are known. On the other hand, anomaly-based systems provide
protection against new attacks and mutations of known attacks; the development of
these techniques may reduce the impact of the false alarms typically associated with
anomaly-based systems. For example, alerts raised by an anomaly-based system
designed to protect a web server can be verified by analyzing the outputs of the
web server.
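A passive check of this kind reduces to matching an alert's prerequisites against an asset inventory. The inventory shape and field names below are our own assumptions:

```python
# Hypothetical asset inventory: installed services and versions per host.
INVENTORY = {
    "10.0.0.5": {"services": {"ssh": "7.4", "http": "2.4.49"}},
}

def passive_verify(alert):
    """Keep the alert only if its prerequisites hold for the target host:
    the targeted service actually runs there, and its version is among
    the vulnerable ones. Outdated inventories make this unreliable."""
    host = INVENTORY.get(alert["dst_ip"])
    if host is None:
        return False
    version = host["services"].get(alert["service"])
    return version in alert["vulnerable_versions"]

alert = {"dst_ip": "10.0.0.5", "service": "http",
         "vulnerable_versions": {"2.4.49", "2.4.50"}}
```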
intrusions in computer systems. In the intrusion detection field, MCS are moti-
vated by the presence of different network protocols, multiple concurrent network
connections, and distinct host applications and operating systems. Patterns extracted
from this heterogeneous domain are very difficult to characterize. In fact, it is very
difficult to take the domain knowledge as a whole into account in the design of the
classifier. In general, by increasing the number of features, the pattern recognition
task becomes more complex and less tractable.
MCS provide a solution to address these issues. The intuitive advantage given
by the MCS approach is supported by the results in [Lee and Xiang (2001)], where
the complexity of the classification task is measured by an information-theoretic
approach. The subdivision of the classification problem into multiple sub-problems
turns out to decrease the entropy of each subset of training patterns, which in general
coincides with the ability to construct a more precise model of the normal traffic.
The intrusion detection domain can be seen as the union of different sub-domains,
each one providing complementary information. A sub-domain can be charac-
terized by a specific:
abstraction level, i.e., a group of network protocols, user logins on different hosts;
place, i.e., software applications (managing the routing table) in a router, software
applications running on a host;
Each sub-domain can be decomposed and analyzed in more detail. For example,
considering a group of protocols at a specific abstraction level (e.g., HTTP, FTP
and SMTP), the related syntax and semantics can be implemented in the design of
service-specific classifiers. This allows for including the sub-domain knowledge, with
a more precise and clear modeling of patterns. Recent works have clearly followed
this approach by focusing on the analysis of specific applications or services,
precisely for this capability.
A suitable MCS approach may cope with the adversarial environment in general.
For example, classifiers based on different training algorithms can be used for a
specific set of features: the adversary would then need to inject different
types of malicious noise, each one conceived to affect a specific classifier of the
ensemble. Also, such noise could affect some feature subsets without significantly
decreasing the overall performance of the MCS. However, to date, the contribution
of MCS against the problem of learning in the presence of malicious patterns has to
be further researched. On the other hand, a recent paper showed experimentally
that the MCS approach is able to increase the robustness against an adversarial
environment during the classification phase of an IDS [Perdisci et al. (2006) (b)].
Finally, the MCS approach could be very helpful to implement effective alert
verification mechanisms. Using multiple, specific classifiers it is possible to provide
specialized alerts, and also more reliable alert verification processes. For example,
by using an application-specific classifier, it is possible to evaluate application oper-
ations and outputs in a more detailed fashion, including the knowledge about this
specific sub-domain.
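A toy illustration of the ensemble idea: several feature-specific classifiers are combined by voting, so the adversary must fool more than one model at once. The classifiers, thresholds, and pattern shape are all assumptions made for the example:

```python
def mcs_decision(pattern, classifiers, quorum=2):
    """Flag the pattern as an attack only if at least `quorum` ensemble
    members agree, which raises the bar for both evasion and noise
    injection targeted at a single classifier."""
    votes = sum(1 for clf in classifiers if clf(pattern))
    return votes >= quorum

# Toy classifiers, each looking at a different feature subset.
length_clf  = lambda p: p["uri_len"] > 512
charset_clf = lambda p: p["non_printable"] > 0
method_clf  = lambda p: p["method"] not in {"GET", "POST", "HEAD"}

ensemble = [length_clf, charset_clf, method_clf]
benign = {"uri_len": 40,   "non_printable": 0, "method": "GET"}
attack = {"uri_len": 2048, "non_printable": 7, "method": "GET"}
```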
the victim, or deny access to certain services to protect the network. From the
point of view of the legitimate user, the attacker has realized a denial of service. In
addition, an adversary can easily infer the detection rules of the IPS if he is the
target of the countermeasure feedback. As a consequence, the adversary can evade
or over-stimulate the IDS.
AIP is a very interesting approach but, for high network bit-rates, what is the
impact of such a solution? Also, the robustness of such an approach needs to be
investigated. AIP may also suffer from the same problems as an IPS, i.e., an attacker
may spot the marked data and thus exploit this information to evade detection.
As countermeasures are essentially attacks that the defender carries out against
the attacker, it should be clear that in this case the attacker plays the role of the
defender and, as a consequence, all the techniques typically used for detecting
intrusions can be used by the attacker to look for countermeasures. Thus, counter-
measures should be carefully designed, as they can be used by the attacker to gain
knowledge about the security mechanisms employed by the protected network.
5.8 Discussion
Intrusion Detection Systems operate in a hostile environment. This aspect cannot
be neglected if the goal is to design (or choose) reliable and robust IDS solutions.
However, it is clear that this goal is not easy to achieve. For this reason, in this
Section we summarize the key aspects which derive from our analysis.
First of all, each IDS solution should be thoroughly tuned to the specific intru-
sion detection problem. That is, depending on the key asset we need to protect, a
different IDS solution is necessary. There is no general solution for intru-
sion detection. The more generic the IDS solution, the less effective it will be.
Thus, knowledge of the strengths and weaknesses of different design choices is of
key importance.

Figure 5.3: Summary of the pros/cons of host and network data acquisition. Dotted
arrows indicate some proposed solutions to cope with the cons of each acquisition
method.
On the other hand, host sensors should be employed to monitor the host-side
applications/operating systems. The deployment of host sensors should be carefully
chosen in order to monitor the behavior of the systems which manage the key asset
(information) we need to protect. Of course, host sensors may be disabled after the
target machine is compromised. Also, if the attacker exploits some vulnerability
in the system which provides the input data to the host sensor, the sensor may be
evaded. As discussed in Section 5.1.2, a robust solution may be based on Virtual
Machine Introspection. In our opinion, this is the most powerful solution to
strengthen the host data acquisition phase, when applicable.
Figure 5.3 summarizes the pros and cons of host and network data acquisition. We
highlight some proposed solutions to cope with the cons of each acquisition
method. From the figure, it is evident that the practical choice of the acquisition
method should consider many different factors. However, this scheme is useful to
quickly focus on the acquisition choices that allow attaining the best tradeoff
between IDS reliability and practical sensor deployment.
Like the data acquisition choice, the choice of the detection method
should thoroughly consider the specific intrusion detection problem. In our opinion,
anomaly-based intrusion detection is the most promising technique for future
IDS solutions. The key point is that hundreds of new (never-before-seen) attacks
are developed on a daily basis. These are perhaps the most threatening
attacks, since they may not be detected by misuse-based IDS, and their effects are
unknown. Also, automatic training mechanisms for anomaly-based detectors may
be easily (and reliably) applied. Conversely, automatic training mechanisms for
misuse-based detectors may be exposed to attacks, because the main information
source is the attacker itself (see Section 5.5.2). For example, an MCS architecture
may be built by providing independent and specialized anomaly detectors. Such a
subdivision may be driven by a-priori knowledge of the problem, i.e., we may
subdivide the intrusion detection problem into multiple subproblems. In such a way,
each anomaly detector may spot a particular category of attack. Then, for each
anomaly sensor, a well-suited alert verification technique and a different counter-
measure may be defined. The correlation of the output from multiple anomaly
sensors may help us both (1) to further reduce the false positive rate, and (2) to gain
a more thorough analysis of the events occurring on computer networks/hosts.
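The subdivision into specialized anomaly detectors can be sketched as follows. This is a hedged, minimal illustration, not the thesis implementation: the detector names, the toy range-based anomaly model, and the fusion rule are all assumptions chosen only to show how per-subproblem detectors and output correlation fit together.

```python
# Toy MCS layout: one independent anomaly detector per subproblem.
# Names, thresholds and the range-based model are illustrative assumptions.

class AnomalyDetector:
    """Toy one-dimensional anomaly detector: learns a normal range."""
    def __init__(self, name):
        self.name = name
        self.lo = self.hi = None

    def train(self, samples):
        self.lo, self.hi = min(samples), max(samples)

    def is_anomalous(self, value):
        return not (self.lo <= value <= self.hi)

def correlate(alerts):
    """Simple fusion rule: report only the subproblems that fired, so each
    alert can be routed to a detector-specific verification step."""
    return [name for name, fired in alerts.items() if fired]

# A-priori subdivision of the problem: one specialized detector each.
detectors = {
    "url_length": AnomalyDetector("url_length"),
    "num_params": AnomalyDetector("num_params"),
}
detectors["url_length"].train([10, 25, 40])
detectors["num_params"].train([0, 1, 2, 3])

request = {"url_length": 300, "num_params": 2}   # oversized URL
alerts = {n: d.is_anomalous(request[n]) for n, d in detectors.items()}
print(correlate(alerts))   # only the url_length detector fires
```

Because each detector covers one narrow subproblem, the fused output tells us *which* aspect of the event is anomalous, which is exactly what a per-detector alert verification and countermeasure step needs.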
Figure 5.4 summarizes the pros and cons of anomaly- and misuse-based detection.
From this figure, it is easy to see that, since the two methods are complementary,
they should be used concurrently (if possible). However, in our opinion anomaly-
based detection needs further research, since its pros are highly relevant to most
current intrusion detection problems.
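The complementary use of the two methods can be sketched with a minimal example. Everything here is an illustrative assumption (the toy signature set, the character-frequency anomaly model, the threshold): the point is only the control flow, in which a known-attack match yields a high-confidence verdict while an anomalous-but-unmatched request yields an alert for a possibly never-before-seen attack.

```python
# Hedged sketch of concurrent misuse- and anomaly-based detection.
# Signatures and the anomaly model are toy assumptions for illustration.

KNOWN_ATTACK_SIGNATURES = ("' OR 1=1", "<script>", "../..")  # toy misuse rules

def misuse_score(request):
    return any(sig in request for sig in KNOWN_ATTACK_SIGNATURES)

def anomaly_score(request, normal_profile):
    # Toy anomaly model: fraction of characters never seen during training.
    unseen = [c for c in request if c not in normal_profile]
    return len(unseen) / max(len(request), 1)

def classify(request, normal_profile, threshold=0.15):
    if misuse_score(request):
        return "known attack"      # misuse-based: high confidence
    if anomaly_score(request, normal_profile) > threshold:
        return "anomaly"           # possibly a never-before-seen attack
    return "legitimate"

profile = set("abcdefghijklmnopqrstuvwxyz/=?&0123456789")
print(classify("/index?id=1", profile))             # legitimate
print(classify("/index?id=' OR 1=1", profile))      # known attack
print(classify("/index?id=%41%41%41%41", profile))  # anomaly
```

The third request matches no signature but deviates from the learned profile: this is the case that only the anomaly-based component can catch.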
Now, we aim to give the reader a brief, practical scheme to support the
design of IDS. This scheme is made up of eight points:
(1) What is the key information (asset) you need to protect? Clearly define
what the relevant information is.
(2) Identify all (security-)relevant systems, i.e., each system which manages or
carries such a piece of information. Assign to each system Si a degree of
Figure 5.4: Summary of the pros/cons of anomaly- and misuse-based detection. Dotted
arrows indicate some proposed solutions to cope with the cons of each detection
method.
(5) Evaluate carefully the pros and cons of the data acquisition methods in Fig. 5.3
and the typology of the input data of Si. Choose the best tradeoff between the
reliability of the acquired data and the constraints on sensor deployment imposed
by system Si (and its environment). You may provide for data fusion mechanisms
to correlate data acquired from network and host sensors (e.g., using
data reconciliation techniques).
(6) Choose a suitable detection strategy for Si, evaluating carefully the pros and cons
of each detection method in Fig. 5.4. You may correlate the information related
to known attacks (misuse-based) and detected anomalies (anomaly-based) to
further enhance the situational awareness about security-related events.
(7) Provide for automatic alert verification and counteraction techniques, depending
on the type of attacks (or anomalies). The more such techniques are suited
to system Si, the more reliable they are. Automatic counteractions should be
taken in response to events that are classified as attacks (or anomalies) with a
high level of confidence. In order to validate the alerts, you may need to acquire
more data from the network or hosts. For example, you may validate an
alert if the output of Si is anomalous, in analogy with the approach proposed
in [Bolzoni et al. (2007)]. On the other hand, for each validated alert, you
should provide for an automatic counteraction. This counteraction should be
aimed at protecting your key asset. For example, you may decide not to perform
a database query, if such a query is generated by a system for which
the IDS has just raised an alert. Furthermore, you should evaluate whether
automatic actions may be used against the protected asset.
(8) At this point, update the value of wi after the adoption of the IDS solution for
Si. Go to point (4). You should iterate until the expected security level, which
may be evaluated as 1 − max_i(w_i), is reached. The security budget
should be sufficient to reach such a security level.
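The iterative part of the scheme can be sketched as a simple loop. This is a hedged illustration under assumed quantities: we take the degree assigned to each system Si to be a weakness weight w_i in [0, 1], and the effect of deploying an IDS on the weakest system is modeled by an arbitrary mitigation factor; neither the weights nor the factor comes from the thesis.

```python
# Hedged sketch of the design loop of points (4)-(8): pick the weakest
# system, deploy an IDS solution for it, update its weight, and repeat
# until the security level 1 - max_i(w_i) reaches the target (or the
# budget runs out). The mitigation factor is an illustrative assumption.

def design_loop(weights, target_level, budget, cost_per_step=1,
                mitigation=0.5):
    """Return the updated weights and the achieved security level."""
    spent = 0
    while (1 - max(weights.values())) < target_level and spent < budget:
        weakest = max(weights, key=weights.get)  # pick the weakest S_i
        weights[weakest] *= mitigation           # deploy an IDS solution
        spent += cost_per_step                   # point (8): update and loop
    return weights, 1 - max(weights.values())

w = {"web_server": 0.8, "db_server": 0.6, "workstation": 0.3}
w, level = design_loop(w, target_level=0.7, budget=5)
print(round(level, 2))
```

Each pass through the loop corresponds to one application of points (5)-(7) to the currently weakest system; the loop terminates either on success (the target level is reached) or when the security budget is exhausted.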
This aspect cannot be neglected if the goal is to design reliable and robust IDS
solutions. Our contribution is a detailed study of IDS in the context of an adversarial
environment. We subdivided the design process of an intrusion detection
system into seven steps, and then analyzed in detail the impact of the adversarial
environment on intrusion detection systems in each of the different phases and
components of their design. This analysis has been exploited to gain a wide knowledge
of the problem statement, by critically reviewing related work both in terms
of problem formulation, contributions, and proposed solutions. Then, we evidenced
the pros and cons of each of the main IDS classes, and suggested how to address
the cons. Our study can be employed as a reference both to design robust
IDS solutions and to evaluate the quality of different IDS solutions.
Figure 5.5: Our proposed guideline for the design of robust IDS solutions, in order
to cope with an adversarial environment. For details regarding the choice of data
acquisition and detection methods, refer to Figs. 5.3 and 5.4, respectively.
5.9. Conclusions and future work
Future work is necessary to evaluate experimentally (and theoretically) the benefits
of an adversary-aware design of IDS solutions. Finally, we hope that the results
of our study can be used as foundations for new, interesting approaches to the
detection of cyber-attacks.
Chapter 6
Concluding remarks
Most of today's Internet security threats are associated with the World Wide Web
(or simply, the web). This thesis addressed some of the key problems of today's web
security. In particular, it presented two research tools developed during the
three-year PhD course, namely Flux Buster and Web Guardian. These two tools
were conceived to improve both client-side and server-side web security.
Through Flux Buster we may accurately characterize and detect fast flux networks,
regardless of the way they are advertised. As mentioned in Section 3.1, fast flux
networks are an emerging, pervasive threat to Internet security. Fast flux networks
are nowadays adopted by criminal organizations to host malicious websites that
support an enormous number of scams. We showed experimentally that by means
of our system we may enhance the security of web users. First, we may complement
the state-of-the-art protection offered by Google Safe Browsing to current web
browsers. Furthermore, we may detect suspicious websites in real time. This may
allow for advanced real-time protection of web users, but also for increased
effectiveness of spam filters.
On the other hand, by means of Web Guardian we may protect web services.
Web Guardian is able to accurately detect web attacks targeting either web servers
or web applications, for both encrypted (HTTPS) and unencrypted (HTTP) web
traffic. In particular, its features allow the detection of input validation attacks,
the most popular and threatening attacks to date. The key contribution of Web
Guardian is that its training is fast and does not require supervision. Moreover,
its anomaly-based approach allows for the detection of both known and unknown
attacks. Finally, our system provides detailed information about anomalous requests
and may provide for automatic counteractions, to prevent both known and unknown
exploits.
Thus, our research may significantly benefit state-of-the-art Internet security.
However, in this thesis we presented a more general contribution. Current
security trends suggest (and we strongly believe) that future IDS solutions must
be adversary-aware, to cope with the increasing sophistication of attacks and
exploitation techniques. That is, it is not sufficient to face current attacks: we
must consider how a hostile adversary may affect the reliability of our IDS solutions.
In spite of the high number of related works, an overall picture of the problem is
still lacking. Thus, we studied this problem and critically revised previous work
to outline a general guideline for the development/choice of adversary-aware IDS
solutions. This guideline is very helpful (and necessary), since the problem is fairly
complex and depends upon many uncertain variables. On the other hand, to the
best of our knowledge, this is the first work that performs such an extensive study.
It is worth noting that our detection systems reflect many of the key points we
outline for adversary-aware IDS solutions (see Section 5.8):
• Flux Buster
It adopts passive network data collection. This is suitable, since fast flux
networks are entities that can be reliably observed at the network level. Also,
it works in a stealthy way. On the contrary, active approaches to the
collection of DNS data (i.e., automatic resolution of suspicious domain names)
may be easily detected (and thus defeated) by miscreants who control the
authoritative DNS servers.
Miscreants may inject noise into the data collected by Flux Buster, but
for them this is counterproductive. This is because the domain name resolution
is performed by Internet users, and returning legitimate IP addresses
may actually reduce the effectiveness of fast flux domain names. In any
case, we may filter our pool of flux agents, for example, by removing IP
addresses pointing to the most popular websites.
Miscreants may tune their flux domain names so that the features used
by Flux Buster are not sufficient to distinguish them from legitimate
services, such as CDNs. If so, Flux Buster may not detect them. However,
this may be difficult, since miscreants typically have no control over the
uptime of flux agents. In any case, we may easily extend (and improve)
the set of discriminant features modeled by Flux Buster.
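The passive, feature-based approach described above can be sketched as follows. This is a hedged illustration, not Flux Buster's actual feature set: the specific features (distinct IPs, network diversity, average TTL), the thresholds, and the popular-IP whitelist used for noise filtering are all assumptions chosen to convey the idea that flux domains resolve to many short-lived, scattered IPs, unlike CDNs.

```python
# Hedged sketch of passive flux-detection features. The feature set,
# thresholds and whitelist are illustrative assumptions.

POPULAR_IPS = {"93.184.216.34"}   # hypothetical popular-site filter

def flux_features(resolutions):
    """resolutions: (ip, ttl) pairs observed passively for one domain."""
    ips = {ip for ip, _ in resolutions if ip not in POPULAR_IPS}
    prefixes = {ip.rsplit(".", 2)[0] for ip in ips}  # crude /16 diversity
    avg_ttl = sum(ttl for _, ttl in resolutions) / max(len(resolutions), 1)
    return {"n_ips": len(ips), "n_prefixes": len(prefixes), "avg_ttl": avg_ttl}

def looks_like_flux(f, min_ips=5, min_prefixes=3, max_ttl=300):
    return (f["n_ips"] >= min_ips and f["n_prefixes"] >= min_prefixes
            and f["avg_ttl"] <= max_ttl)

flux = [(f"10.{i}.{i}.{i}", 60) for i in range(8)]       # scattered, low TTL
cdn = [("203.0.113.1", 86400), ("203.0.113.2", 86400)]   # stable, high TTL
print(looks_like_flux(flux_features(flux)))   # True
print(looks_like_flux(flux_features(cdn)))    # False
```

Note that miscreants cannot easily fake the stability side of these features: keeping IPs alive with long TTLs requires an uptime of flux agents that they typically do not control.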
• Web Guardian
The design of Web Guardian copes with attacks inside the set of web
requests used to infer the normal (legitimate) traffic profile. Thus, under
the reasonable assumption that malicious requests are fewer than
legitimate requests, it is difficult for miscreants to affect the learning
phase of our system. Also, we keep track of the number of samples of
each model to evaluate its reliability. This is important to cope with false
alarms and to provide for well-suited counteractions.
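The sample-count bookkeeping mentioned above can be sketched as follows, under assumed names: the per-parameter model, the length-based anomaly check, and the reliability threshold are illustrative, not Web Guardian's internals. The point is that an alert from an under-trained model is reported with low confidence instead of triggering automatic countermeasures.

```python
# Hedged sketch of per-model reliability tracking. Model internals and
# the MIN_SAMPLES threshold are illustrative assumptions.

class ParamModel:
    """Toy model of one web-application parameter: learns observed lengths."""
    MIN_SAMPLES = 50   # assumed reliability threshold

    def __init__(self):
        self.n_samples = 0
        self.max_len = 0

    def train(self, value):
        self.n_samples += 1
        self.max_len = max(self.max_len, len(value))

    def check(self, value):
        anomalous = len(value) > self.max_len
        reliable = self.n_samples >= self.MIN_SAMPLES
        if anomalous and reliable:
            return "alert"                  # countermeasures may be taken
        if anomalous:
            return "low-confidence alert"   # model not trained enough yet
        return "ok"

model = ParamModel()
for v in ["alice", "bob"]:       # only 2 samples: unreliable model
    model.train(v)
print(model.check("x" * 1000))   # low-confidence alert
for i in range(60):              # now well trained
    model.train("user%02d" % i)
print(model.check("x" * 1000))   # alert
```

Weighting alerts by model reliability in this way directly limits the false alarms that an attacker could otherwise induce through the least-trained models.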
These points show how the design of our systems may effectively face an adversarial
environment. Nevertheless, thanks to our general study in Chapter 5, we
recognize some open issues and ways of improvement:
• Flux Buster
• Web Guardian
We may cope with false alarm injection attacks. To this end, we may
provide for automatic alert verification mechanisms. Depending on the
type of anomalies, we may provide for a well-suited alert verification
technique. Also, as mentioned in Section 5.9, even if a false alarm injection
attack is performed, automatic counteractions may still prevent attackers
from successfully exploiting web services.
Web Guardian may not be able to spot attacks targeting the logic of web
applications. To this end, other features must be added.
We are currently working to address all these issues and further improve our
systems. On the other hand, we have obtained promising results, and further
improvement is the natural path of research.
Bibliography
[Akritidis et al. (2005)] Akritidis, P., Markatos, E.P., Polychronakis, M., Anagnos-
takis, K. (2005). STRIDE: Polymorphic Sled Detection through Instruction Se-
quence Analysis. Security and Privacy in the Age of Ubiquitous Computing,
Springer, 181, 375-391. 118
[Aleph One] Aleph One. Smashing The Stack For Fun And Profit, Phrack 49, vol.
7, insecure.org ⇒ web link (accessed February 2010) 105
[Almuallim and Dietterich (1992)] Almuallim, H., Dietterich, T.G., (1992). Efficient
algorithms for identifying relevant features. Proceedings of the Ninth Canadian
Conference on Artificial Intelligence, Vancouver, BC, Morgan Kaufmann,
38-45. 125
[Apache Vulnerabilities] The Apache Software Foundation. Apache httpd 2.0 vul-
nerabilities, ⇒ web link (accessed February 2010) 58
[Antichi et al. (2009)] Antichi, G., Ficara, D., Giordano, S., Procissi, G., Vitucci F.
(2009). Counting bloom filters for pattern matching and anti-evasion at the wire
speed. IEEE Network, 23(1), 30-35. 99
[Asimov (1956)] Asimov I. (1956). I, Robot, Signet, New York, NY, USA. 3
[Atlas] Atlas, Fast Flux Network Detection, Arbor Networks ⇒ web link (accessed
February 2010) 43
[Auger (2010)] Auger, R. (2010). Remote File Inclusion, The Web Application Se-
curity Consortium ⇒ web link (accessed February 2010) 84
[Axelsson (2000)] S. Axelsson (2000). The Base-Rate Fallacy and its Implications
for the Difficulty of Intrusion Detection, In Proceedings of the 6th ACM Confer-
ence on Computer and Communications Security, pp. 1-7, November 1-4, 1999,
Kent Ridge Digital Labs, Singapore, ACM. 115
[Barreno et al. (2006)] Barreno, M., Nelson, B., Sears, R., Joseph, A.D., Tygar,
J.D., (2006). Can machine learning be secure?, In Proceedings of the 2006 ACM
Symposium on Information, computer and communications security, ACM, pp.
16-25. 72, 110, 111, 112
[Basicevic et al. (2005)] Basicevic, I., Popovic, M., Kovacevic, V., (2005). The Use
of Distributed Network-Based IDS Systems In Detection of Evasion Attacks.
IEEE Proceedings of the Advanced Industrial Conference on Telecommunica-
tions Workshop, IEEE, pp. 78-82. 99
[Bass (2000)] Bass, T. (2000), Intrusion detection systems and multisensor data
fusion. ACM, 43(4), 99-105. 127
[Ben-Asher (2009)] Ben-Asher, N., Meyer J., Möller, S., Englert R. (2009), An Ex-
perimental System for Studying the Tradeo between Usability and Security, In-
ternational Conference on Availability, Reliability and Security, IEEE Computer
Society, pp.882-887. 3
[Bertoni et al. (2004)] Bertoni, A., Folgieri, R., Valentini, G., (2004). Feature selec-
tion combined with random subspace ensemble for gene expression based diagnosis
of malignancies. Biological and Artificial Intelligence Environments, B. Apolloni,
M. Marinaro and R. Tagliaferri eds, Springer, 29-36. 108
[Bolzoni et al. (2007)] Bolzoni, D., Crispo, B., Etalle, S. (2007). ATLANTIDES:
An Architecture for Alert Verification in Network Intrusion Detection Systems.
Proceedings of the 21st Large Installation System Administration Conference,
USENIX Association, 141-152. 127, 134
[Bolzoni and Etalle (2008)] Bolzoni, D., Etalle, S. (2008). Boosting Web Intrusion
Detection Systems by Inferring Positive Signatures, In Proceedings of the OTM
2008 Confederated International Conferences, CoopIS, DOA, GADA, IS, and
ODBASE 2008. Part II on On the Move to Meaningful Internet Systems,
Springer-Verlag, pp. 938-955. 61
[Bolzoni et al. (2009)] Bolzoni, D., Etalle, S., Hartel, P.H. (2009). Panacea: Au-
tomating Attack Classification for Anomaly-Based Network Intrusion Detection
Systems, Recent Advances in Intrusion Detection (RAID), 12th International
Symposium, Lecture Notes in Computer Science, Springer. 64, 86, 139
[Borders et al. (2006)] Borders, K., Zhao, I., Prakash, A. (2006). Siren: Catching
Evasive Malware (Short Paper). Proceedings of the 2006 IEEE Symposium on
Security and Privacy, IEEE Computer Society, 78-85. 123
[Bradley (1997)] Bradley, A.P. (1997). The use of the area under the ROC curve in
the evaluation of machine learning algorithms, Pattern Recognition, vol. 30(7),
pp.1145-1159. 42
[Brisco (1995)] Brisco, T. (1995). DNS Support for Load Balancing, Network Work-
ing Group, RFC 1794 ⇒ web link (accessed January 2010) 22
[Breunig et al. (2000)] Breunig, M.M., Kriegel H., Ng, R.T., Sander, J. (2000).
LOF: Identifying Density-Based Local Outliers. Proceedings of the 2000 ACM
SIGMOD International Conference on Management of Data, ACM, 93-104. 73
[Brown (2003)] Brown, W., (2003). Evading Network Security Devices Utilizing Se-
cure Shell, SANS Security Essentials (GSEC) Practical Assignment ⇒ web link
(accessed December 2007). 96
[Butler and Hoglund (2004)] Butler J., Hoglund, G. (2004). VICE - Catch the hook-
ers. http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-butler/bh-us-
04-butler.pdf. Last access: August 2009. 101
[Byeong-Cheol et al. (2004)] Byeong-Cheol, C., Dong-il, S., Sung-Won, S., (2004).
Two-step Rule Estimation (TRE) - Intrusion Detection Method against evading
NIDS. Advanced Communication Technology Conference, IEEE, 1, 504-507. 118
[Casey (2004)] Casey, E. (2004). Digital Evidence and Computer Crime (Electronic
Version), Elsevier, San Diego, CA. 4
[Cenzic (2009)] Cenzic, Inc. (2009). Web Application Security Trends Report ⇒ web
link (accessed January 2010) 13
[CERT (1996)] CERT (1996). TCP SYN Flooding and IP Spoofing Attacks, Advi-
sory CA-1996-21 ⇒ web link (accessed February 2010) 58
[CGI v.1.1 (2004)] Robinson, D., Coar, K. (2004). The Common Gateway Interface
(CGI) Version 1.1, The Internet Society. ⇒ web link (accessed December 2009).
10
[Chen and Leneutre (2009)] Chen, L., Leneutre, J. (2009). A Game Theoretical
Framework on Intrusion Detection in Heterogenous Networks. IEEE Transac-
tions on Information Forensics & Security. 93
[CIDF] Staniford-Chen, S., Tung, B., Schnackenberg, D. (1998). The Common In-
trusion Detection Framework (CIDF). Appears in: Proceedings of the Informa-
tion Survivability Workshop, Orlando (USA) ⇒ web link (accessed February
2010) 4
[Cisco IPS] Cisco Systems Inc., Intrusion Prevention Systems Help Stop Threats ⇒
web link (accessed January 2010) 5, 102, 117, 129
[Cordasco and Wetzel (2009)] Cordasco, J., Wetzel, S. (2009). An attacker model
for MANET routing security. WiSec '09: Proceedings of the second ACM con-
ference on Wireless network security, ACM, pp. 87-94. 93
[Corona et al. (2008)] Corona, I., Giacinto, G., Roli, F., (2008). Intrusion Detection
in Computer Systems using Multiple Classifier Systems. In Supervised and Unsu-
pervised Ensemble Methods and Their Applications, O. Okun and G. Valentini
(eds), Springer-Verlag, Berlin/Heidelberg. 125
[Corona et al. (2009)] Corona, I., Giacinto, G., Mazzariello, C., Roli, F., Sansone,
C. (2009). Information fusion for computer security: State of the art and open
issues. Information Fusion, 10(4), pp. 274-284. 132
[Corona et al. (2009)] Corona, I., Ariu, D., Giacinto, G. (2009). HMM-Web: a
framework for the detection of attacks against Web applications, IEEE ICC 2009,
Dresden, Germany. 18, 63
[Cretu et al. (2008)] Cretu, G.F., Stavrou, A., Locasto, M.E., Stolfo, S.J.,
Keromytis, A.D. (2008). Casting out Demons: Sanitizing Training Data for
Anomaly Sensors. In the Proceedings of the IEEE Symposium on Security &
Privacy, Oakland, CA. 61, 72, 112
[Debar and Wespi (2001)] Debar, H., Wespi, A., (2001). Aggregation and Correla-
tion of Intrusion-Detection Alerts. Recent Advances in Intrusion Detection Sym-
phosium, Springer-Verlag, 2212, 85-103. 127
[DNSBL] dnsbl.abuse.ch, Fast Flux Tracker ⇒ web link (accessed January 2010)
43, 48, 139
[Donaldson (2002)] Donaldson, M.E. (2002). Inside the Buffer Overflow Attack:
Mechanism, Method, & Prevention, SANS Institute InfoSec Reading Room,
SANS Whitepaper ⇒ web link (accessed January 2010) 84
[Duda et al. (2000)] Duda, R. O., Hart, P. E., Stork, D. G. (2000). Pattern
Classification (2nd Edition), Wiley-Interscience. 108
[Ezeife et al. (2008)] Ezeife, C.I, Dong, J., Aggarwal, A.K. (2008). SensorWebIDS: a
web mining intrusion detection system, International Journal of Web Information
Systems, vol. 4(1), pp. 97-120. 61, 62
[Fogla and Lee (2006)] Fogla, P., Lee, W., (2006). Evading Network Anomaly De-
tection Systems: Formal Reasoning and Practical Techniques. Proceedings of the
13th ACM conference on Computer and communications security, pp. 59-68. 123
[Franklin et al. (2007)] Franklin, J., Paxson, V., Perrig, A., Savage, S. (2007). An
inquiry into the nature and causes of the wealth of internet miscreants. In Pro-
ceedings of the 14th ACM conference on Computer and Communications Secu-
rity, (Alexandria, Virginia, USA, October 28 - 31, 2007). CCS '07. ACM, New
York, NY, 375-388. 12
[Gadaleta et al. (2009)] Gadaleta, F., Younan, Y., Jacobs, B., Joosen, W., De Neve,
E., Beosier, N. (2009). Instruction-level countermeasures against stack-based
buffer overflow attacks. Proceedings of the 1st EuroSys Workshop on Virtu-
alization Technology for Dependable Systems, ACM, 7-12. 103
[Giacinto et al. (2003)] Giacinto, G., Roli, F., Didaci, L., (2003). Fusion of multiple
classifiers for intrusion detection in computer networks. Pattern Recognition
Letters, 24(12), 1795-1803. 125
[Gorton and Champion (2003)] Gorton, A.S., Champion, T.G. (2003). Combining
Evasion Techniques to Avoid Network Intrusion Detection Systems. Skaion,
http://www.skaion.com/research/tgc-rsd-raid.pdf. Last access: 28 September
2007. 99
[Green et al. (2007)] Green, I., Raz, Z., Zviran, M. (2007). Analysis of active In-
trusion Prevention data for Predicting hostile activity in Computer Networks.
ACM, 50(4), 63-68. 130
[Guyet et al. (2009)] Guyet, T., Quiniou, R., Wang, W., Cordier, M. (2009). Self-
adaptive web intrusion detection system, The Computing Research Repository
(CoRR), ACM, vol. abs/0907.3819. 62
[Gyongyi et al. (2005)] Gyongyi, Z., Garcia-Molina, H. (2005). Web spam taxonomy,
In Proceedings of the First International Workshop on Adversarial Information
Retrieval on the Web 28
[Handley et al. (2001)] Handley, M., Paxson, V., Kreibich, C., (2001). Network In-
trusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Se-
mantics. Proceedings of the 10th USENIX Security Symposium, USENIX Asso-
ciation, 10, 9-9. 99
[Hansen (2009)] Hansen, R. (2009). XSS (Cross Site Scripting) Cheat Sheet for filter
evasion, ha.ckers.org ⇒ web link (accessed January 2010) 16, 59, 84
[Harmer et al. (2002)] Harmer, P.K., Williams, P.D, Gunsch, G.H., Lamont, G.B.,
(2002). An artificial immune system architecture for computer security applica-
tions, Appears in: IEEE Transactions on Evolutionary Computation, vol. 6(3),
pp. 252-280. 4
[Hedberg, S. (1996)] Hedberg, S., (1996). Combating computer viruses: IBM's new
computer immune system, Parallel & Distributed Technology: Systems & Ap-
plications, IEEE, vol. 4(2), pp. 9-11. 4
[Hernacki et al. (2005)] Hernacki, B., Bennett, J., Hoagland, J., (2005). An
overview of network evasion methods. Information Security Technical Report,
ELSEVIER, 10, 140-149. 96, 97, 98
[Ho (1998)] Ho, T. K., (1998). The Random Subspace Method for Constructing De-
cision Forests. IEEE Transactions on Pattern Analysis and Machine Intelligence,
20(8), 832-844. 125
[Hofmann and Beaumont (2005)] Hofmann, M., Beaumont, L.R. (2005). Content
Networking: Architecture, Protocols, and Practice. Morgan Kaufmann Publisher.
22
[Hoglund and Butler (2006)] Hoglund, G., Butler, J. (2006). Rootkits-Subverting the
windows kernel. Addison-Wesley 101
[Holz et al. (2008)] Holz, T., Gorecki, C., Rieck, K., Freiling, F. (2008). Measur-
ing and Detecting Fast-Flux Service Networks, NDSS '08: Proceedings of the
Network & Distributed System Security Symposium 26, 27, 28
[Hu et al. (2009)] Hu, X., Knysz, M., Shin, K.G. (2009). RB-Seeker: Auto-detection
of Redirection Botnets, Annual Network & Distributed System Security Sympo-
sium (NDSS). 27
[IBM ISS IPS] IBM Internet Security Systems, Proventia Network Intrusion Pre-
vention System ⇒ web link (accessed January 2010) 5, 102, 117, 129
[IBM (2009)] IBM Internet Security Systems X-Force 2008 Trend & Risk Report.
⇒ web link (accessed December 2009). 12
[Ingham et al. (2007)] Ingham, K.L., Somayaji, A., Burge, J., Forrest, S. (2007).
Learning dfa representations of http for protecting web applications, Computer
Networks, vol. 51, pp. 1239-1255. 60, 63, 69
[IPv4] Network Sorcery, Inc. Internet Protocol version 4 ⇒ web link (accessed
February 2010) 97
[Jain et al. (1988)] Jain, A.K., Dubes, R.C. (1988). Algorithms for clustering data,
Prentice-Hall, Inc. 33, 35, 39
[Jain et al. (1999)] Jain, A.K., Murty, M.N., Flynn, P. J. (1999). Data clustering:
a review, ACM Computing Surveys, vol. 31(3), pp.264-323. 33, 39
[Jones (1998)] Jones, L. (1998). The Good Times email virus is a hoax! ⇒ web link
(accessed December 2009). 9
[Juniper (2002)] Juniper Networks (2002). HTTP: Apache WebDav PROPFIND Di-
rectory Disclosure ⇒ web link (accessed January 2010) 84
[K-159 (2009)] K-159 (2009). Joomla Hotel Booking System Component XSS/SQL
Injection Multiple Vulnerability, Milw0rm.com ⇒ web link (accessed January
2010) 58
[Kayacik et al. (2006)] Kayacik, H.G., Heywood, M., Zincir-Heywood, N., (2006).
On Evolving Buffer Overflow Attacks Using Genetic Programming. Proceedings
of the 8th annual conference on Genetic and evolutionary computation, ACM,
1667-1674. 117
[Kearns and Ming (1988)] Kearns, M., Li, M. (1988). Learning in the presence
of malicious errors. Proceedings of the twentieth annual ACM symposium on
Theory of computing, 267-280. 111
[Kehoe (1992)] Kehoe, B.P. (1992). Zen and the Art of the Internet: a Beginner's
Guide to the Internet, ⇒ web link (accessed January 2010) 9
[Kenney (1997)] Kenney, M. (1997). Ping of Death attack, insecure.org ⇒ web link
(accessed January 2010) 121
[Kolesnikov and Lee (2004)] Kolesnikov, O., Lee, W. (2004). Advanced Polymorphic
Worms: Evading IDS by Blending in with Normal Traffic, Technical Report,
Georgia Tech. ftp://ftp.cc.gatech.edu/pub/coc/tech_reports/2004/GIT-CC-04-
15.pdf. Last access: July 2009. 123
[Konte et al. (2009)] Konte M., Feamster, N., Jung, J. (2009). Dynamics of Online
Scam Hosting Infrastructure, PAM '09: Proc. Passive and Active Measurement
Conference 26, 27, 28, 37
[Kreibich and Crowcroft (2003)] Kreibich, C., Crowcroft, J., (2003). Honeycomb -
Creating intrusion detection signatures using honeypots. ACM SIGCOMM Com-
puter Communication Review, ACM, 34(1), 51-56. 105
[Kruegel et al. (2004)] Kruegel, C., Robertson, W., Vigna, G., (2004). Using Alert
Verication to Identify Successful Intrusion Attempts. Journal of Practice in
Information Processing and Communication (PIK), 27(4), 219-227. 126
[Kruegel et al. (2005) (a)] Kruegel, C., Vigna, G., Robertson, W. (2005). A multi-
model approach to the detection of web-based attacks. Computer Networks, 48(5),
717-738. 60, 61, 63, 70, 76, 89, 110, 122
[Kruegel et al. (2005) (b)] Kruegel, C., Valeur, V., Vigna, G., (2005). Intrusion De-
tection and Correlation: Challenges and Solutions. Advances in Information Se-
curity, Springer-Verlag TELOS. 127
[Krueger et al. (2010)] Krueger, T., Gehl, C., Rieck, K., Laskov, P. (2010). Tok-
Doc: A Self-Healing Web Application Firewall, In Proceedings of 25th ACM
Symposium on Applied Computing (SAC). 63, 64
[KYE (2007)] The Honeynet Project (2007). Know Your Enemy: Fast-Flux Service
Networks ⇒ web link (accessed January 2010) 25, 31
[Lancaster (2007)] Lancaster, T., (2007). IPv6 & IPv4 Threat Review with Dual-
Stack Considerations, 6journal, Whitepaper. 101
[Lam et al. (2004)] Lam, K., LeBlanc, D., Smith, B., (2004). Assessing Network
Security, Microsoft Press, One Microsoft Way, Redmond, Washington. 3
[Lau (2009)] Lau, K. (2009). Fake security tools still big threat, worms on rise, Com-
puterworld Canada, November 2009 ⇒ web link (accessed January 2010) 10
[Lee and Xiang (2001)] Lee, W., Xiang., D., (2001). Information-theoretic measures
for anomaly detection. IEEE Symposium on Security and Privacy, 130-143. 128
[Lee et al. (2005)] Lee, K., Chari, S., Shaikh, A., Sahu, S., Cheng, P. (2005). Pro-
tecting content distribution networks from denial of service attacks, In IEEE
International Conference on Communications, vol. 2, pp. 830-836. 58
[Lee et al. (2008)] Lee, W., Wang, C., Dagon D. Eds. (2008). Botnet Detection:
Countering the Largest Security Threat, Advances in Information Security, vol.
36, Springer. 11
[Lemos (2001)] Lemos, R. (2001). FBI hack raises global security concerns, CNET
News.com ⇒ web link (accessed December 2009). 4
[Linhart et al. (2005)] Linhart, C., Klein, A., Heled, R., Orrin, S. (2005). HTTP
Request Smuggling, Watchfire ⇒ web link (accessed January 2010). 84
[Lippman et al. (2000)] Lippmann, R., Haines, J., Fried, D., Korba, J., Das, K.
(2000). The 1999 DARPA off-line intrusion detection evaluation, Computer Net-
works, vol. 34, pp. 579-595. 60
[Liu et al. (2005)] Liu, Z., Lin, W., Li, N., Lee, D. (2005). Detecting and filtering
instant messaging spam - a global and personalized approach, In Proceedings of
the 1st IEEE ICNP Workshop on Secure Network Protocols 28
[Lunt et al. (1992)] Lunt, T.F., Tamaru, A., Gilham, F., Jagannathan, R., Jalali,
C., Neumann, P.G., Javitz, H.S., Valdes, A., Garvey, T.D. (1992). A Real-time
Intrusion Detection Expert System (IDES), Final Technical Report, February
28, 1992, SRI International. 95
[Mac Vittie (2007)] Mac Vittie, L. (2007). SQL Injection Evasion Detection, F5
Whitepaper ⇒ web link (accessed January 2010) 16, 60, 84
[Mac Vittie (2010)] Mac Vittie, L. (2007). I am in your HTTP headers, attacking
your application, F5 Whitepaper ⇒ web link (accessed January 2010) 84
[Manion (2003)] Manion, A. (2003). Web servers enable HTTP TRACE method by
default, Vulnerability Note VU#867593, US-CERT ⇒ web link (accessed Jan-
uary 2010) 84
[Miller (2007)] Miller C. (2007). The legitimate vulnerability market: Inside the se-
cretive world of 0-day exploit sales. In Sixth Workshop on the Economics of
Information Security, Independent Security Evaluators ⇒ web link (accessed
January 2010) 11
[Mills (2009)] Mills, E. (2009). Botnet worm in DOS attacks could wipe data out on
infected PCs, CNET News ⇒ web link (accessed January 2010) 12
[Mishne et al. (2005)] Mishne, G., Carmel, D., Lempel, R. (2005). Blocking Blog
Spam with Language Model Disagreement, In Proceedings of the First Interna-
tional Workshop on Adversarial Information Retrieval on the Web 28
[Mitnick (2002)] Mitnick, K. (2002). The Art of Deception, Wiley Publishing Ltd:
Indianapolis, United States of America. 25
[Modsecurity] Breach Security. ModSecurity web application firewall ⇒ web link
(accessed January 2010) 60, 64
[Mutz et al. (2005)] Mutz, D., Kruegel, C., Robertson, W., Vigna, G., Kem-
merer, R.A., (2005). Reverse Engineering of Network Signatures. Proceedings of
the AusCERT Asia Pacic Information Technology Security Conference (Gold
Coast, Australia), University of Queensland. 58, 108, 117, 119
[Nazario et al. (2008)] Nazario, J., Holz, T. (2008). As the net churns: Fast-flux
botnet observations, MALWARE '08: Proceedings of the 3rd International Con-
ference on Malicious and Unwanted Software 26, 27, 28
[Newsome et al. (2005)] Newsome, J., Karp, B., Song, D., (2005). Polygraph: Au-
tomatically generating signatures for polymorphic worms. In Proceedings of the
IEEE Symposium on Security and Privacy, 226- 241. 105, 107
[Newsome et al. (2006)] Newsome, J., Karp, B., Song, D., (2006). Paragraph:
Thwarting Signature Learning by Training Maliciously. Recent Advances in In-
trusion Detection, Springer, 4219, 81-105. 105, 107
[Ng (2009)] Ng, V. (2010). New botnet spams links to sites hosted in Beijing and
Seoul, Search Security Asia ⇒ web link (accessed January 2010) 12
[Northcutt (1999)] Northcutt, S. (1999). Intrusion Detection FAQ: What was the
Melissa virus and what can we learn from it?, SANS Flash Report. ⇒ web link
(accessed December 2009). 9
[Northcutt and Novak (2001)] Northcutt, S., Novak J., (2001). Network Intrusion
Detection. New Riders Publishing, 201 West 103rd Street, Indianapolis. 100
[OASIS] OASIS, Overlay Anycast Service InfraStructure ⇒ web link (accessed Jan-
uary 2010). 40
[OWASP (2010)] Open Web Application Security Project (2010). The Ten Most
Critical Web Application Security Risks (RC 2010) ⇒ web link (accessed Jan-
uary 2010) 15
[Page (1988)] Page, B. (1988). A report on the Internet Worm, University of Lowell,
Computer Science Department ⇒ web link (accessed January 2010) 9
[Passerini et al. (2008)] Passerini, E., Paleari, R., Martignoni, L., Bruschi, D.
(2008). FluXOR: Detecting and Monitoring Fast-Flux Service Networks, DIMVA
'08: Proceedings of the 5th international conference on Detection of Intrusions
and Malware, and Vulnerability Assessment 26, 27, 28, 36, 38
[Patton et al. (2001)] Patton, S., Yurcik, W., Doss, D., (2001). An Achilles' heel in
signature-based IDS: Squealing false positives in SNORT. Proceedings of RAID
2001, Fourth International Symposium on Recent Advances in Intrusion Detec-
tion, Illinois State University. 120
[Paxson and Handley (1999)] Paxson, V., Handley, M. (1999). Defending Against
Network IDS Evasion. Proceedings of RAID 1999 International Symposium on
Recent Advances in Intrusion Detection. 99, 126
[PCI] PCI Security Standards Council. About the PCI Data Security Standard ⇒
web link (accessed January 2010) 15
[Perdisci et al. (2006) (a)] Perdisci, R., Dagon, D., Lee, W., Fogla, P., Sharif, M.,
(2006). Misleading Worm Signature Generators Using Deliberate Noise Injection.
Proceedings of the 2006 IEEE Symposium on Security and Privacy. 105, 107
[Perdisci et al. (2006) (b)] Perdisci, R., Gu, G., Lee, W. (2006). Using an ensemble
of one-class SVM classifiers to harden payload-based anomaly detection systems,
In Proceedings of the Sixth International Conference on Data Mining, IEEE
Computer Society, pp. 488-498. 64, 125, 128
[Perdisci, Corona et al. (2009)] Perdisci, R., Corona, I., Dagon, D., Lee, W. (2009).
Detecting Malicious Flux Service Networks through Passive Analysis of Recur-
sive DNS Traces, Annual Computer Security Applications Conference (ACSAC),
Honolulu, Hawaii, USA. 17
[Perks (2006)] Perks, M. (2006). Best practices for software development projects,
IBM Software Services for WebSphere, International Business Machines Corpo-
ration ⇒ web link (accessed December 2009). 2
152 Bibliography
[PHP IDS] PHP IDS, PHP-Intrusion Detection System ⇒ web link (accessed Jan-
uary 2010) 60
[PSS (2002)] Packet Storm Security (2002). Apache 2.0 Cross-Site Scripting Vul-
nerability, ⇒ web link (accessed February 2010) 84
[Ptacek and Newsham (1998)] Ptacek, T., Newsham, T.N., (1998). Insertion, Eva-
sion, and Denial of Service: evading Network Intrusion Detection, Secure Net-
works Inc. ⇒ web link (accessed February 2010) 95, 96, 97
[Quinlan (1993)] Quinlan, J.R. (1993). C4.5: Programs for Machine Learning,
Morgan Kaufmann Publishers. 38, 41
[Rabiner (1989)] Rabiner, L.R. (1989). A tutorial on hidden Markov models and
selected applications in speech recognition, In Proceedings of the IEEE, vol. 77(2),
pp. 257-286. 67, 75
[RFC 792 (1981)] Network Working Group (1981). Internet Control Message Pro-
tocol, Internet Society ⇒ web link (accessed February 2010) 121
[RFC 2616 (1999)] Network Working Group (1999). Hypertext Transfer Protocol --
HTTP/1.1, Internet Society ⇒ web link (accessed February 2010) 12, 65, 77, 80
[RFC 2818 (2000)] Network Working Group (2000). HTTP Over TLS, Internet So-
ciety ⇒ web link (accessed February 2010) 12, 96
[RFC 4252 (2006)] Network Working Group (2006). The Secure Shell (SSH) Proto-
col Architecture, Internet Society ⇒ web link (accessed February 2010) 96
[Riley et al. (2009)] Riley, R., Jiang, X., Xu, D. (2009). Multi-aspect profiling of
kernel rootkit behavior. Proceedings of the Fourth ACM European Conference on
Computer Systems, ACM, 47-60. 103
[Rolando (2006)] Rolando, M., Rossi, M., Sanarico, N., Mandrioli, D., (2006). A
formal approach to sensor placement and configuration in a network intrusion
detection system. Proceedings of the 2006 international workshop on Software
engineering for secure systems, ACM, 65-71. 100
[Robertson et al. (2006)] Robertson, W., Vigna, G., Kruegel, C., Kemmerer, R.
(2006). Using Generalization and Characterization Techniques in the Anomaly-
based Detection of Web Attacks, In Proceeding of the Network and Distributed
System Security Symposium (NDSS), San Diego, CA. 61, 64, 86, 139
[SAC (2008)] SSAC (2008), SAC 025 - SSAC Advisory on Fast Flux Hosting and
DNS ⇒ web link (accessed January 2010) 22, 25
[SANS (2009)] SANS Institute (2009). The Top Cyber Security Risks - September
2009. ⇒ web link (accessed January 2010) 10, 11, 14, 15
[SH (2010)] Spamhaus (2010). The World's Worst Spammers ⇒ web link (accessed
January 2010) 25
[Shiels, M. (2010)] Shiels, M. (2010). Security experts say Google cyber-attack was
routine, BBC News, Silicon valley ⇒ web link (accessed January 2010) 12
[Shoch and Hupp (1982)] Shoch, J.F., Hupp, J.A. (1982). The Worm Programs -
Early Experience with a Distributed Computation, Communications of the ACM,
vol. 25(3), pp. 172-180. ⇒ web link (accessed January 2010) 9
[Snort] Sourcefire. SNORT Open source network intrusion detection system, ⇒ web
link (accessed January 2010) 60, 104, 117
[Sourcefire IPS] Sourcefire, Inc., Intrusion Prevention System ⇒ web link (accessed
January 2010) 5
[Spett (2002)] Spett, K. (2002). SQL Injection: Are Your Web Applications Vulner-
able?, A White Paper from SPI Dynamics ⇒ web link (accessed January 2010)
58, 84
[L0t3k] L0t3k, SQL Injection: The Complete Documentation ⇒ web link (accessed
January 2010) 60, 84
[Stephenson and Sikdar (2006)] Stephenson, B., Sikdar, B., (2006). A Quasi-species
Approach for Modeling the Dynamics of Polymorphic Worms. 25th IEEE Inter-
national Conference on Computer Communications, INFOCOM. 118
[Symantec (2006)] Symantec (2006). HTTP Smuggle Get Content Length, attack
signature ⇒ web link (accessed January 2010) 84
[Symantec (2009)] Symantec Internet Security Threat Report Finds Malicious Ac-
tivity Continues to Grow at a Record Pace. ⇒ web link (accessed January 2010)
12
[Tandon et al. (2004)] Tandon, G., Chan, P., Mitra, D. (2004). Data Cleaning
and Enriched Representations for Anomaly Detection in System Calls. Machine
Learning and Data Mining for Computer Security, Springer London, 137-156.
105
[Tao et al. (2006)] Tao, D., Tang, X., Li, X., Wu, X., (2006). Asymmetric Bagging
and Random Subspace for Support Vector Machines-Based Relevance Feedback
in Image Retrieval. IEEE Transactions on Pattern Analysis and Machine Intel-
ligence, 28(7), 1088-1099. 108
[Valeur (2006)] Valeur, F., Vigna, G., Kruegel, C., Kirda, E. (2006). An Anomaly-
driven Reverse Proxy for Web Applications, Proceedings of the ACM Symposium
on Applied Computing (SAC), Dijon, France, ACM. 85
[Valiant (1985)] Valiant, L.G., (1985). A theory of the learnable. Communications
of the ACM. 111
[Vigna et al. (2004)] Vigna, G., Robertson, W., Balzarotti, D. (2004). Testing
Network-based Intrusion Detection Signatures Using Mutant Exploits, ACM Con-
ference on Computer and Communications Security, 21-30. 117
[Vigna et al. (2005)] Vigna, G., Robertson, W., Balzarotti, D. (2005). Testing
network-based intrusion detection signatures using mutant exploits, In ACM Con-
ference on Computer and Communications Security, pp. 21-30. 60
[Wagner and Soto (2002)] Wagner, D., Soto, P., (2002). Mimicry Attacks on Host-
Based Intrusion Detection Systems. Proceedings of the ACM Conference on Com-
puter and Communications Security (CCS), ACM, 255-264. 123
[Wang et al. (2004)] Wang, K., Stolfo, S.J. (2004). Anomalous payload-based net-
work intrusion detection. In Proceedings of Recent Advances in Intrusion Detec-
tion (RAID), pp. 203-222. Springer Verlag. 60
[Yong and Yangsheng (2006)] Yong, G., Yangsheng, W., (2006). Boosting in Ran-
dom Subspaces for Face Recognition. Proceedings of the 18th International Con-
ference on Pattern Recognition, 1, 519-522. 108
[Zhan et al. (2007)] Zhan, Q., Reeves, D.S., Ning, P., Purushothaman, S. (2007).
Analyzing Network Traffic To Detect Self-Decrypting Exploit Code. Proceedings
of the 2nd ACM symposium on Information, computer and communications
security, ACM, 4-12. 119