Presentation Transcript

A Novel Web Tunnel Detection Method Based on Protocol Behaviors

Fei Wang

Department of Computer Science and Technology

University of Science and Technology of China

September 27th, 2013

SecureComm 2013 Fei Wang USTC

slide2

Contents

  • Background
  • Relevant Notions and Techniques
  • Our Method
  • Result
  • Conclusion

Background (1)

Web Tunnel

Background (2)

Why not Deep Payload Inspection (DPI)?

Clear-Text

Encryption

Background (3)

  • Fingerprint-Based Detection
  • Bayesian estimation
  • Packet sequence in interaction
  • Two-class classifier
  • Too much network data
  • Server and client are separated

Notions and Techniques (1)

Similar IP

IP similarity identification

Notions and Techniques (2)

Web Flow and Session

Request Timeline

Notions and Techniques (3)

  • Kernel Density Estimation (I)
  • If X = {x1, x2, …, xn}, we can estimate the density of X by
  • K is the kernel and h is the kernel bandwidth

Notions and Techniques (4)

  • Kernel Density Estimation (II)
  • In general, K is selected as the standard Gaussian distribution
  • Then, h can be optimized as

Our Method (1)

Outline

Work Flow

Our Method (2)

  • Four First-Order Features
  • Average Request Size (Reqavg)
  • Request Size Variance (Reqvar)
  • Average Response Size (Resavg)
  • Response Size Variance (Resvar)

Our Method (3)

TCP Packet Classification (I)

BL bins

BT bins

Our Method (4)

  • TCP Packet Classification (II)
  • <t,l,d>: three elements
  • t: inter-packet delay (1 to BT)
  • l: packet size (1 to BL)
  • d: direction (0 or 1)

Our Method (5)

N-Range Packet Pair

<2,5>,<2,4>,<5,4>

3-RPP

Our Method (6)

Second-Order Features (I)

The K-L divergence between the packet distributions of legitimate and suspicious sessions, DKL

Our Method (7)

Second-Order Features (II)

The entropy of N-RPP, EN-RPP

Our Method (8)

Second-Order Features (III.a)

Pointwise Mutual Information

N-Range Mutual Information (N-RMI)

Our Method (8)

  • Second-Order Features (III.b)
  • 2,5,1,3,4,15,103,19,2,3,3 (4-RPP)
  • <2,5>, <2,1>, <2,3>, <5,1>, <5,3>, <5,4>, <1,3>, <1,4>, <1,15>, <3,4>, <3,15>, <3,103>, <4,15>, <4,103>, <4,19>, <15,103>, <15,19>, <15,2>, <103,19>, <103,2>, <103,3>, <19,2>, <19,3>, <19,3>, <2,3>, <2,3>, <3,3>
  • C23=3, C2?=5, C?3=8 and Ctot=27
  • 4-RMI<2,3> = 1.0179
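Worked in code, as an added example that is not part of the talk: the N-RPP enumeration of slides 17 and 21 and the N-RMI (pointwise mutual information) of slide 20, run over the slide's own 4-RPP sequence. The packet classes are the slide's plain integers, so the <t,l,d> binning is assumed to have been done already, and log base 2 is assumed for the PMI (it reproduces the slide's 1.0179 from the slide's counts).

```python
import math
from collections import Counter


def n_rpp(seq, n):
    """N-Range Packet Pairs: every ordered pair <a, b> where b lies at most
    n-1 positions after a, emitted in the order the slide lists them."""
    pairs = []
    for i, a in enumerate(seq):
        for j in range(i + 1, min(i + n, len(seq))):
            pairs.append((a, seq[j]))
    return pairs


def pmi_from_counts(c_ij, c_i, c_j, c_tot):
    """PMI from the slide's counts: log2( P(i,j) / (P(i,?) P(?,j)) )."""
    if c_ij == 0:
        return float("-inf")
    return math.log2(c_ij * c_tot / (c_i * c_j))


def n_rmi(pairs, i, j):
    """N-Range Mutual Information of <i,j>, counted directly from the pairs."""
    c_ij = sum(1 for p in pairs if p == (i, j))
    c_i = sum(1 for p in pairs if p[0] == i)   # C_i?
    c_j = sum(1 for p in pairs if p[1] == j)   # C_?j
    return pmi_from_counts(c_ij, c_i, c_j, len(pairs))


def rpp_entropy(pairs):
    """Entropy of the N-RPP distribution (E_N-RPP), in bits."""
    total = len(pairs)
    return -sum(c / total * math.log2(c / total) for c in Counter(pairs).values())


def top_m_rmi(pairs, m):
    """The M greatest N-RMI values of a session, the input to D_N-RMI."""
    scores = {p: n_rmi(pairs, *p) for p in set(pairs)}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)[:m]


if __name__ == "__main__":
    slide_seq = [2, 5, 1, 3, 4, 15, 103, 19, 2, 3, 3]   # the slide's 4-RPP input
    rpp = n_rpp(slide_seq, 4)
    print(len(rpp), "pairs;", "slide counts give", pmi_from_counts(3, 5, 8, 27))
    print("counted from the pairs, 4-RMI<2,3> =", n_rmi(rpp, 2, 3))
```

Enumerating the 27 listed pairs gives nine that end in 3 (<3,3> included), one more than the slide's C?3 = 8; the slide's 1.0179 is log2(3·27 / (5·8)) with its own counts.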

Our Method (9)

  • Second-Order Features (III.c)
  • Select the M greatest N-RMIs in a suspicious session
  • N-RMI<i,j> is for the suspicious session
  • is for legitimate sessions

Our Method (10)

  • Feature Vector
  • Settings: N = 3, M = 25, BL = 20, BT = 15
  • <Reqavg, Reqvar, Resavg, Resvar, DKL, E3-RPP, D3-RMI>

Result (1)

Data Collection (I)

Result (2)

  • Data Collection (II)
  • HTTPTunnel
  • Barracuda HTTPS Tunnel
  • Weekdays 14:00 – 17:30
  • One month

Result (3)

Result (4)

Conclusion

  • Web Tunnel Detection
  • 4 First-Order Features
  • 3 Second-Order Features
  • N-RPP and N-RMI

Thank You!
