A Novel Web Tunnel Detection Method Based on Protocol Behaviors
A Novel Web Tunnel Detection Method Based on Protocol Behaviors

Fei Wang

Department of Computer Science and Technology

University of Science and Technology of China

September 27th, 2013

SecureComm 2013 Fei Wang USTC


Contents

  • Background

  • Relevant Notions and Techniques

  • Our Method

  • Result

  • Conclusion



Background (1)

Web Tunnel

Background (2)

Why not Deep Payload Inspection (DPI)?

Clear-Text

Encryption

Background (3)

  • Fingerprint-Based Detection

  • Bayesian estimation

  • Packet sequence in interaction

  • Two-class classifier

  • Too much network data

  • Server and client are separated



Notions and Techniques (1)

Similar IP

IP similarity identification

Notions and Techniques (2)

Web Flow and Session

Request Timeline

Notions and Techniques (3)

  • Kernel Density Estimation (I)

  • If X={x1,x2,…,xn}, we can estimate the density of X by

  • K is the kernel and h is the kernel bandwidth

Notions and Techniques (4)

  • Kernel Density Estimation (II)

  • In general, K is selected as the standard Gaussian distribution

  • Then, h can be optimized as



Our Method (1)

Outline

Work Flow

Our Method (2)

  • Four First-Order Features

  • Average Request Size (Reqavg)

  • Request Size Variance (Reqvar)

  • Average Response Size (Resavg)

  • Response Size Variance (Resvar)

Our Method (3)

TCP Packet Classification (I)

BL bins

BT bins

Our Method (4)

  • TCP Packet Classification (II)

  • <t,l,d>, three elements

  • t: inter-packet delay (1 to BT)

  • l: packet size (1 to BL)

  • d: direction (0 or 1)

Our Method (5)

N-Range Packet Pair

<2,5>,<2,4>,<5,4>

3-RPP

Our Method (6)

Second-Order Features (I)

The K-L divergence of packet distribution between the legitimate and the suspicious, DKL

Our Method (7)

Second-Order Feature (II)

The entropy of N-RPP, EN-RPP

Our Method (8)

Second-Order Features (III.a)

Pointwise Mutual Information

N-Range Mutual Information (N-RMI)

Our Method (8)

  • Second-Order Features (III.b)

  • 2,5,1,3,4,15,103,19,2,3,3 (4-RPP)

  • <2,5>, <2,1>, <2,3>, <5,1>, <5,3>, <5,4>, <1,3>, <1,4>, <1,15>, <3,4>, <3,15>, <3,103>, <4,15>, <4,103>, <4,19>, <15,103>, <15,19>, <15,2>, <103,19>, <103,2>, <103,3>, <19,2>, <19,3>, <19,3>, <2,3>, <2,3>, <3,3>

  • C23=3, C2?=5, C?3=8 and Ctot=27

  • 4-RMI<2,3> = 1.0179

SecureComm 2013 Fei Wang USTC


Our Method (9) Behaviors

  • Second-Order Features (III.c)

  • Select the M greatest N-RMIs in a suspicious session

  • N-RMI<i,j> is for the suspicious session

  • is for legitimate sessions
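The N-RPP extraction of slide III.b, the entropy E_N-RPP of slide II, the N-RMI of III.a and the top-M selection of III.c, as an added Python example (my own code, not the paper's). It assumes each position is paired with the following N-1 positions, which reproduces the slide's 27 pairs, and that the pointwise mutual information uses log base 2, which reproduces 1.0179 from the slide's stated counts.

```python
import math
from collections import Counter
from typing import List, Sequence, Tuple

Pair = Tuple[int, int]

# Constructed input: the slide's 4-RPP example, one session's packet-size bin sequence.
SLIDE_SEQ = [2, 5, 1, 3, 4, 15, 103, 19, 2, 3, 3]


def n_rpp(seq: Sequence[int], n: int) -> List[Pair]:
    """N-Range Packet Pairs <x_i, x_j> for every j with 0 < j - i < n.
    Assumed convention: each position is paired with the next N-1 positions."""
    return [(seq[i], seq[j])
            for i in range(len(seq))
            for j in range(i + 1, min(i + n, len(seq)))]


def entropy_n_rpp(pairs: Sequence[Pair]) -> float:
    """E_N-RPP: Shannon entropy (bits) of a session's pair distribution."""
    total = len(pairs)
    return -sum(c / total * math.log2(c / total) for c in Counter(pairs).values())


def pmi_from_counts(c_ij: int, c_i: int, c_j: int, c_tot: int) -> float:
    """Pointwise mutual information log2(P(i,j) / (P(i) P(j))) from raw counts.
    Base 2 is assumed: the slide's counts (3, 5, 8, 27) then give its 1.0179."""
    return math.log2((c_ij * c_tot) / (c_i * c_j))


def n_rmi(pairs: Sequence[Pair], i: int, j: int) -> float:
    """N-RMI<i,j> of one session: PMI of bin i followed, within range, by bin j."""
    counts = Counter(pairs)
    c_ij = counts[(i, j)]
    if c_ij == 0:
        raise ValueError(f"pair <{i},{j}> never occurs; its N-RMI is undefined")
    c_i = sum(v for (a, _), v in counts.items() if a == i)  # C_{i,*}
    c_j = sum(v for (_, b), v in counts.items() if b == j)  # C_{*,j}
    return pmi_from_counts(c_ij, c_i, c_j, len(pairs))


def top_m_n_rmi(pairs: Sequence[Pair], m: int) -> List[Tuple[Pair, float]]:
    """The M greatest N-RMI values of a suspicious session (slide III.c), largest first."""
    scored = {p: n_rmi(pairs, *p) for p in set(pairs)}
    return sorted(scored.items(), key=lambda kv: (-kv[1], kv[0]))[:m]


if __name__ == "__main__":
    pairs = n_rpp(SLIDE_SEQ, 4)
    print(len(pairs), entropy_n_rpp(pairs), n_rmi(pairs, 2, 3), top_m_n_rmi(pairs, 3))
```

A direct tally of the 27 listed pairs gives nine rather than eight pairs ending in 3, so n_rmi on the raw sequence returns about 0.848, while pmi_from_counts with the slide's own counts returns its 1.0179.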

Our Method (9)

  • Feature Vector

  • Settings: N = 3, M = 25, BL = 20, BT = 15

  • <Reqavg, Reqvar, Resavg, Resvar, DKL, E3-RPP, D3-RMI>



Result (1)

Data Collection (I)

Result (2)

  • Data Collection (II)

  • HTTPTunnel

  • Barracuda HTTPS Tunnel

  • Weekdays 14:00 – 17:30

  • One month

Result (3)

Result (4)



Conclusion

  • Web Tunnel Detection

  • 4 First-Order Features

  • 3 Second-Order Features

  • N-RPP and N-RMI

Thank You!