SecureComm 2013 Fei Wang USTC

Presentation Transcript


  1. A Novel Web Tunnel Detection Method Based on Protocol Behaviors
     Fei Wang, Department of Computer Science and Technology, University of Science and Technology of China
     September 27th, 2013, SecureComm 2013

  2. Contents
     • Background
     • Relevant Notions and Techniques
     • Our Method
     • Result
     • Conclusion

  3. Contents (section divider, same list as slide 2)

  4. Background (1): Web Tunnel

  5. Background (2): Why not Deep Payload Inspection (DPI)? Clear-Text; Encryption

  6. Background (3)
     • Fingerprint-based detection
     • Bayesian estimation
     • Packet sequence in interaction
     • Two-class classifier
     • Too much network data
     • Server and client are separated

  7. Contents (section divider, same list as slide 2)

  8. Notions and Techniques (1): Similar IP; IP similarity identification

  9. Notions and Techniques (2): Web flow and session; request timeline

  10. Notions and Techniques (3)
     • Kernel Density Estimation (I)
     • If X = {x1, x2, …, xn}, we can estimate the density of X by (formula omitted in transcript)
     • K is the kernel and h is the kernel bandwidth

  11. Notions and Techniques (4)
     • Kernel Density Estimation (II)
     • In general, K is selected as the standard Gaussian distribution
     • Then, h can be optimized as (formula omitted in transcript)
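Slides 10 and 11 name the two ingredients of the estimator (a Gaussian kernel K and a bandwidth h) but the transcript does not carry either formula. The following is an added example, not code from the paper: it implements the standard Gaussian-kernel KDE over a constructed sample of request sizes and, because the slide's bandwidth formula is missing, substitutes Silverman's rule of thumb (an assumption). It also integrates the estimate numerically, the check a practitioner should run before a KDE-derived distribution is fed into a K-L divergence, since a mis-scaled density distorts every feature built on it.

```python
import math

# Constructed sample: HTTP request sizes (bytes) observed in one web session.
# These values are made up for the example; they are not data from the paper.
SAMPLE_REQUEST_SIZES = [290.0, 300.0, 310.0, 320.0, 1180.0, 1200.0]


def gaussian_kernel(u):
    """Standard Gaussian kernel K(u), the kernel choice the slide names."""
    return math.exp(-0.5 * u * u) / math.sqrt(2.0 * math.pi)


def silverman_bandwidth(xs):
    """Bandwidth h for a Gaussian kernel.

    Assumption: the slide says h "can be optimized" but the transcript does
    not carry the formula, so Silverman's rule of thumb is used here:
    h = 1.06 * sigma * n^(-1/5), with sigma the sample standard deviation.
    """
    n = len(xs)
    if n < 2:
        raise ValueError("need at least two samples to estimate a bandwidth")
    mean = sum(xs) / n
    sigma = math.sqrt(sum((x - mean) ** 2 for x in xs) / (n - 1))
    return 1.06 * sigma * n ** (-0.2)


def kde(xs, x, h=None):
    """Kernel density estimate f_h(x) = (1/(n*h)) * sum_i K((x - x_i) / h)."""
    if h is None:
        h = silverman_bandwidth(xs)
    n = len(xs)
    return sum(gaussian_kernel((x - xi) / h) for xi in xs) / (n * h)


def kde_total_mass(xs, step=1.0, h=None):
    """Numerically integrate the estimate over +-5h around the sample.

    A density must integrate to 1; a value far from 1 means the estimate is
    mis-scaled and any divergence computed from it will be wrong.
    """
    if h is None:
        h = silverman_bandwidth(xs)
    lo, hi = min(xs) - 5.0 * h, max(xs) + 5.0 * h
    total, x = 0.0, lo
    while x <= hi:
        total += kde(xs, x, h) * step
        x += step
    return total


if __name__ == "__main__":
    h = silverman_bandwidth(SAMPLE_REQUEST_SIZES)
    print(f"h = {h:.1f} bytes")
    for point in (305.0, 750.0, 1190.0):
        print(f"f({point:.0f}) = {kde(SAMPLE_REQUEST_SIZES, point, h):.3e}")
    print(f"total mass = {kde_total_mass(SAMPLE_REQUEST_SIZES):.4f}")
```

With six samples spread over two clusters, Silverman's rule gives a bandwidth of roughly 340 bytes, wide enough to smooth over both clusters; a real session would supply far more samples and a correspondingly narrower h.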

  12. Contents (section divider, same list as slide 2)

  13. Our Method (1): Outline; work flow

  14. Our Method (2)
     • Four first-order features
     • Average request size (Reqavg)
     • Request size variance (Reqvar)
     • Average response size (Resavg)
     • Response size variance (Resvar)

  15. Our Method (3): TCP Packet Classification (I); BL bins, BT bins

  16. Our Method (4)
     • TCP Packet Classification (II)
     • <t, l, d>, three elements
     • t: inter-packet delay (1 to BT)
     • l: packet size (1 to BL)
     • d: direction (0 or 1)

  17. Our Method (5): N-Range Packet Pair; <2,5>, <2,4>, <5,4> (3-RPP)

  18. Our Method (6): Second-Order Features (I); the K-L divergence of packet distribution between the legitimate and the suspicious, DKL
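Slides 14 to 18 describe the first-order features, the <t, l, d> packet classification with BL size bins and BT delay bins, and the K-L divergence DKL between the legitimate and the suspicious packet-class distributions. The block below is an added example, not the paper's code: it computes all of these over two constructed sessions. The bin edges are not on the slides, so geometric edges are assumed; direction 0 is assumed to mean client-to-server; the variance is taken as the population variance; and DKL is additively smoothed so that a class seen only in one session does not produce an infinite divergence, which is the failure mode a detector built on this feature has to handle.

```python
import math
from collections import Counter

# Settings from slide 23: BL size bins, BT inter-packet-delay bins.
BL = 20
BT = 15

# Assumption: the slides do not give the bin edges. Geometric edges are used
# here, sizes from 40 to 1500 bytes and delays from 1 ms to 10 s.
SIZE_EDGES = [40.0 * (1500.0 / 40.0) ** (i / BL) for i in range(1, BL + 1)]
DELAY_EDGES = [0.001 * 10000.0 ** (i / BT) for i in range(1, BT + 1)]

# Constructed sessions, (timestamp_s, size_bytes, direction); direction 0 is
# client -> server, 1 is server -> client (assumed coding of the slide's d).
LEGIT_SESSION = [
    (0.00, 420, 0), (0.08, 1460, 1), (0.09, 1460, 1), (0.10, 820, 1),
    (1.50, 390, 0), (1.57, 1460, 1), (1.58, 640, 1),
    (4.20, 450, 0), (4.29, 1460, 1), (4.30, 1460, 1), (4.31, 300, 1),
]
TUNNEL_SESSION = [
    (0.00, 1000, 0), (0.03, 120, 1), (0.50, 1000, 0), (0.53, 120, 1),
    (1.00, 1000, 0), (1.03, 120, 1), (1.50, 1000, 0), (1.53, 120, 1),
    (2.00, 1000, 0), (2.03, 120, 1),
]


def mean(xs):
    return sum(xs) / len(xs)


def variance(xs):
    """Population variance (the slide says 'variance' without qualifying it)."""
    m = mean(xs)
    return sum((x - m) ** 2 for x in xs) / len(xs)


def first_order_features(session):
    """Reqavg, Reqvar, Resavg, Resvar from a session's packet sizes."""
    requests = [size for _, size, d in session if d == 0]
    responses = [size for _, size, d in session if d == 1]
    return {
        "Reqavg": mean(requests), "Reqvar": variance(requests),
        "Resavg": mean(responses), "Resvar": variance(responses),
    }


def bin_index(value, edges):
    """1-based bin for value; values above the last edge land in the last bin."""
    for i, edge in enumerate(edges, start=1):
        if value <= edge:
            return i
    return len(edges)


def classify_packets(session):
    """Map each packet to the slide's <t, l, d> triple."""
    triples, prev_t = [], None
    for t, size, d in session:
        delay = 0.0 if prev_t is None else t - prev_t
        triples.append((bin_index(delay, DELAY_EDGES), bin_index(size, SIZE_EDGES), d))
        prev_t = t
    return triples


def distribution(triples):
    counts = Counter(triples)
    return {k: v / len(triples) for k, v in counts.items()}


def kl_divergence(p, q, eps=1e-6):
    """D_KL(P || Q) over the union of both supports.

    A class present in P but absent from Q makes the divergence infinite, so
    both distributions are additively smoothed (assumption) and renormalised.
    """
    keys = set(p) | set(q)
    ps = {k: p.get(k, 0.0) + eps for k in keys}
    qs = {k: q.get(k, 0.0) + eps for k in keys}
    zp, zq = sum(ps.values()), sum(qs.values())
    return sum((ps[k] / zp) * math.log((ps[k] / zp) / (qs[k] / zq)) for k in keys)


def dkl_feature(legit_session, suspicious_session):
    """DKL of slide 18: divergence between legitimate and suspicious classes."""
    return kl_divergence(distribution(classify_packets(legit_session)),
                         distribution(classify_packets(suspicious_session)))


if __name__ == "__main__":
    print(first_order_features(LEGIT_SESSION))
    print(first_order_features(TUNNEL_SESSION))
    print("DKL(legit || tunnel) =", round(dkl_feature(LEGIT_SESSION, TUNNEL_SESSION), 4))
```

The constructed tunnel session shows why the first-order features already carry signal: its request and response sizes are constant, so Reqvar and Resvar collapse to zero, whereas a browsing session mixes small requests with full-size and trailing response segments.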

  19. Our Method (7): Second-Order Feature (II); the entropy of N-RPP, EN-RPP

  20. Our Method (8): Second-Order Features (III.a); Pointwise Mutual Information; N-Range Mutual Information (N-RMI)

  21. Our Method (8)
     • Second-Order Features (III.b)
     • 2, 5, 1, 3, 4, 15, 103, 19, 2, 3, 3 (4-RPP)
     • <2,5>, <2,1>, <2,3>, <5,1>, <5,3>, <5,4>, <1,3>, <1,4>, <1,15>, <3,4>, <3,15>, <3,103>, <4,15>, <4,103>, <4,19>, <15,103>, <15,19>, <15,2>, <103,19>, <103,2>, <103,3>, <19,2>, <19,3>, <19,3>, <2,3>, <2,3>, <3,3>
     • C23 = 3, C2? = 5, C?3 = 8 and Ctot = 27
     • 4-RMI<2,3> = 1.0179

  22. Our Method (9)
     • Second-Order Features (III.c)
     • Select the first M greatest N-RMIs in a suspicious session
     • N-RMI<i,j> is for the suspicious session
     • (symbol omitted in transcript) is for legitimate sessions

  23. Our Method (10)
     • Feature vector
     • Settings: N = 3, M = 25, BL = 20, BT = 15
     • <Reqavg, Reqvar, Resavg, Resvar, DKL, E3-RPP, D3-RMI>
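Slides 17, 19, 21 and 22 define N-range packet pairs, their entropy, the N-RMI pointwise mutual information, and the top-M selection that feeds D3-RMI. The block below is an added example, not the paper's code, and runs on slide 21's own sequence. The pair enumeration reproduces slide 17's 3-RPP triple and slide 21's 27 four-range pairs, C23 = 3, C2? = 5 and Ctot = 27. Counting straight from the 27 listed pairs gives C?3 = 9 where the slide states 8 (the transcript does not spell out its counting rule), so pmi_from_counts is kept separate to show that base-2 logarithms turn the slide's own counts into its 1.0179. The entropy base is assumed to be 2 as well, and the block stops at the top-M list because the formula that turns it into D3-RMI is not in the transcript.

```python
import math
from collections import Counter

# Slide 21's packet-class sequence (4-RPP), reused here as the worked input.
SLIDE_SEQUENCE = [2, 5, 1, 3, 4, 15, 103, 19, 2, 3, 3]


def n_rpp(seq, n):
    """N-Range Packet Pairs: pair every element with the n-1 elements after it.

    For seq = [2, 5, 4] and n = 3 this yields <2,5>, <2,4>, <5,4>, the 3-RPP
    example of slide 17.
    """
    pairs = []
    for i, a in enumerate(seq):
        for b in seq[i + 1:i + n]:
            pairs.append((a, b))
    return pairs


def rpp_entropy(pairs):
    """E_N-RPP: Shannon entropy of the pair distribution (base 2 assumed)."""
    total = len(pairs)
    return -sum((c / total) * math.log2(c / total) for c in Counter(pairs).values())


def pmi_from_counts(c_ij, c_i, c_j, c_tot):
    """Pointwise mutual information log2(C_ij * C_tot / (C_i? * C_?j)).

    Base 2 reproduces the slide's 4-RMI<2,3> = 1.0179 from its counts
    C23 = 3, C2? = 5, C?3 = 8, Ctot = 27.
    """
    return math.log2(c_ij * c_tot / (c_i * c_j))


def pair_counts(pairs, i, j):
    """(C_ij, C_i?, C_?j, C_tot) counted directly from the pair list."""
    counts = Counter(pairs)
    c_ij = counts[(i, j)]
    c_i = sum(v for (a, _), v in counts.items() if a == i)
    c_j = sum(v for (_, b), v in counts.items() if b == j)
    return c_ij, c_i, c_j, len(pairs)


def n_rmi(pairs, i, j):
    """N-RMI<i,j> for a pair that occurs in the list."""
    c_ij, c_i, c_j, c_tot = pair_counts(pairs, i, j)
    if c_ij == 0:
        raise ValueError(f"pair <{i},{j}> does not occur")
    return pmi_from_counts(c_ij, c_i, c_j, c_tot)


def top_m_rmi(seq, n, m):
    """Slide 22: the M greatest N-RMI values of a session, as [(<i,j>, value)]."""
    pairs = n_rpp(seq, n)
    scored = [((i, j), n_rmi(pairs, i, j)) for (i, j) in set(pairs)]
    scored.sort(key=lambda item: (-item[1], item[0]))
    return scored[:m]


if __name__ == "__main__":
    pairs = n_rpp(SLIDE_SEQUENCE, 4)
    print(len(pairs), "pairs; E_4-RPP =", round(rpp_entropy(pairs), 4))
    print("counts for <2,3>:", pair_counts(pairs, 2, 3))
    print("4-RMI<2,3> from the slide's counts:", round(pmi_from_counts(3, 5, 8, 27), 4))
    print("top 3:", top_m_rmi(SLIDE_SEQUENCE, 4, 3))
```

In a deployment the sequence elements would be the <t, l, d> class indices of slide 16 rather than bare integers, and N, M would take the slide 23 settings N = 3, M = 25; the pair and count logic is unchanged.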

  24. Contents (section divider, same list as slide 2)

  25. Result (1): Data Collection (I)

  26. Result (2)
     • Data Collection (II)
     • HTTPTunnel
     • Barracuda HTTPS Tunnel
     • Weekdays 14:00 – 17:30
     • One month

  27. Result (3) (no text in transcript)

  28. Result (4) (no text in transcript)

  29. Contents (section divider, same list as slide 2)

  30. Conclusion
     • Web tunnel detection
     • 4 first-order features
     • 3 second-order features
     • N-RPP and N-RMI

  31. Thank You!
