
Intrusion Detection for Web Services

Yang Sha, ys2280@columbia.edu


Presentation Transcript


  1. Intrusion Detection for Web Services Yang Sha ys2280@columbia.edu

  2. Intrusion detections
     • Host-based IDS (HIDS)
       • Scan logs on local system
     • Network-based IDS (NIDS)
       • Analyze network packets
       • Impossible to check all packets
     • Misuse detection IDS
       • Rule-based IDS
     • Anomaly detection IDS
       • Learn the patterns of user and malicious behaviors

  3. Threat models for web services
     • XML DoS and DDoS
       • Jumbo payloads, recursive elements, XML flood
     • Unauthorized access
     • Data integrity
       • XML hijacks
     • System compromise
       • Attacker gets admin permission

  4. XML DoS Example

     <?xml version="1.0" encoding="UTF-8"?>
     <!DOCTYPE root [
     <!ENTITY ha "Ha !">
     <!ENTITY ha2 "&ha; &ha;">
     <!ENTITY ha3 "&ha2; &ha2;">
     <!ENTITY ha4 "&ha3; &ha3;">
     <!ENTITY ha5 "&ha4; &ha4;">
     ...
     <!ENTITY ha128 "&ha127; &ha127;">
     ]>
     <root>&ha128;</root>

  5. IDS solution to XML DoS and DDoS
     • Rule-based NIDS (like Snort)
     • Sample rules for detecting DoS and DDoS

  6. XML Hijack Example
     • One of the most common attacks

  7. IDS solution to XML hijack
     • Trying all the possible cryptographic algorithms
     • Very time-consuming

  8. IDS solution to other data integrity issues
     • A network-based IDS cannot verify data integrity
     • Without the private key or session key, an IDS can hardly analyze encrypted XML documents

  9. IDS solution to unauthorized access
     • Build up a user behavior pattern based on past operations
     • Compare new behavior with past patterns, and raise an alert whenever there is a huge mismatch

  10. Can IDS solve the problem?

  11. Conclusion
     • IDS can only solve part of the problem
     • Hard to avoid zero-day attacks
     • Future improvement
       • Packet sampling
       • Real-time classification of user behavior patterns
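
The XML DoS payload on slide 4 and the rule-based detection that slide 5 points to can be illustrated with a pre-parse check. This is an added example, not part of the presentation: it reads the DOCTYPE and computes how large each internal general entity would become, without expanding it. The function names, the 100,000-character threshold and the three-level sample are assumptions.

```python
import re

# Internal general entity declarations only: <!ENTITY name "value">
ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.-]+)\s+(["\'])(.*?)\2\s*>', re.S)
ENTITY_REF = re.compile(r"&([\w.-]+);")
MAX_EXPANDED_CHARS = 100_000  # assumed alert threshold; tune per service


def expanded_sizes(xml_text):
    """Map each declared entity to its expanded length without expanding it."""
    decls = {}
    for name, _quote, value in ENTITY_DECL.findall(xml_text):
        decls.setdefault(name, value)  # in XML the first declaration wins
    sizes = {}

    def size(name, stack):
        if name in stack:
            return float("inf")  # entity refers back to itself
        if name not in sizes:
            value = decls[name]
            total = len(ENTITY_REF.sub("", value))  # literal characters
            for ref in ENTITY_REF.findall(value):
                # predefined or undeclared references count as one character
                total += size(ref, stack | {name}) if ref in decls else 1
            sizes[name] = total
        return sizes[name]

    for name in decls:
        size(name, frozenset())
    return sizes


def alerts(xml_text, limit=MAX_EXPANDED_CHARS):
    """Return one alert string per entity whose expansion exceeds `limit`."""
    try:
        sizes = expanded_sizes(xml_text)
    except RecursionError:  # nesting deeper than the interpreter allows
        return ["entity nesting too deep to evaluate"]
    return [f"entity '{n}' expands to {s} chars"
            for n, s in sizes.items() if s > limit]


# Constructed sample: the slide's pattern cut to three levels.
SAMPLE = """<!DOCTYPE root [
<!ENTITY ha "Ha !">
<!ENTITY ha2 "&ha; &ha;">
<!ENTITY ha3 "&ha2; &ha2;">
]>
<root>&ha3;</root>"""
```

Each level doubles the previous size and adds one space, so the check works with exact integers and never allocates the expanded string, which keeps the detector itself from being exhausted by the payload.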
