8/3/2019 Fit Presentation 2011
1/18
Rana Faisal Munir, Nabeel Ahmed, Abdul Razzaq, Ali Hur, Farooq Ahmad
Detect HTTP Specification Attacks using Ontology
School of Electrical Engineering and Computer Science (SEECS),
National University of Sciences and Technology (NUST),
Islamabad, Pakistan
Agenda
Introduction
HTTP Protocol
Attacks
HTTP request smuggling
HTTP response splitting
Overview
Existing Solutions
Proposed Solution
A Closer Look
Data Set and Evaluation
Limitations
The End
HTTP
HTTP messages have two types:
Request
Response
HTTP Request: sending a client request to the web server
HTTP Response: sending the response from the web server back to the client
HTTP Request
HTTP Request Format
Start Line: Method URI Version
Headers
Body [Optional]
HTTP Response
HTTP Response Format
Status Line: Version StatusCode StatusPhrase
Headers
Body
HTTP
* http://www.tcpipguide.com/free/t_HTTPResponseMessageFormat.htm
HTTP request smuggling
Encapsulates multiple requests into one
To bypass the web application firewall
HTTP response splitting
Submit a value that also contains the malicious response within it
Server generates two responses: one for the normal request and a second as the attacker desired
Existing Solutions
Signature based solutions: Snort and ModSecurity
Protocol analysis in intrusion detection using decision tree (2004)
Grammar based solution: Context based application level intrusion detection (2006)
Ontology based solution: Ontology based application level intrusion detection system by using Bayesian filter (2009)
Proposed Solution
HTTP Ontology
Semantic Rules
[responsesplitting1: (?r rdf:type Request), (?h rdf:type ResponseHeader), (?r ex:hasHeader ?h) -> (?r rdf:type MaliciousRequest)]
[malformed1: (?r rdf:type HTTP-Request), (?p rdf:type Payload), (?g rdf:type GET), (?r ex:hasMethodType ?g), (?r contain ?p) -> (?r rdf:type MaliciousRequest)]
Semantic Rules
[malformed2: (?r rdf:type HTTP-Request), (?e rdf:type Entity), (?g rdf:type GET), (?r ex:hasMethodType ?g), (?r containHeaders ?e) -> (?r rdf:type MaliciousRequest)]
[malformed3: (?r rdf:type HTTP-Request), (?p rdf:type Payload), (?h rdf:type HEAD), (?r ex:hasMethodType ?h), (?r contain ?p) -> (?r rdf:type MaliciousRequest)]
Data Set
We gather the data set from a real-world application used to store and view student information; this system is known as System Information System.
We gather normal requests, and also malicious requests that we generate using different tools, to make a good dataset.
Evaluation Results
Attack Name         Total Requests  Total Normal Requests  False Alarm Rate  False Positive
Response Splitting  1000            700                    0.1428            1
Request Smuggling   900             850                    0.2852            2
Malformed           900             800                    0.25              2
Detection Rate = [(TA-FN)/TA]*100
False Alarm Rate = [FP/TN]*100
(TA = total attack requests, FN = false negatives, FP = false positives, TN = true negatives)
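The four semantic rules (slides 13 and 14) and the two evaluation formulas above, restated as an added Python example. This is not the authors' ontology or rule-engine code: each rule is re-expressed as a plain check over a parsed request (start line, headers, optional body, as on slide 5), and because the deck does not list the members of its ResponseHeader and Entity classes, the RFC 2616 response-header and entity-header field names are assumed for them. The request samples and the host name are constructed.

```python
import re

# RFC 2616 response-header (section 6.2) and entity-header (section 7.1)
# field names. The deck does not list the members of its ResponseHeader and
# Entity ontology classes, so using these standard sets is an assumption.
RESPONSE_HEADERS = {"accept-ranges", "age", "etag", "location",
                    "proxy-authenticate", "retry-after", "server",
                    "vary", "www-authenticate"}
ENTITY_HEADERS = {"allow", "content-encoding", "content-language",
                  "content-length", "content-location", "content-md5",
                  "content-range", "content-type", "expires", "last-modified"}

# Start line as on slide 5: Method URI Version
START_LINE = re.compile(r"^([A-Z]+) (\S+) (HTTP/\d\.\d)$")


def parse_request(raw: bytes) -> dict:
    """Split a raw request into start line, headers and (optional) body.

    Raises ValueError when the start line is not 'Method URI Version'.
    Header names are lower-cased so the rule checks are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = START_LINE.match(lines[0])
    if not m:
        raise ValueError(f"bad start line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": m.group(1), "uri": m.group(2),
            "version": m.group(3), "headers": headers, "body": body}


def classify(req: dict) -> list:
    """Return the names of the deck's rules that fire; an empty list means
    the request is treated as normal."""
    fired = []
    names = set(req["headers"])
    # responsesplitting1: a request that carries a response header
    if names & RESPONSE_HEADERS:
        fired.append("responsesplitting1")
    # malformed1: GET that carries a payload
    if req["method"] == "GET" and req["body"]:
        fired.append("malformed1")
    # malformed2: GET that carries entity headers
    if req["method"] == "GET" and names & ENTITY_HEADERS:
        fired.append("malformed2")
    # malformed3: HEAD that carries a payload
    if req["method"] == "HEAD" and req["body"]:
        fired.append("malformed3")
    return fired


def evaluate(samples) -> tuple:
    """Apply the deck's formulas to labelled samples [(raw, is_attack), ...]:
    Detection Rate = (TA-FN)/TA*100 and False Alarm Rate = FP/TN*100."""
    ta = fn = fp = tn = 0
    for raw, is_attack in samples:
        flagged = bool(classify(parse_request(raw)))
        if is_attack:
            ta += 1
            fn += not flagged
        else:
            fp += flagged
            tn += not flagged
    detection_rate = (ta - fn) / ta * 100 if ta else 0.0
    false_alarm_rate = fp / tn * 100 if tn else 0.0
    return detection_rate, false_alarm_rate


# Constructed sample traffic (not from the authors' dataset), labelled
# True for attack and False for normal. The host name is a placeholder.
SAMPLES = [
    (b"GET /students?id=42 HTTP/1.1\r\nHost: sis.example\r\n\r\n", False),
    (b"POST /login HTTP/1.1\r\nHost: sis.example\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n"
     b"Content-Length: 11\r\n\r\nuser=a&pw=b", False),
    # a normal client that sends Content-Length: 0 on a GET; malformed2 flags it
    (b"GET /students HTTP/1.1\r\nHost: sis.example\r\nContent-Length: 0\r\n\r\n", False),
    # response header (Location) present in a request
    (b"GET /view HTTP/1.1\r\nHost: sis.example\r\nLocation: /other\r\n\r\n", True),
    # GET with an entity header
    (b"GET /view HTTP/1.1\r\nHost: sis.example\r\nContent-Type: text/plain\r\n\r\n", True),
    # GET with a payload
    (b"GET /view HTTP/1.1\r\nHost: sis.example\r\n\r\nx=1", True),
    # HEAD with a payload
    (b"HEAD /view HTTP/1.1\r\nHost: sis.example\r\n\r\nx=1", True),
]

if __name__ == "__main__":
    for raw, is_attack in SAMPLES:
        print(is_attack, classify(parse_request(raw)))
    print("detection rate %.1f, false alarm rate %.1f" % evaluate(SAMPLES))
```

Running the block shows the trade-off the False Alarm Rate column measures: every constructed attack sample fires exactly one rule, but the normal GET that carries Content-Length: 0 is also flagged by malformed2, because that rule treats any entity header on a GET as malicious. On real traffic such a strict rule needs the Entity class scoped to the headers the protected application never expects, otherwise common clients raise the false alarm rate.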
Limitations
Performance
Load time
Request time out
Questions? Thank You