Autonomic Application Security Management

Network monitoring systems can be broadly classified into two types, namely signature based systems and anomaly based systems. Signature based systems are limited by the number of anomalies they can detect (which depends on the number of signatures in the database) while anomaly based systems have a high false positive rate. The existing payload anomaly detection systems use either byte distributions or work on the first line of the payload. Such an approach limits the number of attacks that can be detected and works only for certain protocols (say GET request of HTTP).

Our payload-based anomaly detection system that is a part of the Autonomic Network Defense (AND) System classifies the network traffic into various objects such as headers, text, images, audio and video. The system consists of three major routines: (i) A sniffer module that collects the normal traffic and stores it in a database, (ii) a model generator routine which uses the collected traffic to model each of the objects mentioned above and (iii) a detector routine which then scans the traffic to see deviations from the normal behavior.

We have implemented various models for http headers. Some of them are:

• Language model: This model is used to profile the byte distribution of the http headers. It helps us in detecting anomalies such as shell code injection as HTTP uses ASCII based headers and presence of code will alter the byte distributions present in the packets.
• Keyword/Value based model: These models divide the headers into "keyword-value" pairs. The standard keywords are specified in the HTTP specification (rfc-2616). The keywords are profiled and the various statistics are generated for the values of these keywords. From these statistics, we build the following models.
  • Average, maximum and mode: The mode, the average length and the maximum length of the value for each keyword are determined during the model building stage. During the detection phase, the profiled values are checked against the real time values and any deviation is flagged.
  • New keywords: HTTP allows users to define new keywords. But the interpretation of the keywords depends on the server and the client. Hence, the presence of any new keywords denotes a deviation from the normal behavior (especially since we profile the normal behavior of the traffic).
  • Keyword ordering: We look at the ordering of keywords in the normal case. The ordering is profiled and any deviation from the normal ordering is flagged. The change in the ordering can be attributed hand crafted packets or buffer overflow attacks.
• Time window based model: Our detection routine works in a time window. The traffic is collected for certain duration, say 10 seconds and then the models are verified. At the same time, the traffic is analyzed over the time window. Any similarity of packets is flagged as it can correspond to scanning or denial of service attack.

Javascript Malware

With the advancement of Web 2.0 and the widespread adoption of AJAX, there has been a substantial increase in Javascript malware. These client side scripts can be used to carry out a variety of web attacks which include monitoring web activities, hijack sessions, crash application programs as well as install other malware such as Trojans and viruses. Online databases such as Bugtraq list more than 500 Javascript vulnerabilities.

A normal anomaly detection system will not be able to detect these attacks, as they are a part of normal text payload. The current systems that try to prevent such attacks include Google's Safe Browsing protocol that lists the sites carrying malware and is implemented in browsers worldwide. There also exist systems that look at monitoring the execution of code and report vulnerabilities when the execution pattern happens to be abnormal. But both these signature-based systems are restricted by their inability to detect novel attacks.

Our approach aims at profiling the bytecode generated by the spidermonkey (of Mozilla) web engine. These bytecodes are profiled for both normal and abnormal case. For generating abnormal traffic, we mine the sites known to carry javascript malware. During the detection phase, attacks are launched with web pages containing javascript malware. The attacks are representative of known javascript malware such as DoS, XSS and hijacking.