An IDS for browser hijacking

Post on 15-Apr-2017


An IDS for Browser Hijacking

@diogomonica

Agenda

- The problem
- Our approach
- The algorithm
- Results
- Conclusions

The problem

➔ Detect malicious behavior that does not directly target the user’s browser:

- Unintended participation in botnet C&C [Diogo, WOOT13]
- Browser-based DDoS (GitHub attacks)
- JavaScript scanning (internal network)
- Bitcoin mining (malicious ad networks)

The problem

➔ Increased browser capabilities
➔ Users send traffic on the attacker's behalf

- Malicious command propagation
- DoS traffic

➔ Defusing this threat implies user empowerment

Our approach

➔ Trust but verify

- Browser extension
- Active monitoring of browser behavior
- Per-tab granularity
- Detect suspicious behavior and alert the user
- Don’t block: the user has more context than we do

Our approach (per browser tab)

[Diagram: real-time browser tab data passes through a sliding window over time; indicators 1, 2, 3 ... n are computed on each window and fed to a classifier, whose output per window is plotted against time (s) as Ok or Attack.]

Our approach (per browser tab)

Q1: Can we use a linear classifier to do the job?

- Simple and fast to compute
- Non-linear classifiers sometimes overfit the training data
- Optimal, if the problem can be construed as linearly separable

Our approach

The question(s) we proposed to answer:

Q1a: Can we find a low cardinality set of internal browser indicators capable of producing a linearly separable problem in the feature space?

The algorithm

OBJECTIVES:

1. Obtain a set of indicators which ensures that the problem is linearly separable in the output space, and, hence, amenable to linear classifiers.

2. Use as few indicators as possible, to alleviate the computational complexity of the overall algorithm.

CONSTRAINT:

Use only raw data available per-tab from the browser.

The choice of indicators:

The algorithm: Indicator 1 - Computational effort (sampling period: 1 s)

- The easiest to obtain
- The fractional computational load is integrated throughout the full segment to avoid the influence of load profiling; only the total load for the period pn is, therefore, considered

[Plot: total load for the period on a 0 to 1 scale, annotated "Cool" at the low end and "Humm..." at the high end.]

The algorithm: Indicator 2 - Periodicity

- How do new HTTP requests appear? Randomly? Periodically?

[Plot: example request arrival patterns, annotated "Cool" and "Humm...".]

The algorithm: Indicator 2 - Periodicity

Kolmogorov-Smirnov test variables: sample mean and variance of interarrival times

[Plot: indicator value starting at 0, annotated "Cool" and "Humm...".]

The algorithm: Indicator 3 - The sequence of IP addresses on new HTTP requests

[Plot: destination address sequences starting at 0, annotated "Cool" and "Humm...".]

- DoS
- Sequential scanning
- Random scanning

The algorithm (per browser tab)

[Diagram: real-time browser tab data passes through a 5-s sliding window over time; the three indicators (computational effort, periodicity, addressing profile) feed a simple perceptron whose output is Ok or Attack.]

Why did we opt for a simple perceptron?

1. It’s one linear classifier and, for the purpose in hand in this “proof of concept” phase, it is as good as any other.
2. Easy training;
3. Good performance, given a proper training set;

Results

- 50 multi-tab browser sessions were logged.
- From these sessions, 450 five-second periods were extracted, to be used as training set (D):
  - 150 correspond to regular browser use;
  - 150 to a simulated DoS attack;
  - 150 to forced random scanning periods;
- 50 other periods were obtained, to be used as a test set.
- The three indicators x1, x2, and x3 for the 450 training periods were fed to the perceptron for supervised training; 100 iterations (epochs) were used in training, with a learning factor α = 0.1; the perceptron weights w were randomly initialized.

Results

- 450 training periods: 0 classification errors in the training set. This indicates that the training set was, in fact, linearly separable.
- 50 test periods: classification was also 100% successful, with no misclassifications.
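The per-tab pipeline from the algorithm and results slides, as an added example that is not the authors' extension code: three indicators computed over a 5-s window and a simple perceptron trained as described (up to 100 epochs, learning factor 0.1). The indicator formulas, the fixed initial weights and the sample windows are my own assumptions; the slides state the intent of each indicator, not an exact definition.

```javascript
// Added example, not the authors' extension code. The indicator formulas are my own
// simplifications (assumption); the slides state their intent, not exact definitions.

// Coefficient of variation of request interarrival times (0 for a periodic source).
function interarrivalCv(times) {
  if (times.length < 3) return 1;               // too few requests: treat as random
  const gaps = times.slice(1).map((t, i) => t - times[i]);
  const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
  const vari = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
  return mean > 0 ? Math.sqrt(vari) / mean : 0;
}
// One 5-s window {loads: 1-s fractional CPU samples, requests: [{t, ip}]} -> [x1, x2, x3]:
// x1 total load over the window, x2 periodicity (1 = evenly spaced requests),
// x3 addressing profile = distinct destination IPs / requests (DoS ~0, random scan ~1).
function indicators(win) {
  const x1 = win.loads.reduce((a, b) => a + b, 0) / win.loads.length;
  const x2 = 1 / (1 + interarrivalCv(win.requests.map(r => r.t)));
  const ips = new Set(win.requests.map(r => r.ip));
  const x3 = win.requests.length ? ips.size / win.requests.length : 0;
  return [x1, x2, x3];
}
// Perceptron with bias term w[3]; output +1 = attack, -1 = ok.
function classify(w, x) {
  return w[0] * x[0] + w[1] * x[1] + w[2] * x[2] + w[3] > 0 ? 1 : -1;
}
function countErrors(w, samples) {
  return samples.filter(s => classify(w, s.x) !== s.y).length;
}
// Supervised training as on the slides: up to 100 epochs, learning factor 0.1.
function trainPerceptron(samples, epochs = 100, alpha = 0.1) {
  let w = [0.01, -0.02, 0.03, 0];              // fixed "random" init for reproducibility
  for (let e = 0; e < epochs && countErrors(w, samples) > 0; e++) {
    for (const { x, y } of samples) {
      if (classify(w, x) !== y) w = w.map((wi, i) => wi + alpha * y * (i < 3 ? x[i] : 1));
    }
  }
  return w;
}
// Constructed windows (sample data, not the authors' logs): y = +1 attack, -1 ok.
const req = (t, ip) => ({ t, ip });
const WINDOWS = {
  normal: { y: -1, loads: [0.05, 0.1, 0.08, 0.05, 0.12], requests: [req(0.1, '10.0.0.5'),
    req(0.15, '10.0.0.5'), req(0.9, '10.0.0.7'), req(2.6, '10.0.0.5'), req(4.3, '10.0.0.9')] },
  dos: { y: 1, loads: [0.7, 0.8, 0.75, 0.8, 0.7],           // one target, 10 req/s
    requests: Array.from({ length: 50 }, (_, i) => req(i * 0.1, '10.0.0.1')) },
  scan: { y: 1, loads: [0.3, 0.35, 0.3, 0.3, 0.35],         // 50 distinct hosts, 10 req/s
    requests: Array.from({ length: 50 }, (_, i) => req(i * 0.1, `192.168.1.${(i * 37) % 254 + 1}`)) },
};
const TRAIN = Object.values(WINDOWS).map(w => ({ x: indicators(w), y: w.y }));
const W = trainPerceptron(TRAIN);   // zero training errors on these three windows
```

With these windows the perceptron converges in two epochs; as on the slides, zero training errors is the check that the chosen indicators made the set linearly separable.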

Conclusions

Even though the number of examples used in this paper is limited, and no real-life attacks have been used, the obtained results seem to indicate that:

- It is possible to detect the type of attacks in the proposed setup using only information available to the user’s browser.

- It is implementable as a browser extension, and it can, thus, empower users, allowing them to autonomously detect and prevent the hijack of their browser.

- It is possible to devise a small set of indicators which allow the use of a simple linear classifier, implementable by simple, lightweight browser extensions.

Thank you

@diogomonica