An IDS for browser hijacking


Transcript of An IDS for browser hijacking

Page 1: An IDS for browser hijacking

An IDS for Browser Hijacking

@diogomonica

Page 2: An IDS for browser hijacking

Agenda

- The problem
- Our approach
- The algorithm
- Results
- Conclusions

Page 3: An IDS for browser hijacking

The problem

➔ Detect malicious behavior that does not directly target the user’s browser:

- Unintended participation in botnet C&C [Diogo, WOOT13]
- Browser-based DDoS (GitHub attacks)
- JavaScript scanning (internal network)
- Bitcoin mining (malicious ad networks)

Page 4: An IDS for browser hijacking

The problem

➔ Increased browser capabilities
➔ Users send traffic on the attacker's behalf:

- Malicious command propagation
- DoS traffic

➔ Defusing this threat implies user empowerment

Page 5: An IDS for browser hijacking

Our approach

➔ Trust but verify:

- Browser extension
- Active monitoring of browser behavior
- Per-tab granularity
- Detect suspicious behavior and alert the user
- Don’t block: the user has more context than we do

Page 6: An IDS for browser hijacking

Our approach (per browser tab)

[Figure: real-time browser tab data flows through a sliding window over time; indicators 1, 2, 3 … n are computed from each window and fed to a classifier whose output is either Ok or Attack.]

Page 7: An IDS for browser hijacking

Our approach (per browser tab)

[Figure: classifier output (Ok or Attack) plotted against time (s); the output switches between Ok and Attack as successive windows are classified.]

Page 8: An IDS for browser hijacking

Our approach

The question(s) we proposed to answer:

Q1: Can we use a linear classifier to do the job?

- Simple and fast to compute
- Non-linear classifiers sometimes overfit the training data
- Optimal, if the problem can be construed as linearly separable

Q1a: Can we find a low-cardinality set of internal browser indicators capable of producing a linearly separable problem in the feature space?

Page 9: An IDS for browser hijacking

The algorithm

The choice of indicators:

OBJECTIVES:

1. Obtain a set of indicators which ensures that the problem is linearly separable in the output space and, hence, amenable to linear classifiers.

2. Use as few indicators as possible, to alleviate the computational complexity of the overall algorithm.

CONSTRAINT:

Use only raw data available per tab from the browser.

Page 10: An IDS for browser hijacking

The algorithm

Indicator 1 - Computational effort (sampling period: 1 s)

- The easiest to obtain
- The fractional computational load is integrated throughout the full segment to avoid the influence of load profiling; only the total load for the period pn is, therefore, considered

[Figure: load indicator on a 0 to 1 scale, with low values labelled "Cool" and high values labelled "Humm..."]

Page 11: An IDS for browser hijacking

The algorithm

Indicator 2 - Periodicity

- How do new HTTP requests appear? Randomly? Periodically?

[Figure: two request-arrival patterns, random ("Cool") and periodic ("Humm...")]

Page 12: An IDS for browser hijacking

The algorithm

Indicator 2 - Periodicity

- Kolmogorov-Smirnov test variables
- Sample mean and variance of interarrival times

[Figure: periodicity indicator on a scale starting at 0, with low values labelled "Cool" and high values labelled "Humm..."]

Page 13: An IDS for browser hijacking

The algorithm

Indicator 3 - The sequence of IP addresses on new HTTP requests

- DoS
- Sequential scanning
- Random scanning

[Figure: addressing indicator on a scale starting at 0, with low values labelled "Cool" and high values labelled "Humm..."]
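The three indicators of pages 10 to 13, computed over one 5-second window of a single tab's activity, as an added example that is not code from the talk. The event-log shape, the 0..1 normalisation of the load, the exponential reference distribution used for the Kolmogorov-Smirnov statistic and the thresholds in the addressing-profile rules are assumptions of this example; the indicator names, the 1 s sampling period and the 5 s window come from the slides. The sample tab log is constructed.

```javascript
// Added example, not code from the talk: computing the three per-tab
// indicators of the slides over one 5-second sliding window. The event-log
// shape, the 0..1 normalisation, the exponential reference distribution for
// the KS statistic and the addressing-profile thresholds are assumptions of
// this example; the indicator names, the 1 s sampling period and the 5 s
// window come from the slides.

const WINDOW_MS = 5000;        // the talk's 5-second sliding window
const SAMPLE_PERIOD_MS = 1000; // the talk's 1 s sampling period for load

// Indicator 1: computational effort. The fractional CPU load (0..1) of each
// 1 s sample is summed over the whole window and divided by the number of
// samples, so only the total load of the window matters, not its shape.
function computationalEffort(loadSamples) {
  if (loadSamples.length === 0) return 0;
  return loadSamples.reduce((a, b) => a + b, 0) / loadSamples.length;
}

// Indicator 2: periodicity of new HTTP requests. Returns the sample mean and
// variance of the interarrival times plus a one-sample Kolmogorov-Smirnov
// statistic D against the exponential distribution with the same mean
// (memoryless "random" arrivals). Periodic arrivals give a large D, random
// ones a small D.
function periodicity(requestTimesMs) {
  const t = [...requestTimesMs].sort((a, b) => a - b);
  if (t.length < 2) return { mean: 0, variance: 0, ks: 0 };
  const gaps = t.slice(1).map((v, i) => v - t[i]).sort((a, b) => a - b);
  const n = gaps.length;
  const mean = gaps.reduce((a, g) => a + g, 0) / n;
  const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / n;
  if (mean === 0) return { mean, variance, ks: 1 }; // all requests at once
  let ks = 0;
  for (let i = 0; i < n; i++) {
    const f = 1 - Math.exp(-gaps[i] / mean); // exponential CDF at this gap
    // the empirical CDF steps from i/n to (i+1)/n at gaps[i]
    ks = Math.max(ks, Math.abs((i + 1) / n - f), Math.abs(f - i / n));
  }
  return { mean, variance, ks };
}

function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

// Indicator 3: addressing profile of the destination IPs of new requests.
// A DoS hits one target many times (low distinctRatio); sequential scanning
// steps through consecutive addresses (high sequentialRatio); random
// scanning touches many distinct, non-consecutive addresses.
function addressingProfile(ips) {
  const total = ips.length;
  if (total === 0) return { distinctRatio: 0, sequentialRatio: 0, profile: 'normal' };
  const distinctRatio = new Set(ips).size / total;
  let sequentialPairs = 0;
  for (let i = 1; i < total; i++) {
    if (ipToInt(ips[i]) - ipToInt(ips[i - 1]) === 1) sequentialPairs++;
  }
  const sequentialRatio = total > 1 ? sequentialPairs / (total - 1) : 0;
  let profile = 'normal';
  if (total >= 10 && distinctRatio <= 0.2) profile = 'dos';
  else if (sequentialRatio >= 0.5) profile = 'sequential';
  else if (total >= 10 && distinctRatio >= 0.8) profile = 'random';
  return { distinctRatio, sequentialRatio, profile };
}

// One tab's log (assumed shape): 1 s load samples and new requests, each
// stamped with a time in ms. Only the last WINDOW_MS before nowMs are used.
function windowIndicators(tabLog, nowMs) {
  const start = nowMs - WINDOW_MS;
  const inWindow = (e) => e.t > start && e.t <= nowMs;
  const loads = tabLog.loads.filter(inWindow).map((s) => s.load);
  const reqs = tabLog.requests.filter(inWindow);
  return {
    effort: computationalEffort(loads),
    periodicity: periodicity(reqs.map((r) => r.t)),
    addressing: addressingProfile(reqs.map((r) => r.ip)),
  };
}

// Constructed sample: a tab firing one request every 500 ms at consecutive
// addresses (a periodic sequential scan) while its load stays moderate.
const SCAN_TAB_LOG = {
  loads: [1, 2, 3, 4, 5].map((k) => ({ t: k * SAMPLE_PERIOD_MS, load: 0.4 })),
  requests: Array.from({ length: 10 }, (_, i) => ({ t: 500 * (i + 1), ip: `10.0.0.${i + 1}` })),
};

console.log(JSON.stringify(windowIndicators(SCAN_TAB_LOG, 5000)));
```

For the constructed scan log the window yields an effort of 0.4, a mean interarrival time of 500 ms with zero variance, a KS statistic near 0.63 (far from the exponential reference) and the profile "sequential"; an irregular request stream gives a much smaller KS value, which is what the classifier on page 14 is meant to separate.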

Page 14: An IDS for browser hijacking

The algorithm (per browser tab)

[Figure: real-time browser tab data passes through a 5-second sliding window over time; the three indicators computed from each window (computational effort, periodicity, addressing profile) feed a simple perceptron whose output is Ok or Attack.]

Page 15: An IDS for browser hijacking

The algorithm

Why did we opt for a simple perceptron?

1. It is a linear classifier and, for the purpose at hand in this “proof of concept” phase, it is as good as any other.
2. Easy training.
3. Good performance, given a proper training set.

Page 16: An IDS for browser hijacking

Results

- 50 multi-tab browser sessions were logged.
- From these sessions, 450 five-second periods were extracted, to be used as the training set (D):
  - 150 correspond to regular browser use;
  - 150 to a simulated DoS attack;
  - 150 to forced random scanning periods.
- 50 other periods were obtained, to be used as the test set.
- The three indicators x1, x2 and x3 for the 450 training periods were fed to the perceptron for supervised training; 100 iterations (epochs) were used in training, with a learning factor α = 0.1; the perceptron weights w were randomly initialized.
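The perceptron of pages 15 and 16, trained with the stated learning factor α = 0.1 for up to 100 epochs from randomly initialized weights, as an added example that is not code from the talk. The talk's 450 real periods are not available, so the training set below is constructed; the seeded pseudo-random generator used for the weight initialization and the function names are assumptions of this example.

```javascript
// Added example, not code from the talk: training the simple perceptron of
// pages 15 and 16 on per-period indicator vectors and using it as the
// Ok/Attack decision. The training set is constructed (the talk's 450 real
// periods are not available); the seeded PRNG for the "random" weight
// initialisation and the function names are assumptions. The learning
// factor alpha = 0.1 and the 100 epochs come from the slides.

const ALPHA = 0.1;  // learning factor from the talk
const EPOCHS = 100; // training iterations from the talk

// Small seeded linear congruential generator so the random initialisation
// is reproducible (assumption of this example).
function makeRng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return s / 4294967296;
  };
}

// Each period is x = [x1, x2, x3] = [computational effort, periodicity,
// addressing profile], scaled to 0..1; y = 0 means Ok, y = 1 means Attack.
const TRAINING_SET = [
  // regular browsing: low load, irregular requests, few repeated targets
  { x: [0.10, 0.15, 0.05], y: 0 },
  { x: [0.25, 0.20, 0.10], y: 0 },
  { x: [0.05, 0.30, 0.00], y: 0 },
  { x: [0.30, 0.10, 0.15], y: 0 },
  { x: [0.15, 0.25, 0.10], y: 0 },
  { x: [0.20, 0.05, 0.20], y: 0 },
  // simulated DoS: high load, periodic requests, one target
  { x: [0.90, 0.70, 0.95], y: 1 },
  { x: [0.85, 0.80, 0.90], y: 1 },
  { x: [0.95, 0.65, 1.00], y: 1 },
  // forced random scanning: moderate load, periodic requests, many targets
  { x: [0.50, 0.75, 0.85], y: 1 },
  { x: [0.45, 0.85, 0.90], y: 1 },
  { x: [0.55, 0.70, 0.80], y: 1 },
];

// Perceptron output: 1 (Attack) when w . x + b > 0, otherwise 0 (Ok).
function predict(w, b, x) {
  const s = x.reduce((acc, xi, i) => acc + w[i] * xi, b);
  return s > 0 ? 1 : 0;
}

// Supervised training with the classic perceptron update rule. Training
// stops early once a full epoch produces no errors, which is only possible
// when the training set is linearly separable.
function trainPerceptron(data, { seed = 7, alpha = ALPHA, epochs = EPOCHS } = {}) {
  const rng = makeRng(seed);
  const dim = data[0].x.length;
  let w = Array.from({ length: dim }, () => rng() * 0.2 - 0.1);
  let b = rng() * 0.2 - 0.1;
  let epochsRun = 0;
  for (let e = 0; e < epochs; e++) {
    epochsRun = e + 1;
    let errors = 0;
    for (const { x, y } of data) {
      const err = y - predict(w, b, x); // -1, 0 or +1
      if (err !== 0) {
        errors++;
        w = w.map((wi, i) => wi + alpha * err * x[i]);
        b += alpha * err;
      }
    }
    if (errors === 0) break;
  }
  return { w, b, epochsRun };
}

// Number of misclassified periods in a set (0 on the training set means the
// set was linearly separable, as the talk concludes from its own results).
function countErrors(model, data) {
  return data.filter(({ x, y }) => predict(model.w, model.b, x) !== y).length;
}

// What the extension would surface to the user for one window: a label to
// alert on, not a block (the talk leaves the decision to the user).
function decide(model, x) {
  return predict(model.w, model.b, x) === 1 ? 'Attack' : 'Ok';
}

const MODEL = trainPerceptron(TRAINING_SET);
console.log(`training errors: ${countErrors(MODEL, TRAINING_SET)} after ${MODEL.epochsRun} epochs`);
console.log(decide(MODEL, [0.475, 0.80, 0.875])); // a scan-like test period
```

Because the constructed classes are separable by a plane, the update rule reaches zero training errors well within 100 epochs; held-out periods taken as midpoints of two training periods of the same class are then classified like their neighbours, which mirrors the zero-error result on the talk's 50 test periods.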

Page 17: An IDS for browser hijacking

Results

- 450 training periods: 0 classification errors in the training set. This indicates that the training set was, in fact, linearly separable.
- 50 test periods: classification was also 100% successful, with no misclassifications.

Page 18: An IDS for browser hijacking

Conclusions

Even though the number of examples used in this paper is limited, and no real-life attacks have been used, the obtained results seem to indicate that:

- It is possible to detect the type of attacks in the proposed setup using only information available to the user’s browser.
- It is implementable as a browser extension and can thus empower users, allowing them to autonomously detect and prevent the hijacking of their browser.
- It is possible to devise a small set of indicators which allow the use of a simple linear classifier, implementable by simple, lightweight browser extensions.

Page 19: An IDS for browser hijacking

Thank you

@diogomonica