Fit Presentation 2011


  • 8/3/2019 Fit Presentation 2011

    Rana Faisal Munir, Nabeel Ahmed, Abdul Razzaq, Ali Hur, Farooq Ahmad

    Detect HTTP Specification Attacks using Ontology

    School of Electrical Engineering and Computer Science (SEECS),

    National University of Sciences and Technology (NUST),

    Islamabad, Pakistan


    Agenda

    Introduction

    HTTP Protocol

    Attacks

    HTTP request smuggling

    HTTP response splitting

    Overview

    Existing Solutions

    Proposed Solution

    A Closer Look

    Data Set and Evaluation

    Limitations

    The End


    HTTP

    HTTP messages have two types

    Request

    Response

    HTTP Request

    Sending the client request to the web server

    HTTP Response

    Sending the response from the web server back to the client


    HTTP Request

    HTTP Request Format

    Start Line

    Method URI Version

    Headers

    Body [Options]


    HTTP Response

    HTTP Response Format

    Status Line

    Version StatusCode StatusPhrase

    Headers

    Body


    HTTP

    * http://www.tcpipguide.com/free/t_HTTPResponseMessageFormat.htm


    HTTP request smuggling

    Encapsulates multiple requests into one

    To bypass the web application firewall


    HTTP response splitting

    Submit a value that also contains the malicious response within it

    Server generates two responses: one for the normal request and a second as the attacker desires


    Existing Solutions

    Signature based solutions

    Snort and ModSecurity

    Protocol analysis in intrusion detection using decision tree (2004)

    Grammar based solution

    Context based application level intrusion detection (2006)

    Ontology based solution

    Ontology based application level intrusion detection system by using Bayesian filter (2009)


    Proposed Solution


    HTTP Ontology


    Semantic Rules

    # Response splitting: a request that carries a response header is flagged.
    [responsesplitting1:
        (?r rdf:type Request), (?h rdf:type ResponseHeader), (?r ex:hasHeader ?h)
        -> (?r rdf:type MaliciousRequest)]

    # Malformed: a GET request that contains a payload is flagged.
    [malformed1:
        (?r rdf:type HTTP-Request), (?p rdf:type Payload), (?g rdf:type GET),
        (?r ex:hasMethodType ?g), (?r contain ?p)
        -> (?r rdf:type MaliciousRequest)]


    Semantic Rules

    # Malformed: a GET request that contains entity headers is flagged.
    [malformed2:
        (?r rdf:type HTTP-Request), (?e rdf:type Entity), (?g rdf:type GET),
        (?r ex:hasMethodType ?g), (?r containHeaders ?e)
        -> (?r rdf:type MaliciousRequest)]

    # Malformed: a HEAD request that contains a payload is flagged.
    [malformed3:
        (?r rdf:type HTTP-Request), (?p rdf:type Payload), (?h rdf:type HEAD),
        (?r ex:hasMethodType ?h), (?r contain ?p)
        -> (?r rdf:type MaliciousRequest)]
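
    The conditions of the four rules above, restated in plain Python and run over constructed requests. This is an added example, not the authors' ontology or rule engine. The RESPONSE_HEADERS and ENTITY_HEADERS sets (taken from RFC 2616 sections 6.2 and 7.1), the function names and the sample requests are assumptions; the slides do not list the members of the ResponseHeader and Entity classes.

```python
# Added example: plain-Python restatement of the slide rules (not the authors' code).
# Assumption: class membership follows RFC 2616 sec. 6.2 (response-header)
# and sec. 7.1 (entity-header); the slides do not list the ontology's members.
RESPONSE_HEADERS = {"accept-ranges", "age", "etag", "location", "proxy-authenticate",
                    "retry-after", "server", "vary", "www-authenticate"}
ENTITY_HEADERS = {"allow", "content-encoding", "content-language", "content-length",
                  "content-location", "content-md5", "content-range", "content-type",
                  "expires", "last-modified"}

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, lower-cased header names, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("start line is not 'Method URI Version'")
    names = [l.split(":", 1)[0].strip().lower() for l in lines[1:] if ":" in l]
    return parts[0], names, body

def classify(raw: bytes):
    """Return the names of the slide rules whose conditions the request satisfies."""
    method, names, body = parse_request(raw)
    fired = []
    if any(n in RESPONSE_HEADERS for n in names):    # request carries a response header
        fired.append("responsesplitting1")
    if method == "GET" and body:                     # GET with a payload
        fired.append("malformed1")
    if method == "GET" and any(n in ENTITY_HEADERS for n in names):  # GET with entity headers
        fired.append("malformed2")
    if method == "HEAD" and body:                    # HEAD with a payload
        fired.append("malformed3")
    return fired

# Constructed sample requests (host names and paths are made up).
SAMPLES = {
    "normal_get": b"GET /students?id=7 HTTP/1.1\r\nHost: sis.example\r\n\r\n",
    "normal_post": b"POST /students HTTP/1.1\r\nHost: sis.example\r\n"
                   b"Content-Type: application/x-www-form-urlencoded\r\n"
                   b"Content-Length: 4\r\n\r\nid=7",
    "get_with_body": b"GET /students HTTP/1.1\r\nHost: sis.example\r\n"
                     b"Content-Length: 5\r\n\r\nid=42",
    "head_with_body": b"HEAD /view HTTP/1.1\r\nHost: sis.example\r\n\r\nx=1",
    "response_header": b"GET /view HTTP/1.1\r\nHost: sis.example\r\n"
                       b"Location: http://other.example/\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {classify(raw) or 'no rule fired'}")
```

    A POST with Content-Type and Content-Length fires no rule, because the entity-header and payload conditions are tied to the GET and HEAD method types.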


    Data Set

    We gather the data set from a real-world application used to store and view student information; this system is known as System Information System

    We gather normal requests and also malicious requests that we generate using different tools to make a good dataset


    Evaluation Results

    Attack Name         Total Requests   Total Normal Requests   False Alarm Rate   False Positive
    Response Splitting  1000             700                     0.1428             1
    Request Smuggling   900              850                     0.2852             2
    Malformed           900              800                     0.25               2

    Detection Rate = [(TA-FN)/TA]*100

    False Alarm Rate = [FP/TN]*100


    Limitations

    Performance

    Load time

    Request time out


    Questions? Thank You