Flow-Based Web Application Brute-Force Attack and Compromise Detection

In the early days of network and service management, researchers paid much attention to the design of management frameworks and protocols. Since then, the focus of research has shifted from the development of management technologies towards the analysis of management data. Of the five FCAPS areas, the security of networks and services has become a key challenge. For example, brute-force attacks against Web applications, and the compromises that result from them, are widespread. Discussions with several top-10 Web hosting companies in the Netherlands indicate that these attacks are usually detected by analysing log files on servers, or by deploying host-based intrusion detection systems (IDSs) and firewalls. Such host-based solutions, however, have several problems. In this paper we therefore investigate the feasibility of a network-based monitoring approach that detects brute-force attacks against, and compromises of, Web applications, even in encrypted environments. Our approach is based on per-connection histograms of packet payload sizes in flow data exported using IPFIX. We validate the approach using datasets collected in the production network of a large Web hoster in the Netherlands.
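To make the idea of per-connection payload-size histograms concrete, here is an added example (not the paper's code) that builds such histograms from constructed flow records and labels a client's connections: a run of near-identical histograms is flagged as brute-force, and a connection that breaks the run is flagged as a possible compromise, on the reasoning that a successful login produces a different response-size pattern than the repeated failure page. The bin width, the L1 distance, the thresholds and the sample flows are all assumptions made for this illustration; the abstract does not specify them.

```python
"""Per-connection payload-size histograms with a simple run-based labeller.
Added example, not the paper's implementation: bin width, distance metric,
thresholds and the constructed flow records are assumptions."""
from collections import Counter

BIN_WIDTH = 64  # assumed histogram bin width in bytes


def histogram(payload_sizes):
    """Normalised histogram (bin -> fraction of packets) for one connection."""
    counts = Counter(size // BIN_WIDTH for size in payload_sizes)
    total = sum(counts.values())
    return {b: c / total for b, c in counts.items()}


def l1_distance(h1, h2):
    """L1 distance between two normalised histograms; 0 = identical, 2 = disjoint."""
    return sum(abs(h1.get(b, 0.0) - h2.get(b, 0.0)) for b in set(h1) | set(h2))


def classify_connections(flows, max_dist=0.3, min_similar=3):
    """Label connections in arrival order, tracked per client address.

    A run of >= min_similar connections whose histograms stay within max_dist
    of the first one in the run is labelled 'brute-force'; the connection that
    ends such a run is labelled 'possible-compromise'. Returns [(src, label)].
    """
    state = {}  # client -> (reference histogram of current run, run length)
    labels = []
    for flow in flows:
        h = histogram(flow["sizes"])
        ref, run = state.get(flow["src"], (None, 0))
        if ref is None or l1_distance(ref, h) <= max_dist:
            ref, run = (ref or h), run + 1
            label = "brute-force" if run >= min_similar else "unclassified"
        else:
            label = "possible-compromise" if run >= min_similar else "unclassified"
            ref, run = h, 1
        state[flow["src"]] = (ref, run)
        labels.append((flow["src"], label))
    return labels


# Constructed sample flows (per-packet payload sizes in bytes, both directions).
# 198.51.100.7 repeats a small POST + small failure page, then gets a large response.
SAMPLE_FLOWS = [
    {"src": "198.51.100.7", "sizes": [200, 0, 520, 0]},
    {"src": "203.0.113.5", "sizes": [300, 0, 1460, 1460, 800, 0]},
    {"src": "198.51.100.7", "sizes": [210, 0, 530, 0]},
    {"src": "198.51.100.7", "sizes": [195, 0, 515, 0]},
    {"src": "203.0.113.5", "sizes": [150, 0, 640, 0, 0]},
    {"src": "198.51.100.7", "sizes": [220, 0, 1460, 1460, 1460, 900, 0]},
]
```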