DOI: 10.1145/1030083.1030100

Article

Web tap: detecting covert web traffic

Published: 25 October 2004

Abstract

As network security is a growing concern, system administrators lock down their networks by closing inbound ports and only allowing outbound communication over selected protocols such as HTTP. Hackers, in turn, are forced to find ways to communicate with compromised workstations by tunneling through web requests. While several tools attempt to analyze inbound traffic for denial-of-service and other attacks on web servers, Web Tap's focus is on detecting attempts to send significant amounts of information out via HTTP tunnels to rogue Web servers from within an otherwise firewalled network. A related goal of Web Tap is to help detect spyware programs, which often send out personal data to servers using HTTP transactions and may open up security holes in the network. Based on the analysis of HTTP traffic over a training period, we designed filters to help detect anomalies in outbound HTTP traffic using metrics such as request regularity, bandwidth usage, inter-request delay time, and transaction size. Subsequently, Web Tap was evaluated on several available HTTP covert tunneling programs as well as a test backdoor program, which creates a remote shell from outside the network to a protected machine using only outbound HTTP transactions. Web Tap's filters detected all the tunneling programs tested after modest use. Web Tap also analyzed the activity of approximately thirty faculty and students who agreed to use it as a proxy server over a 40 day period. It successfully detected a significant number of spyware and adware programs. This paper presents the design of Web Tap, results from its evaluation, as well as potential limits to Web Tap's capabilities.
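The abstract names four per-host metrics (request regularity, bandwidth usage, inter-request delay time, transaction size) that are trained on benign traffic and then applied to outbound HTTP. The block below is an added illustration of that structure and is not the authors' Web Tap code: the proxy-log format, the constructed training and evaluation logs, the threshold constants, and the way each metric is operationalised (for example, regularity as a low coefficient of variation of the gaps between requests, and inter-request delay as sustained activity with no human-length pause) are this example's own assumptions, not statements about the paper's filters.

```python
"""Outbound-HTTP anomaly filters built around the four metrics named in the
abstract. Added example, not the authors' Web Tap implementation; the log
format, thresholds and sample data below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Request:
    ts: float       # seconds since start of capture
    host: str       # destination host of the outbound request
    out_bytes: int  # bytes sent by the client (headers + body)


# Constructed proxy-log format (assumption): "<ts> <host> <out_bytes>" per line.
TRAIN_LOG = """\
# benign browsing used as the training period
0   news.example 420
3   news.example 380
11  news.example 510
40  news.example 450
95  news.example 390
2   shop.example 600
30  shop.example 1200
75  shop.example 800
"""

DETECT_LOG = """\
# evaluation period: the same kind of browsing plus a process posting every 60 s
0   news.example 400
20  news.example 500
70  news.example 450
""" + "".join(f"{60 * i:<4}c2.example 5000\n" for i in range(12))


def parse_log(text):
    reqs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, nbytes = line.split()
        reqs.append(Request(float(ts), host, int(nbytes)))
    return reqs


def per_host(reqs):
    by = defaultdict(list)
    for r in reqs:
        by[r.host].append(r)
    for rs in by.values():
        rs.sort(key=lambda r: r.ts)
    return by


def host_features(rs):
    """Per-host metrics over a time-sorted list of requests."""
    delays = [b.ts - a.ts for a, b in zip(rs, rs[1:])]
    span = max(rs[-1].ts - rs[0].ts, 1.0)
    total_out = sum(r.out_bytes for r in rs)
    regular = len(delays) >= 2 and mean(delays) > 0
    return {
        "count": len(rs),
        "span": span,
        "max_req_bytes": max(r.out_bytes for r in rs),
        "out_bytes_per_hour": total_out * 3600.0 / span,
        "max_delay": max(delays) if delays else None,
        # coefficient of variation of the gaps: near 0 means clockwork beaconing
        "delay_cv": pstdev(delays) / mean(delays) if regular else None,
    }


@dataclass
class Thresholds:
    max_req_bytes: int             # learned: largest single request seen, with headroom
    max_out_bytes_per_hour: float  # learned: heaviest per-host upload rate seen, with headroom
    min_requests: int = 8          # assumed: timing filters need enough samples
    regular_cv: float = 0.1        # assumed: gaps this uniform are not human browsing
    min_span: float = 600.0        # assumed: window (s) for the sustained-activity check
    max_idle_gap: float = 300.0    # assumed: humans pause longer than this within the window


def train(reqs, headroom=2.0):
    """Derive size and bandwidth thresholds from a benign training period."""
    feats = [host_features(rs) for rs in per_host(reqs).values()]
    return Thresholds(
        max_req_bytes=int(headroom * max(f["max_req_bytes"] for f in feats)),
        max_out_bytes_per_hour=headroom * max(f["out_bytes_per_hour"] for f in feats),
    )


def detect(reqs, th):
    """Return {host: [metric names that fired]} for hosts exceeding the thresholds."""
    alerts = {}
    for host, rs in per_host(reqs).items():
        f = host_features(rs)
        reasons = []
        if f["max_req_bytes"] > th.max_req_bytes:
            reasons.append("transaction-size")
        if f["out_bytes_per_hour"] > th.max_out_bytes_per_hour:
            reasons.append("bandwidth")
        enough = f["count"] >= th.min_requests
        if enough and f["span"] >= th.min_span and f["max_delay"] < th.max_idle_gap:
            reasons.append("inter-request-delay")
        if enough and f["delay_cv"] is not None and f["delay_cv"] < th.regular_cv:
            reasons.append("request-regularity")
        if reasons:
            alerts[host] = reasons
    return alerts


if __name__ == "__main__":
    thresholds = train(parse_log(TRAIN_LOG))
    for host, why in detect(parse_log(DETECT_LOG), thresholds).items():
        print(host, why)
```

On the constructed data only `c2.example` fires, on all four filters; the two browsing hosts stay under the learned size and bandwidth limits and never accumulate enough requests for the timing checks to apply. The headroom factor and the fixed timing constants are the knobs a deployment would tune against its own training period to trade false positives for sensitivity.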




Published In

CCS '04: Proceedings of the 11th ACM conference on Computer and communications security
October 2004
376 pages
ISBN:1581139616
DOI:10.1145/1030083
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. HTTP
  2. anomaly detection
  3. covert channels
  4. intrusion detection
  5. spyware detection
  6. tunnels

Qualifiers

  • Article

Conference

CCS04

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Article Metrics

  • Downloads (Last 12 months)20
  • Downloads (Last 6 weeks)4
Reflects downloads up to 14 Feb 2025

Cited By

  • (2023) Android Malware Detection Based on Static Analysis and Data Mining Techniques: A Systematic Literature Review. Broadband Communications, Networks, and Systems, pp. 51-71. DOI: 10.1007/978-3-031-40467-2_4. Online publication date: 30 Jul 2023.
  • (2022) A Survey of Host-Based Advanced Persistent Threat Detection Technology. Computer Science and Application, 12(01), pp. 233-251. DOI: 10.12677/CSA.2022.121024. Online publication date: 2022.
  • (2022) Convolutional Neural Network Structure to Detect and Localize CTC Using Image Processing. 2022 IEEE International IOT, Electronics and Mechatronics Conference (IEMTRONICS), pp. 1-7. DOI: 10.1109/IEMTRONICS55184.2022.9795734. Online publication date: 1 Jun 2022.
  • (2022) Covert Timing Channels Detection Based on Image Processing Using Deep Learning. Advanced Information Networking and Applications, pp. 546-555. DOI: 10.1007/978-3-030-99619-2_51. Online publication date: 31 Mar 2022.
  • (2021) An Exploit Kits Detection Approach Based on HTTP Message Graph. IEEE Transactions on Information Forensics and Security, 16, pp. 3387-3400. DOI: 10.1109/TIFS.2021.3080082. Online publication date: 2021.
  • (2021) SnapCatch: Automatic Detection of Covert Timing Channels Using Image Processing and Machine Learning. IEEE Access, 9, pp. 177-191. DOI: 10.1109/ACCESS.2020.3046234. Online publication date: 2021.
  • (2021) Decision Theory for Network Security: Active Sensing for Detection and Prevention of Data Exfiltration. Applied Risk Analysis for Guiding Homeland Security Policy, pp. 221-251. DOI: 10.1002/9781119287490.ch9. Online publication date: 28 Jan 2021.
  • (2020) HeadPrint. Proceedings of the 35th Annual ACM Symposium on Applied Computing, pp. 1696-1705. DOI: 10.1145/3341105.3373862. Online publication date: 30 Mar 2020.
  • (2020) Critical Review on Privacy and Security Issues in Data Mining. Emerging Research in Data Engineering Systems and Computer Communications, pp. 217-230. DOI: 10.1007/978-981-15-0135-7_21. Online publication date: 11 Feb 2020.
  • (2019) Counterfeit Fingerprint Detection of Outbound HTTP Traffic with Recurrent Neural Network. 2019 21st International Conference on Advanced Communication Technology (ICACT), pp. 533-538. DOI: 10.23919/ICACT.2019.8701951. Online publication date: Feb 2019.
