Flow-Based Web Application Brute-Force Attack and Compromise Detection

Published: 01 October 2017

Abstract

In the early days of network and service management, researchers paid much attention to the design of management frameworks and protocols. Since then, the focus of research has shifted from the development of management technologies towards the analysis of management data. Of the five FCAPS areas, security of networks and services has become a key challenge. For example, brute-force attacks against Web applications, and the compromises that result from them, are widespread. Discussions with several top-10 Web hosting companies in the Netherlands indicate that these attacks are typically detected by analysing log files on the servers, or by deploying host-based intrusion detection systems (IDSs) and firewalls. Such host-based solutions, however, have several problems. In this paper we therefore investigate the feasibility of a network-based monitoring approach that detects brute-force attacks against, and compromises of, Web applications, even in encrypted environments. Our approach is based on per-connection histograms of packet payload sizes in flow data exported using IPFIX. We validate the approach using datasets collected in the production network of a large Web hoster in the Netherlands.
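The abstract only states the core idea: build a histogram of packet payload sizes per connection from flow data, and use those histograms to spot brute-force attempts and a subsequent compromise. The block below is an added illustration of that idea in Python; it is not the paper's code and does not reproduce its exact detection rules. It assumes each flow record already carries the per-packet payload sizes of its connection (an assumption: standard IPFIX exporters do not emit such a field, so a custom exporter or template is needed), uses illustrative bin edges, and treats two things as signals: a long run of connections between one client and one server whose histograms are near-identical (repeated login attempts look alike on the wire, with or without TLS), and a later connection from the same client whose histogram departs from that run (a heuristic for "the login finally worked and the session changed shape"). The sample flows and IP addresses are constructed for the example.

```python
"""Per-connection payload-size histograms over flow records (added illustration).

Constructed sample data; not the paper's dataset or code. Assumes each flow
record carries the per-packet payload sizes of its connection, which standard
IPFIX exporters do not provide by default.
"""
from collections import defaultdict

# Lower edges of the payload-size bins in bytes; the last bin is open-ended.
# Chosen for illustration only.
BIN_EDGES = (0, 64, 128, 256, 512, 1024, 1500)


def histogram(payload_sizes):
    """Normalised histogram of payload sizes over BIN_EDGES."""
    counts = [0] * len(BIN_EDGES)
    for size in payload_sizes:
        idx = 0
        for i, edge in enumerate(BIN_EDGES):
            if size >= edge:
                idx = i
        counts[idx] += 1
    total = sum(counts) or 1
    return tuple(c / total for c in counts)


def distance(h1, h2):
    """L1 distance between two normalised histograms: 0 (identical) to 2 (disjoint)."""
    return sum(abs(a - b) for a, b in zip(h1, h2))


def detect(flows, min_flows=5, max_dist=0.2):
    """Flag brute-force runs and compromise candidates per (src, dst) pair.

    A run of at least `min_flows` consecutive connections whose histograms
    stay within `max_dist` of the run's first histogram is reported as
    brute force. The first connection after such a run that differs from it
    is reported as a compromise candidate (a heuristic, not the paper's rule).
    """
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f)

    alerts = []
    for (src, dst), recs in by_pair.items():
        recs.sort(key=lambda r: r["start"])
        hists = [histogram(r["sizes"]) for r in recs]
        i = 0
        while i < len(hists):
            ref = hists[i]
            j = i
            while j < len(hists) and distance(hists[j], ref) <= max_dist:
                j += 1
            if j - i >= min_flows:
                alerts.append(("brute-force", src, dst, j - i))
                if j < len(hists):
                    alerts.append(("compromise-candidate", src, dst, recs[j]["start"]))
                i = j
            else:
                i += 1
    return alerts


# Constructed flows. ATTACKER sends eight near-identical login attempts
# (small request, mid-sized error page), then one connection that looks
# different (larger responses, as after a successful login). BENIGN sends
# two ordinary page loads.
ATTACKER, BENIGN, SERVER = "203.0.113.5", "192.0.2.7", "198.51.100.10"
SAMPLE_FLOWS = [
    {"src": ATTACKER, "dst": SERVER, "start": t, "sizes": [200 + t, 950, 180, 410 - t]}
    for t in range(8)
] + [
    {"src": ATTACKER, "dst": SERVER, "start": 8,
     "sizes": [200, 950, 180, 410, 1400, 1400, 1400, 1400, 800]},
    {"src": BENIGN, "dst": SERVER, "start": 0, "sizes": [300, 1400, 1400, 1400, 1400, 600]},
    {"src": BENIGN, "dst": SERVER, "start": 3, "sizes": [120, 1400, 900]},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

Two practical caveats: the bin edges and thresholds here are placeholders, and a real deployment has to tune them against the hoster's own baseline traffic; and because the signal is the size pattern rather than the payload, TLS does not hide it, which is what makes a network-based approach viable where log analysis on the server is not available.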



Published In

Journal of Network and Systems Management, Volume 25, Issue 4, October 2017 (233 pages)
Publisher: Plenum Press, United States


Author Tags

1. Compromise detection
2. Flow monitoring
3. IPFIX
4. Intrusion detection
5. Web


Cited By

• NetTiSA. Computer Networks 240:C (2024). doi:10.1016/j.comnet.2023.110147. Online publication date: 1 Feb 2024
• Secure Socket Shell Bruteforce Attack Detection With Petri Net Modeling. IEEE Transactions on Network and Service Management 20(1), 697-710 (2023). doi:10.1109/TNSM.2022.3212591. Online publication date: 1 Mar 2023
• State-of-the-art session key generation on priority-based adaptive neural machine (PANM) in telemedicine. Neural Computing and Applications 35(13), 9517-9533 (2023). doi:10.1007/s00521-022-08169-2. Online publication date: 22 Mar 2023
• URLdeepDetect: A Deep Learning Approach for Detecting Malicious URLs Using Semantic Vector Models. Journal of Network and Systems Management 29(3) (2021). doi:10.1007/s10922-021-09587-8. Online publication date: 1 Jul 2021
• A Frontier: Dependable, Reliable and Secure Machine Learning for Network/System Management. Journal of Network and Systems Management 28(4), 827-849 (2020). doi:10.1007/s10922-020-09512-5. Online publication date: 30 Jan 2020
