intrusion detection-

Post on 14-Jun-2015




1. Client-Side defense against web-based identity theft

  • Presented by: Mikin Macwan
  • Special Topics in Operating Systems and Distributed Storage

2. Typical Phishing Characteristics

  • Link as seen by user
  • Scam email

3. Typical Phishing Characteristics

  • Confidential information
  • Honest image

4. Typical Phishing Characteristics: Summary

  • Email title: "to users of eBay!"
  • Scam target: eBay users
  • Email format: An HTML mail with only a single picture in it, linking to the phish site
  • Sender: [email_address]
  • Sender spoofed? No
  • Scam call to action: "we could't verify your current information...your access to bid or buy on eBay has been restricted"
  • Scam goal: Getting the victim's eBay, credit card and ATM PIN information
  • Call to action format: URL link
  • Visible link:
  • Called link: http://%61%77%63%67%69%2E%69%6E%66%6F/%69%6E%64%65%78%2E%68%74%6D
  • Resolved site: http://ebaycom.%70%65%2e%6b%67/
  • Site URL decodes

5. Terminology

  • Spoof site: a site or page which is a malicious copy of some legitimate web page
  • Attacker: the person or organization who sets up the spoof site
  • Honest site or honest page: the legitimate site or page that is being spoofed
  • Spoof index: a measure of the likelihood that a specific page is part of a spoof attack

6. Proposed Solutions

  • Proposed Solutions to detect spoof pages from honest pages [1]
    • Scoring
      • Described in the next slide
    • Stateless page Evaluation
      • Includes tests conducted on the current web page only
    • Stateful page evaluation
      • The browser history file and additional history stored by SpoofGuard are used to evaluate the referring page
      • No warnings are issued for visiting a site that is already in the user's history file
    • Evaluating post data
      • User input is intercepted by SpoofGuard and the HTML post data is checked
      • The actual client data post is allowed to proceed only if the spoof index is below the user-specific threshold for posts
      • Stateful and stateless page checks are combined with the analysis of the post data to determine the spoof index associated with the web page

7. Solutions: Scoring

  • Input
    • Downloaded web page
    • Existing browser state
  • Apply
    • Tests T1, T2, ..., Tn
    • Each test Ti produces a number Pi
    • Pi is in the range [0,1] (Pi = 1: spoof page, Pi = 0: honest page)
    • Combine the test results to generate a Total Spoof Score
  • Product Pi*Pj*Pk
    • Considers combinations of events and determines the likelihood of a page being a spoof
    • Example: Consider the following condition
      • Presence of company logo on unauthorized page AND
      • Presence of password and credit card fields

8. Solutions: Stateless page evaluation (1/2)

  • URL check
    • Attackers can produce misleading URLs
    • Consider the following URL
      • http:// dont-care @
      • The text between http:// and @ (shown in blue on the slide) is ignored by the browser; everything between http:// and @ is irrelevant
      • The text after @ (shown in red on the slide) is the relevant part: it is the host that is actually visited
  • Image check
    • Spoof sites contain images taken from the honest site
    • Honest-site images used on phish sites give unsuspecting users the impression that they are communicating with the honest site itself
    • The SpoofGuard plug-in is supplied with a database of images and their associated domains
    • When the browser downloads a login page, all images on the page are compared to the images stored in the SpoofGuard database
    • The spoof score is increased if a match is found but the page's domain is not the valid one for that image

9. Solutions: Stateless page evaluation (2/2)

  • Link check
    • All links within a page are examined
    • Link check fails for a page if at least one fourth of the links fail the URL check described above
  • Password check
    • A page is considered suspicious if it asks the user to enter a password
    • Also checks whether HTTPS is being used and, if so, whether the certificate check succeeded or failed
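
The URL, link and password checks of slides 8 and 9, as an added Python example (not the deck's or SpoofGuard's own code): each check is written as a 0/1 test over a constructed spoof login page; the sample URL, hostnames and HTML are made up for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

def real_host(url):
    """Host the browser actually connects to: after any '@', percent-decoded."""
    return unquote(urlsplit(url).hostname or "")

def url_check(url):
    """Stateless URL test: True when the URL is written to mislead the reader.
    Flags user-info before '@' (the browser ignores everything between 'http://'
    and '@') and percent-encoded hostnames like the '%61%77...' scam-email link."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return "@" in parts.netloc or unquote(host) != host

def link_check(links):
    """Link test: fails when at least one fourth of the links fail url_check."""
    if not links:
        return False
    return 4 * sum(1 for link in links if url_check(link)) >= len(links)

class _PageScanner(HTMLParser):
    """Collects hrefs and notes whether the page asks for a password."""
    def __init__(self):
        super().__init__()
        self.links, self.asks_password = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.asks_password = True

def stateless_evaluation(page_url, html):
    """Run the stateless tests on one downloaded page; each result is a 0/1 P_i."""
    scanner = _PageScanner()
    scanner.feed(html)
    return {
        "url_check": int(url_check(page_url)),
        "link_check": int(link_check(scanner.links)),
        "password_check": int(scanner.asks_password),
        "no_https": int(urlsplit(page_url).scheme != "https"),
    }

# Constructed sample: a spoof login page reached through an '@'-trick URL.
SPOOF_URL = "http://www.example-bank.test@203.0.113.10/login"
SPOOF_HTML = """<html><body><img src="logo.png">
<a href="http://www.example-bank.test@203.0.113.10/help">Help</a>
<a href="http://%65%78%61%6d%70%6c%65.test/terms">Terms</a>
<a href="https://www.example-bank.test/contact">Contact</a>
<form method="post"><input name="user"><input type="password" name="pw"></form>
</body></html>"""
```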

10. Solutions: Stateful page evaluation (1/1)

  • Domain check
    • SpoofGuard currently compares domains by Hamming (edit) distance
    • Example
      • considered as a spoof domain name
      • considered as a legitimate domain name
      • Hamming distance -> ONE
    • Another example
      • is a legitimate domain name
      • is flagged by SpoofGuard as a spoof page
    • Caveat
      • Web pages outsourced to contractors with different domain names
      • Leads to false alarms in the current version of SpoofGuard
  • Referring Page
    • Browser maintains a record of the referring page.
    • Since a typical web spoofing attack begins with an E-mail message, a referring page from a web site where the user may have been reading e-mail raises suspicion levels
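
Slide 10's domain and referring-page tests, as an added Python example (not SpoofGuard's code): a look-alike domain is found by edit distance against the history domains, and the referrer is looked up in the e-mail site list from slide 13. The history entries, hostnames and the distance threshold of one are assumptions.

```python
from urllib.parse import urlsplit

def edit_distance(a, b):
    """Levenshtein distance. The slide says Hamming (edit) distance; Levenshtein
    is used here so that domains of different length can be compared too."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_check(domain, history_domains, max_distance=1):
    """Stateful domain test. A domain already in the history is never warned
    about; a domain that is not, but lies within max_distance edits of one
    that is, gets flagged and the look-alike history entry is returned."""
    domain = domain.lower()
    if domain in history_domains:
        return None
    for known in sorted(history_domains):
        if edit_distance(domain, known) <= max_distance:
            return known
    return None

def referrer_check(referrer, webmail_hosts):
    """Stateful referring-page test: a typical spoof attack starts with an
    e-mail, so arriving from a known webmail host raises suspicion."""
    return (urlsplit(referrer).hostname or "").lower() in webmail_hosts

# Constructed sample state: domains from the browser history and the read-only
# list of e-mail site hostnames kept by the plug-in.
HISTORY_DOMAINS = {"www.example-bank.test", "www.example-shop.test",
                   "mail.example-webmail.test"}
WEBMAIL_HOSTS = {"mail.example-webmail.test"}
```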

11. Solutions: Evaluating post data

  • Outgoing password check
    • SpoofGuard maintains a database of hashed (domain, user name, password) triplets
    • If the user reuses a password on a new domain, this trips the password check
  • Interaction with image check
    • The image check interacts with the outgoing password check non-linearly.
    • If an E-trade password is entered on a non-E-trade page containing an E-trade logo, the spoof index is raised.
  • Check of all post data
    • All outgoing post data is checked by SpoofGuard.
  • Exception for search engines
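
An added Python example (not SpoofGuard's code) covering the scoring of slide 7 and the post-data evaluation of slide 11 together: passwords are kept only as salted hashes inside (domain, user name, hash) triplets, the outgoing password test is combined with the image test through a product term, and the post is allowed only while the index stays below the threshold. The weights, threshold, domain names and installation salt are assumptions.

```python
import hashlib

class PasswordHistory:
    """Hashed (domain, user name, password) triplets, like the SpoofGuard
    password history file. Only a salted PBKDF2 hash of each password is
    kept, so the file itself does not expose the passwords."""
    def __init__(self, salt):
        self.salt = salt          # per-installation secret (constructed here)
        self.entries = set()      # {(domain, user, password_hash)}
    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 20_000).hex()
    def record(self, domain, user, password):
        self.entries.add((domain.lower(), user, self._hash(password)))
    def reused_from(self, domain, password):
        """Other domains on which this password has already been used."""
        h = self._hash(password)
        return {d for d, _, ph in self.entries if ph == h and d != domain.lower()}

def outgoing_password_check(history, post_domain, passwords):
    """Outgoing password test: 1 if a posted password was used on another domain."""
    return int(any(history.reused_from(post_domain, pw) for pw in passwords))

# Assumed weights: either test alone stays below the threshold; the product
# term for "reused password AND honest logo on the page" pushes it over.
WEIGHTS = {"password_reuse": 0.25, "image_check": 0.25}
COMBOS = [(("password_reuse", "image_check"), 0.5)]

def total_spoof_score(tests, weights=WEIGHTS, combos=COMBOS):
    """Scoring slide: weighted sum of the P_i plus product terms P_i*P_j*...,
    clipped to [0,1]."""
    score = sum(w * tests[name] for name, w in weights.items())
    for names, w in combos:
        product = 1.0
        for name in names:
            product *= tests[name]
        score += w * product
    return min(score, 1.0)

def evaluate_post(history, post_domain, passwords, logo_on_foreign_page, threshold=0.5):
    """Post-data evaluation: combine the outgoing password test with the image
    test (honest logo found on a page outside its domain) and let the post
    proceed only while the index is below the user's threshold."""
    tests = {"password_reuse": outgoing_password_check(history, post_domain, passwords),
             "image_check": int(logo_on_foreign_page)}
    index = total_spoof_score(tests)
    return {"spoof_index": index, "allow_post": index < threshold}

# Constructed sample: alice has logged in to her bank before; later a look-alike
# page carrying the bank's logo asks for the same password.
HISTORY = PasswordHistory(salt=b"constructed-installation-salt")
HISTORY.record("www.example-bank.test", "alice", "correct horse battery")
```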

12. SpoofGuard Architecture

  • COM component extends IDeskBand (IE interface)
  • CWindowImpl class implementations

13. Spoof Guard Architecture

  • Implemented as a browser plug-in or a browser helper object (COM component)
  • SpoofGuard runs in the same memory context as the browser
  • Access is made to the IE history file
  • Three additional files are stored
    • Read-only file of hostnames of e-mail sites like Hotmail, Yahoo!, etc.
    • Hashed password history (domain, user name, password)
    • File of hashed image history

14. SpoofGuard Configuration

15. SpoofGuard in Action

16. Server Side Assistance: Confidentiality Tags

  • Confidentiality Tags
    • Add a confidentiality attribute to the HTML element
    • This helps SpoofGuard determine how to process the field and thus warn the user
    • Possible confidential fields include name, password, SSN, etc.

17. Server Side Assistance: Image Tagging

  • Add a new attribute to IMG element in HTML page
  • Enables honest sites to identify images on their pages that are not supposed to appear outside their domain
  • The SpoofGuard attribute indicates that a page is a likely spoof if the image appears on a non-honest web page

18. Server Side Assistance: Password Hashing and Site Specific Salt

  • Attackers break into a low security site and recover logins and passwords
  • They then use this information to break into more secure sites
  • Passwords can be made independent of passwords at other sites by adding a password SALT to the HTML element
  • Site developers need to ensure that the salt is unique for that web site
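
Slide 18's site-specific salt, as an added Python example (not SpoofGuard's code): the client reads the salt from the password element and submits a value derived from it instead of the raw password, so the value recovered from a low-security site is useless at another site. The attribute name `salt`, PBKDF2 as the derivation and the sample forms are assumptions.

```python
import base64
import hashlib
from html.parser import HTMLParser

SALT_ATTR = "salt"  # assumed attribute name; the slide only says a SALT is added to the element

class _SaltFinder(HTMLParser):
    """Maps each password field name to the site salt attached to it."""
    def __init__(self):
        super().__init__()
        self.salts = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password" and a.get(SALT_ATTR):
            self.salts[a.get("name")] = a[SALT_ATTR]

def password_salts(html):
    finder = _SaltFinder()
    finder.feed(html)
    return finder.salts

def derive_site_password(password, site_salt):
    """What the client submits instead of the raw password: a PBKDF2 hash bound
    to the site's salt, so one password yields unrelated values per site."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), site_salt.encode(), 20_000)
    return base64.urlsafe_b64encode(key).decode().rstrip("=")

def prepare_post(html, fields):
    """Rewrite the outgoing post: salted password fields are replaced by their
    site-specific derivation, everything else passes through unchanged."""
    salts = password_salts(html)
    return {name: derive_site_password(value, salts[name]) if name in salts else value
            for name, value in fields.items()}

# Constructed sample forms: a low-security forum and a bank, each with its own salt.
FORUM_FORM = '<form><input name="user"><input type="password" name="pw" salt="forum-2015-x7"></form>'
BANK_FORM = '<form><input name="user"><input type="password" name="pw" salt="bank-9f2c0a"></form>'
```

The salt addresses reuse of one password across sites; a page that copies the honest site's salt attribute still receives the honest site's derived value, so spoof detection itself remains the job of the page and post checks.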

19. Evaluation

  • SpoofGuard evaluated based on the following criteria
    • Detection of Spoof Attacks
      • Tested SpoofGuard on 14 spoof pages (sent US Secret Serv

