Detecting Malicious HTTP Tunneling
The ability to determine whether a computer system is being misused is a valuable tool for securing a network. Typically, misuse of a compromised system after an attack generates more network traffic (and thus more opportunity for detection) than gaining the initial foothold does. An important class of malicious activity is covert tunnels that exploit HTTP, the protocol web browsers use for web access. The requests a browser sends for specific web pages, and the responses to them, can carry hidden information. This covert channel can be used to transfer information and to signal commands to a backdoor (Trojan horse) program inside the network, allowing external control of an enterprise computer and the modification, deletion or theft of sensitive information. This currently exploitable weakness of contemporary security architectures eludes detection by current IDS, firewall and proxy technologies, because the tunnel traffic is well-formed HTTP on a port the perimeter must already allow. We seek to explore this vulnerability further and to provide new mechanisms to detect its exploitation.
Our methods for detecting covert channels are anomaly-based, i.e. they rely on deviations from legitimate HTTP traffic rather than on signatures of known tunnels. Our approach is to measure a set of primary data attributes of network connections as the traffic crosses the enterprise perimeter near the firewall. Preliminary research [1] shows promising results for fairly homogeneous user computer-use patterns and specific kinds of malicious traffic. New research will focus on secondary traffic attributes derivable from the primary ones. We plan to use more state information related to the run-time behaviour of applications: in addition to primary data describing the properties of individual connections, the normal relationships (timing, ordering, etc.) between connections associated with the same application or machine. We plan to explore more sophisticated data mining techniques to characterize and group normal modes of network activity; data that conforms to none of these modes potentially indicates malicious activity. We expect to use various mathematical techniques to characterize network traffic.
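To make the primary/secondary distinction concrete, the following is an added example, not code from this page or from the cited work. It profiles each internal host from per-connection records: primary attributes of a single connection (request size, fraction of bytes sent by the client, duration) are averaged per host, secondary attributes are computed over the host's set of connections (coefficient of variation of inter-connection gaps, fraction of distinct destinations, connection rate), a baseline is built from hosts assumed benign, and a host whose worst feature z-score exceeds a threshold is flagged. All host names, destination names, byte counts, timings, the spread floor and the threshold are constructed for illustration.

```python
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float        # seconds since the start of the capture
    src: str         # internal host that opened the connection
    dst: str         # external server
    req_bytes: int   # bytes sent by the client (headers + body)
    resp_bytes: int  # bytes returned by the server
    duration: float  # seconds the connection stayed open


def primary_attributes(c):
    """Primary attributes: properties of one connection."""
    return {"req_bytes": float(c.req_bytes),
            "upload_ratio": c.req_bytes / max(1, c.req_bytes + c.resp_bytes),
            "duration": c.duration}


def secondary_attributes(conns):
    """Secondary attributes: relationships between one host's connections."""
    conns = sorted(conns, key=lambda c: c.ts)
    gaps = [b.ts - a.ts for a, b in zip(conns, conns[1:])]
    # Browsing is bursty (high variation of gaps); a fixed-interval beacon
    # is regular (coefficient of variation near zero).
    gap_cv = 0.0
    if len(gaps) >= 2 and statistics.fmean(gaps) > 0:
        gap_cv = statistics.stdev(gaps) / statistics.fmean(gaps)
    span = conns[-1].ts - conns[0].ts
    return {"gap_cv": gap_cv,
            "distinct_dst_frac": len({c.dst for c in conns}) / len(conns),
            "conns_per_min": 60.0 * len(conns) / span if span > 0 else 0.0}


def host_profile(conns):
    """One feature vector per host: mean primary attributes plus secondary ones."""
    prim = [primary_attributes(c) for c in conns]
    profile = {name: statistics.fmean(p[name] for p in prim) for name in prim[0]}
    profile.update(secondary_attributes(conns))
    return profile


def build_baseline(profiles):
    """Per-feature mean and standard deviation over hosts assumed benign."""
    baseline = {}
    for name in profiles[0]:
        vals = [p[name] for p in profiles]
        baseline[name] = (statistics.fmean(vals),
                          statistics.stdev(vals) if len(vals) > 1 else 0.0)
    return baseline


def score_host(profile, baseline, floor_frac=0.05):
    """z-score per feature. The spread is floored at a fraction of the mean
    (a design choice of this example, not of the cited work) so a small,
    very uniform baseline cannot turn rounding noise into an alert."""
    return {name: (profile[name] - mu) / max(sd, floor_frac * abs(mu), 1e-9)
            for name, (mu, sd) in baseline.items()}


def detect(records, baseline_hosts, threshold=4.0):
    """Profile every host; flag those whose worst |z| exceeds the threshold."""
    by_host = defaultdict(list)
    for c in records:
        by_host[c.src].append(c)
    profiles = {h: host_profile(cs) for h, cs in by_host.items()}
    baseline = build_baseline([profiles[h] for h in baseline_hosts])
    report = {}
    for host, prof in profiles.items():
        zs = score_host(prof, baseline)
        top = max(zs, key=lambda n: abs(zs[n]))
        report[host] = {"flagged": abs(zs[top]) > threshold, "top_feature": top, "z": zs}
    return report


def make_browsing(host, i):
    """Constructed browsing: bursts of small requests to varied servers with
    large responses at each page load, then idle time until the next page."""
    pages, per_page, scale = 5 + i, 6 + i, 1 + 0.1 * i
    return [Conn(ts=90.0 * p + 11.0 * i + 0.3 * k, src=host,
                 dst=f"site{(3 * p + k) % 9}.example",
                 req_bytes=int((420 + 37 * (k % 5)) * scale),
                 resp_bytes=int((12000 + 9000 * (k % 4)) * scale),
                 duration=0.15 + 0.05 * (k % 3))
            for p in range(pages) for k in range(per_page)]


def make_tunnel(host):
    """Constructed tunnel: one server, a ~30 s polling interval and requests
    that carry far more data out than the replies bring back."""
    return [Conn(ts=30.0 * k + 0.4 * (k % 3), src=host, dst="srv7.example",
                 req_bytes=3000 + 50 * (k % 5), resp_bytes=380 + 10 * (k % 4),
                 duration=0.5)
            for k in range(60)]


def example():
    benign = ["ws-01", "ws-02", "ws-03", "ws-04"]
    records = [c for i, h in enumerate(benign) for c in make_browsing(h, i)]
    records += make_tunnel("ws-05")          # ws-05 is not in the baseline
    return detect(records, baseline_hosts=benign)


if __name__ == "__main__":
    for host, r in example().items():
        z = round(r["z"][r["top_feature"]], 1)
        print(host, "FLAG" if r["flagged"] else "ok  ", r["top_feature"], z)
```

On this constructed data the tunnelling host is separated from the baseline by a primary attribute (a request-heavy upload ratio where browsing is response-heavy) and independently by a secondary one (a near-constant gap between connections, where browsing alternates bursts and idle periods), which is the kind of per-machine timing relationship the paragraph above proposes to add. Two caveats a practitioner would want: a baseline built from a handful of hosts is fragile, which is why the spread is floored rather than trusted, and a tunnel that sends small requests on a browsing-like cadence would weaken both signals, so the attributes are meant to be used together rather than individually.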
1. C. Daicos and G.S. Knight, "Concerning Enterprise Network Vulnerability to HTTP Tunneling," Proc. IFIP TC11 18th International Conference on Information Security, Athens, May 2003.