An IDS for Browser Hijacking
@diogomonica

Agenda
- The problem
- Our approach
- The algorithm
- Results
- Conclusions

The problem
➔ Detect malicious behavior that does not directly target the user’s browser:
- Unintended participation in botnet C&C [Diogo, WOOT13]
- Browser based DDoS (GitHub attacks)
- Javascript scanning (internal network)
- Bitcoin mining (malicious ad-networks)

The problem
➔ Increased browser capabilities
➔ Users send traffic on the attacker's behalf
- Malicious command propagation
- DoS traffic
➔ Defusing this threat implies user empowerment

Our approach
➔ Trust but verify
- Browser extension
- Active monitoring of browser behavior
- Per-tab granularity
- Detect suspicious behavior and alert the user
- Don’t block, the user has more context than we do

Our approach (per browser tab)
[Diagram: real time browser tab data → sliding window over time → Indicator 1, Indicator 2, Indicator 3, ..., Indicator n → Classifier → Ok / Attack]

Our approach (per browser tab)
[Diagram: classifier output (Ok / Attack) for a tab plotted against time (s)]

Our approach
The question(s) we proposed to answer:
Q1: Can we use a linear classifier to do the job?
- Simple and fast to compute
- Non linear classifiers sometimes generate overfitting to the training data
- Optimal, if the problem can be construed as linearly separable
Q1a: Can we find a low cardinality set of internal browser indicators capable of producing a linearly separable problem in the feature space?

The algorithm
The choice of indicators:
OBJECTIVES:
1. Obtain a set of indicators which ensures that the problem is linearly separable in the output space, and, hence, amenable to linear classifiers.
2. Use as few indicators as possible, to alleviate the computational complexity of the overall algorithm.
CONSTRAINT:
Use only raw data available per-tab from the browser

The algorithm
Indicator 1 - Computational effort (sampling period - 1s)
- The easiest to obtain
- The fractional computational load is integrated throughout the full segment to avoid the influence of load profiling; only the total load for the period pn is, therefore, considered
[Plot: indicator value on a 0 to 1 scale, annotated from "Cool" (low) to "Humm..." (high)]

The algorithm
Indicator 2 - Periodicity
- How do new HTTP requests appear? Randomly? Periodically?
[Illustration: random vs periodic request arrivals, annotated "Cool" and "Humm..."]

The algorithm
Indicator 2 - Periodicity
Kolmogorov-Smirnov test variables: sample mean and variance of interarrival times
[Plot: indicator scale starting at 0, annotated from "Cool" to "Humm..."]

The algorithm
Indicator 3 - The sequence of IP addresses on new HTTP requests
- DoS
- Sequential scanning
- Random scanning
[Plot: indicator scale starting at 0, annotated from "Cool" to "Humm..."]

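As an added example (not the authors' extension code), here is one way to compute the three per-tab indicators from a 5 s window of raw data. The exact formulas, the window layout and the sample windows are assumptions; the periodicity score is built from the sample mean and variance of the interarrival times rather than a full Kolmogorov-Smirnov test.

```python
import statistics
from ipaddress import ip_address

def computational_effort(loads):
    """Indicator 1: fractional CPU load sampled once per second, integrated over the
    whole window (sum / samples) so the load profile inside the window does not matter."""
    return sum(loads) / len(loads)

def periodicity(arrivals):
    """Indicator 2: regularity of the interarrival times of new HTTP requests, from the
    same statistics the slides feed to the K-S test (sample mean and variance).
    1.0 = perfectly periodic, towards 0 = erratic, 0.0 if there are too few requests."""
    gaps = [b - a for a, b in zip(arrivals, arrivals[1:])]
    if len(gaps) < 2 or statistics.mean(gaps) <= 0:
        return 0.0
    cv = statistics.pstdev(gaps) / statistics.mean(gaps)  # coefficient of variation
    return 1.0 / (1.0 + cv)

def addressing_profile(ips):
    """Indicator 3: fraction of consecutive requests that move to a different host.
    0.0 = every request hits the same host (DoS pattern), 1.0 = a new host every time
    (sequential or random scanning); ordinary browsing sits in between."""
    pairs = list(zip(ips, ips[1:]))
    if not pairs:
        return 0.0
    return sum(1 for a, b in pairs if ip_address(a) != ip_address(b)) / len(pairs)

def window_indicators(window):
    """Map one 5 s window of raw per-tab data to the feature vector (x1, x2, x3)."""
    return (computational_effort(window["loads"]),
            periodicity(window["arrivals"]),
            addressing_profile(window["ips"]))

# Constructed sample windows (not the authors' data): five 1 s load samples,
# request timestamps in seconds, and the destination host of each request.
REGULAR = {"loads": [0.05, 0.10, 0.02, 0.30, 0.04],
           "arrivals": [0.2, 0.25, 0.9, 3.1, 3.15, 3.2],
           "ips": ["203.0.113.10", "203.0.113.10", "203.0.113.20",
                   "198.51.100.5", "198.51.100.5", "203.0.113.10"]}
DOS = {"loads": [0.9] * 5, "arrivals": [i * 0.1 for i in range(50)],
       "ips": ["203.0.113.50"] * 50}
SCAN = {"loads": [0.7] * 5, "arrivals": [i * 0.1 for i in range(50)],
        "ips": [f"10.{(37 * i) % 251}.{(91 * i) % 253}.{(7 * i) % 250 + 1}" for i in range(50)]}

if __name__ == "__main__":
    for name, win in (("regular", REGULAR), ("dos", DOS), ("scan", SCAN)):
        print(name, ["%.3f" % v for v in window_indicators(win)])
```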
The algorithm (per browser tab)
[Diagram: real time browser tab data → 5-sec sliding window over time → Computational effort, Periodicity, Addressing profile → simple perceptron → Ok / Attack]

The algorithm
Why did we opt for a simple perceptron?
1. It’s one linear classifier and, for the purpose in hand in this “proof of concept” phase, it is as good as any other.
2. Easy training;
3. Good performance, given a proper training set;

Results
- 50 multi-tab browser sessions were logged.
- From these sessions, 450 five-second periods were extracted, to be used as training set (D);
  - 150 correspond to regular browser use;
  - 150 to a simulated DoS attack;
  - 150 to forced random scanning periods;
- 50 other periods were obtained, to be used as a test set.
- The three indicators x1, x2, and x3 for the 450 training periods were fed to the perceptron, for supervised training; 100 iterations (epochs) were used in training, with a learning factor α = 0.1; the perceptron weights w were randomly initialized.

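As an added example, not the authors' code or data, this trains a simple perceptron with the parameters above (random initial weights, 100 epochs, learning factor α = 0.1) on constructed indicator vectors for the three classes, then counts training and test errors. The per-class value ranges and the train/test sizes are assumptions.

```python
import random

def predict(w, x):
    """Perceptron output for one indicator vector x = (x1, x2, x3): 1 = Attack, 0 = Ok."""
    return 1 if w[0] + sum(wi * xi for wi, xi in zip(w[1:], x)) > 0 else 0

def train_perceptron(rows, labels, alpha=0.1, epochs=100, seed=1):
    """Classic perceptron rule on augmented inputs (1, x1, x2, x3) with the slides'
    parameters: random initial weights, 100 epochs, learning factor alpha = 0.1."""
    rng = random.Random(seed)
    w = [rng.uniform(-1.0, 1.0) for _ in range(4)]     # bias weight + one per indicator
    for _ in range(epochs):
        for x, y in zip(rows, labels):
            err = y - predict(w, x)                     # 0 when already classified correctly
            w = [wi + alpha * err * xi for wi, xi in zip(w, (1.0,) + tuple(x))]
    return w

def count_errors(w, rows, labels):
    """Misclassified periods; 0 on the training set shows it was linearly separable."""
    return sum(predict(w, x) != y for x, y in zip(rows, labels))

def make_dataset(per_class, seed):
    """Constructed indicator vectors (x1 load, x2 periodicity, x3 host-change ratio),
    NOT the authors' logged periods. Regular use: low load, irregular timing;
    simulated DoS: high load, periodic, one host; random scan: periodic, new host each time."""
    rng = random.Random(seed)
    rows, labels = [], []
    for _ in range(per_class):
        rows.append((rng.uniform(0.0, 0.35), rng.uniform(0.1, 0.5), rng.uniform(0.2, 0.8)))
        labels.append(0)                                # Ok
        rows.append((rng.uniform(0.55, 1.0), rng.uniform(0.9, 1.0), rng.uniform(0.0, 0.1)))
        labels.append(1)                                # Attack (DoS)
        rows.append((rng.uniform(0.45, 1.0), rng.uniform(0.9, 1.0), rng.uniform(0.9, 1.0)))
        labels.append(1)                                # Attack (random scanning)
    return rows, labels

def run_experiment(seed=1):
    """450 training periods (150 per class) and 51 held-out periods (17 per class)."""
    train_x, train_y = make_dataset(150, seed)
    test_x, test_y = make_dataset(17, seed + 100)
    w = train_perceptron(train_x, train_y, seed=seed)
    return count_errors(w, train_x, train_y), count_errors(w, test_x, test_y)

if __name__ == "__main__":
    print("training errors, test errors:", run_experiment())
```

With these ranges the classes are separated by a wide margin, so the training error count reaches 0 well within 100 epochs; narrowing the gap between the regular and attack periodicity ranges is the quickest way to see the perceptron fail to converge.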
Results
- 450 training periods;
  - 0 classification errors in the training set
  - This indicates that the training set was, in fact, linearly separable.
- 50 test periods
  - Classification was also 100% successful, with no misclassifications.

Conclusions
Even though the number of examples used in this paper is limited, and no real life attacks have been used, the obtained results seem to indicate that:
- It is possible to detect the type of attacks in the proposed setup using only information available to the user’s browser
- It is implementable as a browser extension, and it can, thus, empower users allowing them to autonomously detect and prevent the hijack of their browser
- It is possible to devise a small set of indicators which allow the use of a simple linear classifier, implementable by simple, lightweight, browser extensions.

Thank you
@diogomonica