Botnet Detection

A Bot is often called a zombie because it is a compromised computer controlled by malware without the consent and knowledge of the user.

A Botnet is a network of bots controlled by a Bot Master

It is a key platform for fraud and other for-profit exploits.

Traditional Anti-Virus Tools, Traditional IDS/IPS, Honeypot

Bots are stealthy on the infected machines
Bot infection is usually a multi-faceted and multi-phased process
Bot are dynamically evolving
Botnets can have very flexible design of C&C channels

Recursive DNS Monitoring at ISP
Analyze DNS traffic from internal hosts to a recursive DNS server of the network

HTTPS

send password – encrypted- e.g. “Xu587Fyis)” -Encrypted – Receives password

-create a sesure channel over an insecure network
-is reasonable protection against man-in-the-middle attacks
-can still provide security even when only one side of the communiction is secure

Crypto slow down web server
some ad-networks do not support HTTPS
– reduced revenue for publishers

Request URL, Query parameters, Headers, Cookies

SSL/TLS
You need to buy an SSL certificate
Mixed modes issue-loading insecure content on a secure site
Proxy caching problems-public caching cannot occure

Upgrade from HTTP to HTTPS
forged certs

mobile device
– smart phone held by person, self driving car, robot

Session Management

A sequence of requests and responses from one browser to one site
– session can be long or short
– without session management, users would constantly re-authenticate

Storing session tokens
-browser cookie, embed in URL, hidden form field

Content Security Policy

Prevent and limit damage of XSS
->
XSS attacks bypass the same origin policy by tricking a site into delivering malicious code along with intended content

Approach: restrict resource loading to a white-list
script-src, connect-src, font-src, frame-src, img-src, media-src, object-src, style-src, default-src

CSP will allow third party widgets(e.g. Google +1 button) to be embedded on your site

Cross origin resource sharing
-A technique for relaxing the same-origin policy, allowing JavaScript on a web page to consume content from a different origin.
-server can inspect origin header and respond with Access-Control-Allow-Origin header

definition of an origin
A combination of URI(UniformResource Identification) scheme hostname, and port number.

Same origin policy for DOM.

Cryptographic Checksums
generate tag: T MACsign(k, SID || name || value)

Web Threat Model

Malware Attacker:
Attacker escapes browser isolation mechanisms and runs separately under control of OS
Browsers may contain exploitable bugs
often enable remote code execution by web site
even if browsersd were bug-free, still lots of vulnerabilities on the web
XSS, SQLi, CSRF, …

Web Threat Models
Malware Attacker, Network Attacker, Web Attacker

Basic Execution Model
1. Loads content
2. Renders
Processes HTML and scripts to display the page. May involve images, subframes, etc.
3. Response to event

Frame Security
windows may contain frames from different sources
Frame:Rigid division as part of frameset
iFrame: floating inline frame


readCookie, writeCookie

Browsing Context
-A frame with its DOM
-A web worker, which does not have a DOM

Modern structuring mechanisms
-HTML5 iframe sandbox
-content security policy
-cross-origin resource sharing
-HTML5 web workers
-sub resource integrity