As network security is a growing concern, system administrators lock down their networks by closing inbound ports and only allowing outbound communication over selected protocols such as HTTP. Hackers, in turn, are forced to find ways to communicate with compromised workstations by tunneling through web requests. While several tools attempt to analyze inbound traffic for denial-of-service and other attacks on web servers, Web Tap's focus is on detecting attempts to send significant amounts of information out via HTTP tunnels to rogue web servers from within an otherwise firewalled network. A related goal of Web Tap is to help detect spyware programs, which often send out personal data to servers using HTTP transactions and may open up security holes in the network. Based on the analysis of HTTP traffic over a training period, we designed filters to help detect anomalies in outbound HTTP traffic using metrics such as request regularity, bandwidth usage, inter-request delay time, and transaction size. Subsequently, Web Tap was evaluated on several available HTTP covert tunneling programs as well as a test backdoor program, which creates a remote shell from outside the network to a protected machine using only outbound HTTP transactions. Web Tap's filters detected all the tunneling programs tested after modest use. Web Tap also analyzed the activity of approximately thirty faculty and students who agreed to use it as a proxy server over a 40-day period. It successfully detected a significant number of spyware and adware programs. This paper presents the design of Web Tap, results from its evaluation, as well as potential limits to Web Tap's capabilities.
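The abstract names the per-flow metrics Web Tap's filters use (request regularity, bandwidth usage, inter-request delay, transaction size). The following is an added illustration of that style of outbound-HTTP anomaly filter, written for this page and not taken from the Web Tap implementation; the log records, hostnames and threshold values are constructed assumptions, and the regularity measure (coefficient of variation of inter-request delays) is one reasonable choice rather than the paper's exact statistic.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed outbound HTTP request log (made-up values, not data from the Web Tap study):
# (timestamp_seconds, client_ip, destination_host, request_bytes).
SAMPLE_LOG = [
    # ordinary browsing: bursty, irregular gaps, small requests
    (0, "10.0.0.5", "news.example", 410),
    (2, "10.0.0.5", "news.example", 380),
    (3, "10.0.0.5", "news.example", 395),
    (41, "10.0.0.5", "news.example", 420),
    (140, "10.0.0.5", "news.example", 400),
    # tunnel-like flow: clockwork 60 s beacons carrying large request bodies
    (0, "10.0.0.7", "c2.example", 9000),
    (60, "10.0.0.7", "c2.example", 9500),
    (120, "10.0.0.7", "c2.example", 9100),
    (180, "10.0.0.7", "c2.example", 9800),
    (240, "10.0.0.7", "c2.example", 9300),
]

def flow_metrics(log):
    """Per (client, host): request count, outbound bytes, largest request, and the
    coefficient of variation of inter-request delays (0.0 means perfectly regular)."""
    flows = defaultdict(list)
    for ts, client, host, nbytes in log:
        flows[(client, host)].append((ts, nbytes))
    result = {}
    for key, reqs in flows.items():
        times, sizes = zip(*sorted(reqs))
        delays = [b - a for a, b in zip(times, times[1:])]
        # regularity needs at least two gaps; a zero mean gap would divide by zero
        delay_cv = pstdev(delays) / mean(delays) if len(delays) >= 2 and mean(delays) > 0 else None
        result[key] = {"requests": len(reqs), "bytes_out": sum(sizes),
                       "max_request": max(sizes), "delay_cv": delay_cv}
    return result

def flag_flows(log, max_request=4096, max_bytes_out=32768, min_requests=4, max_delay_cv=0.1):
    """Return {(client, host): [reasons]} for flows tripping any filter.
    Thresholds are illustrative assumptions, not the paper's tuned values."""
    flagged = {}
    for key, m in flow_metrics(log).items():
        regular = (m["requests"] >= min_requests and m["delay_cv"] is not None
                   and m["delay_cv"] <= max_delay_cv)
        checks = [(m["max_request"] > max_request, "oversized request"),
                  (m["bytes_out"] > max_bytes_out, "outbound bandwidth"),
                  (regular, "regular inter-request delay")]
        reasons = [why for hit, why in checks if hit]
        if reasons:
            flagged[key] = reasons
    return flagged
```

In a deployment the thresholds would be learned from a training period of benign traffic, as the abstract describes, rather than fixed by hand.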