Web Tap: Detecting Covert Web Traffic
Kevin Borders, Atul Prakash
CCS 2004

Summary:

Network security is a serious issue that has received a lot of attention over the years. Network administrators try to secure their networks by locking down inbound connections and only allowing outbound communication over selected protocols such as HTTP. However, attackers can communicate with and retrieve information from compromised workstations by tunneling through web requests. This paper discusses the design, implementation and evaluation of Web Tap, a network-level anomaly detection system that takes advantage of legitimate web request patterns to detect covert communication, backdoors and spyware activity that is tunneled through outbound HTTP connections.

Web Tap monitors trends in users' browsing for a period of time and then uses the knowledge learnt from these trends to detect anomalies. It observes a number of characteristics: header formatting, delay times between requests, individual request size, outbound bandwidth usage, request regularity and request time of day. For header formats, Web Tap parses each header and generates an alert when it sees a header that is indicative of a non-browser request. It measures the inter-request arrival time to detect programs that make periodic requests. For normal communication, individual request sizes are fairly small (<3 KB), so monitoring request size can help identify covert communication. Similarly, normal usage consumes limited outbound bandwidth and occurs in short bursts rather than in a regular, uniform pattern, so deviations from this behavior can be detected. Additionally, the times at which users normally browse can be used to identify browsing at other times, which could be covert. The authors evaluate the performance of Web Tap over a 40-day period with 30 users. They also develop a backdoor program to test their filters.
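Three of the checks described above (non-browser header sets, oversized requests and timer-driven request regularity), as an added Python sketch that is not the authors' code. The log records, the learned header baseline and the 0.1 coefficient-of-variation threshold are constructed assumptions; the 3 KB size bound comes from the paper's observation quoted in the summary.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log of outbound HTTP requests:
# (time_s, client, host, request_bytes, header_names). It mixes ordinary
# browsing with a timer-driven same-size beacon and one oversized upload.
BROWSER_HDRS = {"Host", "User-Agent", "Accept", "Accept-Language"}
BEACON_HDRS = {"Host", "User-Agent"}  # a minimal, non-browser header set
LOG = [
    (0, "10.0.0.5", "news.example", 700, BROWSER_HDRS),
    (4, "10.0.0.5", "news.example", 640, BROWSER_HDRS),
    (31, "10.0.0.5", "news.example", 710, BROWSER_HDRS),
    (95, "10.0.0.5", "mail.example", 820, BROWSER_HDRS),
    (200, "10.0.0.5", "share.example", 9500, BROWSER_HDRS),
    (10, "10.0.0.9", "cdn.example", 512, BEACON_HDRS),
    (70, "10.0.0.9", "cdn.example", 512, BEACON_HDRS),
    (130, "10.0.0.9", "cdn.example", 512, BEACON_HDRS),
    (190, "10.0.0.9", "cdn.example", 512, BEACON_HDRS),
]

# Assumed baseline "learned" during a training period: the header names every
# browser request carried, plus the paper's ~3 KB bound on normal request size.
BASELINE_HEADERS = BROWSER_HDRS
MAX_REQUEST_BYTES = 3000


def header_alerts(log):
    """Flag requests that lack headers every browser request in training had."""
    return [(c, h) for _, c, h, _, hdrs in log if not BASELINE_HEADERS <= hdrs]


def size_alerts(log, limit=MAX_REQUEST_BYTES):
    """Flag individual outbound requests larger than the learned size bound."""
    return [(c, h, n) for _, c, h, n, _ in log if n > limit]


def regularity_alerts(log, min_requests=4, max_cv=0.1):
    """Flag (client, host) pairs whose inter-request gaps are nearly constant.
    Browsing arrives in bursts; a beacon fires on a timer, so the coefficient
    of variation (stdev / mean) of its gaps is close to zero."""
    times = defaultdict(list)
    for t, c, h, _, _ in log:
        times[(c, h)].append(t)
    alerts = []
    for key, ts in times.items():
        if len(ts) < min_requests:
            continue
        ts = sorted(ts)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            alerts.append(key)
    return alerts
```

On this log only the beacon trips the header and regularity checks, while the one large upload trips the size check; bursty browsing to news.example is not flagged even when the minimum request count is lowered.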
Importantly, they give a clear account of the vulnerabilities of their system and what future work can be done to make it more secure and useful. Thus, the paper looks at a novel way of detecting attacks by monitoring and analysing outbound traffic. Their performance results show fairly low false positive rates in most cases, and this looks like a promising idea for wide use.

Pros:
1. Interesting problem.
2. They address "real" covert channels; practical research.
3. Good experimentation with actual users.

Cons:
1. They don't discuss performance in terms of how fast requests are handled.
2. They don't consider that more than one characteristic might be true at the same time. A probabilistic measure combining the different characteristics might be helpful in such a situation.
3. Web Tap does not discuss adaptivity or how to actually block traffic.
4. It suffers from a huge number of false positives.
5. Since it stores per-user data, is it scalable to a large number of users?

Questions:
1. What is the biggest contribution of this paper?
2. Is Web Tap a commercially viable tool? What needs to be improved and ensured before launching it as a commercial product?
3. The paper discusses a number of vulnerabilities of Web Tap. How serious are some of these vulnerabilities, and do they undermine the purpose that Web Tap aims to serve?
4. Can you suggest some ideas to extend Web Tap by, say, overcoming some of the limitations it currently has?
5. Web Tap learns from users' browsing patterns and then uses this knowledge to detect anomalies. Are user browsing patterns static, or do they change over time? What if it is a public computer? How can Web Tap be made adaptive to these changes?
6. In some of the cases considered in the paper, Web Tap shows a high false positive rate (>30%). What can be done to eliminate or reduce these false positives?
7. Web Tap collects data online and then analyses it offline. But to detect attacks in real time, online analysis is needed. Do you think Web Tap can efficiently achieve that, and what needs to be improved to enable that in an efficient manner?
8. Can this idea of monitoring outbound traffic and analysing user behavior be applied in other domains? If so, what specific examples can you think of?
9. Web Tap can detect covert web traffic. What steps can we take after we detect covert communication? Which other techniques or approaches can Web Tap be combined with to make a comprehensive security system?

Votes:
Strong Reject: 1
Reject: 10
Accept: 5
Strong Accept: 0