
Protecting Web 2.0 Services from Botnet Exploitations



  1. Protecting Web 2.0 Services from Botnet Exploitations
  Second Cybercrime and Trustworthy Computing Workshop (CTC), 2010
  Nguyen H Vo, Josef Pieprzyk
  Department of Computing, Macquarie University, Australia
  Reporter: 游明軒

  2. Outline
  • Introduction
  • API Verifier
  • Security analysis
  • Conclusion & discussion

  3. Introduction
  • Web 2.0
    • Blogs, RSS, social networking sites, etc.
  • Web based bots
    • Use a Web 2.0 service as the C&C channel
    • Unlike traditional bots that sit on an IRC channel, the connections between web based bots are not permanent
  • The authors implement a tool, API Verifier, to detect web based bots

  4. Web based botnet

  5. Botnet detection methods
  • Analysis of network traffic flows
  • Network traceback
  • Honeypots
  • These techniques do not cover web based botnets because the bot activities are indistinguishable from those of legitimate users and websites

  6. API Verifier
  • Motivation
    • Because a web based bot must use Web 2.0 service APIs, API Verifier is implemented to verify whether a user is a person or a bot
  • Approach
    • Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)
    • MAC address as identifier

  7. API Verifier - architecture
  • Components
    • API Verifier Client
    • API Verifier Server

  8. API Verifier - functionality
  • Authentication
    • User profile
  • Session key
    • Encrypts the MAC address
    • Generated independently each time an API call is made
  • Permanent MAC address
  • CAPTCHA verification

  9. API Verifier – workflow

  10. Security analysis
  • Spoofing MAC address
  • API Verifier Client fraud
  • DDoS attack
  • By-passing CAPTCHA verification

  11. Spoofing MAC address
  • Change MAC address (1a)
    • Hijacking the OS kernel and modifying the OS communication with the NIC is expensive
    • Causes a high risk of being detected
  • Change the encrypted MAC address (1b)
    • The session key is generated for each API call and is a combination of the secret key and a time token

  12. API Verifier Client fraud
  • It is hard to recover the secret key of the API Verifier Client
    • AES 128-bit
  • It is hard to disassemble the API Verifier Client
    • Obfuscation techniques

  13. DDoS attack
  • Set a limit on the number of verification attempts
    • Finite number of attempts to solve the CAPTCHA
    • A time interval before the next MAC address verification
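The following is an added worked example, not code from the paper or the slides: a toy model of the server-side checks that slides 8, 11 and 13 describe. The paper encrypts the MAC address with AES-128 under a per-call session key; AES is not in the Python standard library, so this toy substitutes an HMAC-SHA256 tag over the MAC address under a key derived from (secret key, time token), which preserves the property the slides rely on (a value tampered with or replayed outside its time token does not verify). The secret, MAC addresses, limits and the clock are constructed for illustration.

```python
"""Toy API Verifier flow (added example, not the paper's implementation).

Per-call session key = f(client secret, time token)   -- slide 11 (1b)
Tag over the permanent MAC under that key              -- slide 8 (HMAC stands in for AES-128)
Finite CAPTCHA attempts + MAC re-check interval         -- slide 13
"""
import hashlib
import hmac
import time

# Constructed 128-bit secret shared by API Verifier Client and Server (assumption).
CLIENT_SECRET = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
MAX_CAPTCHA_ATTEMPTS = 3      # slide 13: finite number of attempts to solve the CAPTCHA
MAC_RECHECK_INTERVAL = 60     # slide 13: seconds before the next MAC verification
TOKEN_WINDOW = 30             # constructed: tolerated drift between time token and server clock


def session_key(secret: bytes, time_token: int) -> bytes:
    """Derive the per-call session key from the secret key and the time token."""
    return hashlib.sha256(secret + time_token.to_bytes(8, "big")).digest()[:16]


def client_encrypt_mac(secret: bytes, mac: str, time_token: int) -> dict:
    """API Verifier Client side: protect the permanent MAC with a key fresh for this call.

    HMAC-SHA256 replaces the paper's AES-128 so the example runs on the standard library.
    """
    tag = hmac.new(session_key(secret, time_token), mac.encode(), hashlib.sha256).hexdigest()
    return {"mac": mac, "t": time_token, "tag": tag}


class VerifierServer:
    """API Verifier Server side: re-derive the key, check the tag, enforce the limits."""

    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret
        self._now = now                 # injectable clock so the flow can be tested offline
        self._captcha_failures = {}     # mac -> consecutive failed CAPTCHA answers
        self._last_mac_check = {}       # mac -> server time of the last verification attempt
        self._seen_tokens = set()       # (mac, time token) pairs already accepted

    def verify_mac(self, msg: dict) -> str:
        mac, t, tag = msg["mac"], msg["t"], msg["tag"]
        now = int(self._now())
        if abs(now - t) > TOKEN_WINDOW:
            return "stale-token"        # time token outside the accepted window
        if (mac, t) in self._seen_tokens:
            return "replay"             # same encrypted MAC submitted twice
        last = self._last_mac_check.get(mac)
        if last is not None and now - last < MAC_RECHECK_INTERVAL:
            return "rate-limited"       # slide 13: interval before the next MAC verification
        self._last_mac_check[mac] = now  # every attempt, successful or not, starts the interval
        expected = hmac.new(session_key(self._secret, t), mac.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "bad-tag"            # slide 11 (1b): altered MAC does not verify under this key
        self._seen_tokens.add((mac, t))
        return "ok"

    def verify_captcha(self, mac: str, answer: str, expected: str) -> str:
        failed = self._captcha_failures.get(mac, 0)
        if failed >= MAX_CAPTCHA_ATTEMPTS:
            return "locked"             # slide 13: finite attempts exhausted
        if answer == expected:
            self._captcha_failures[mac] = 0
            return "ok"
        self._captcha_failures[mac] = failed + 1
        return "wrong"


def demo() -> list:
    """Run the flow against a fixed clock; returns the sequence of server verdicts."""
    clock = [1_000_000]
    server = VerifierServer(CLIENT_SECRET, now=lambda: clock[0])
    mac = "00:11:22:33:44:55"                      # constructed client MAC
    msg = client_encrypt_mac(CLIENT_SECRET, mac, clock[0])
    verdicts = [server.verify_mac(msg)]             # fresh, valid call
    verdicts.append(server.verify_mac(msg))         # same message again
    forged = dict(msg, mac="66:77:88:99:aa:bb")     # 1b: swap the MAC, keep the tag
    verdicts.append(server.verify_mac(forged))
    retry = client_encrypt_mac(CLIENT_SECRET, mac, clock[0] + 1)
    verdicts.append(server.verify_mac(retry))       # too soon after the last check
    clock[0] += 100
    verdicts.append(server.verify_mac(msg))         # old token, now outside the window
    later = client_encrypt_mac(CLIENT_SECRET, mac, clock[0])
    verdicts.append(server.verify_mac(later))       # interval elapsed, fresh token
    for _ in range(MAX_CAPTCHA_ATTEMPTS):
        verdicts.append(server.verify_captcha(mac, "zzz", "abc"))
    verdicts.append(server.verify_captcha(mac, "abc", "abc"))  # correct, but locked out
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Running the block prints the verdict sequence from `demo()`; the interesting cases are the forged message (swapping the MAC field without the secret yields `bad-tag`), the too-early retry (`rate-limited`), and the CAPTCHA lockout after the third wrong answer, which holds even when the fourth answer is correct.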

  14. By-passing CAPTCHA verification
  • Analyze the picture and extract the characters on the image
  • Send the image to the attacker to solve it

  15. System shortcoming
  • API Verifier cannot get a permanent MAC address on a virtual machine

  16. Conclusion & discussion
  • Proposes a novel approach against web based botnets. The main concept is to identify whether a user is a person or a bot
  • Implements a system, API Verifier, to detect the bots before they access the web service API
  • For security, the authors consider all possible attacks and defend against them
  • The DDoS attack issue still exists
  • Lacks convincing real-world statistics as proof

  17. Thanks
