Intrusion Detection: Winter 2011 (COMP 5900X)
- 1 Readings
- 2 Research
Note that many PDF links are via the Carleton University Library's proxy; to access these you need your Carleton ID number and library PIN. However, if you have trouble accessing them, try doing a search on the authors and titles; the same PDFs are generally also available from other websites. You may also want to look at the papers from my last run of this class.
January 25, 2011
- Anderson (1980), Computer Security Threat Monitoring and Surveillance. ([PDF)
- Denning (1986), An Intrusion Detection Model. (PDF)
January 27, 2011
- Smaha (1988), Haystack: An Intrusion Detection System. (PDF)
- Vaccaro & Liepins (1989), Detection of Anomalous Computer Session Activity. (PDF)
January 31, 2011
- Cheswick (1990, USENIX Summer conference), The Design of a Secure Internet Gateway
- Bellovin & Cheswick (1994), Network Firewalls (PDF)
February 2, 2011
Note: class today will end at 9:40 (15 minutes early).
February 7, 2011
- Paxson (1998), Bro: A System for Detecting Network Intruders in Real-Time
- Roesch (1999), Snort - Lightweight Intrusion Detection for Networks
February 14, 2011
- Inoue (2005), Anomaly Detection in Dynamic Execution Environments
March 7, 2011
- Warrender et al. (1999), Detecting Intrusions Using System Calls: Alternative Data Models
- Axelsson (2000), The Base-Rate Fallacy and the Difficulty of Intrusion Detection
- Lippmann et al. (2000), Evaluating Intrusion Detection Systems: The 1998 DARPA Off-line Intrusion Detection Evaluation
- Sekar et al. (2001), A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors
- Mahoney & Chan (2003), An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection
- Kruegel et al. (2005), A multi-model approach to the detection of web-based attacks
- Wang et al. (2006), Anagram: A Content Anomaly Detector Resistant To Mimicry Attack
- Kirda et al. (2006), Behavior-based Spyware Detection
- Ingham et al. (2007), Learning DFA representations of HTTP for protecting web applications
March 14, 2011
- Lippmann et al. (2000), Analysis and Results of the 1999 DARPA Off-Line Intrusion Detection Evaluation for Detecting Network Intruders in Real-Time.
- McHugh (2000), Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory.
Android advertisement services
AdSense: - Advertising program that's used by publishers - Contexual Advertising (to surrouding context)
AdWords: - an ad brokerage system - a pay-per-click advertizing program used by Advertisers - Advertisers create short, text based ads that are very closely relatated to chosen keywords and then allow those ads to be shown on other people's web sites that feature the chosen keyword.
Instead of the traditional model of displaying ads on manually chosen sites, AdWords displays the ads according to the content of the hosting web page (“travel,” “new york giants,” “perfume”), and advertisers pay the host each time a user clicks on an ad. Google makes money from the system both by hosting ads on its own search and other sites and by collecting a commission for all ads hosted on other sites.
AdWords consists of 3 main parts: the ranking part that drives its search and ad lists, the terming part that drives its association of ads with content, and the valuing part that drives its valuation of ads.
AdWords technically refers to only one of several sub-systems (the one that attaches the smartertravel.com ad to the word “smart travel”) that constitute the larger AdWords system, along with Google's search and AdWords ad ranking systems and the AdWords pay-per-click / ad auction payment system.
Publishers get paid by:
- Unique visits - Click-through-rate - Avergage cost-per-click
A code snippet provided by Google and embedded in the publishers page grabs the Ads off Google's Ad server. A third party Ad server can be used through AdSense.[http://www.google.com/adsense/support/bin/answer.py?hl=en&answer=94145 ]
"How will Google prevent malware from third-party ads?
Google is actively working with trusted advertisers and partners to reduce the risk of malware. We specifically forbid fourth-party calls or sub-syndication to advertisers or vendors we haven't certified.
Also, all third-party ads are checked for malware when they're initially entered into our system. Google also employs an automated malware checker that continuously scans all third-party creatives running through the network. Any ad with malware will be automatically pulled from the network to protect our partner websites and their users."
Maleware exploits (Google recommended) 
Google online security blog 
The Ghost In The Browser, Analysis of web-based Malware.
BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation.
Effective and Efficient Malware Detection at the End Host.
Malware Characterization through Alert Pattern Discovery.
A View on Current Malware Behaviors.
Automatic Generation of Remediation Procedures for Malware Infections.
Very good paper with a wealth of technical infromation on how AdWords works: Google AdWords as a Network of Grey Surveillance 
Google Display Network 
AdSense for mobile content 
"AdMob is a mobile advertising company founded by Omar Hamoui. It was incorporated in 2006 and is based in San Mateo, California. In November 2009 it was acquired by Google for $750 million. The acquisition was completed on May 27, 2010. Apple Inc. had also expressed interest in purchasing the company the same year, but they were out-bid by Google, and have since introduced their own iAd advertising platform. Prior to being acquired by Google, AdMob acquired the company AdWhirl, formerly Adrollo, which is a platform for developing advertisements in iPhone applications. AdMob offers advertising solutions for many mobile platforms, including Android, iOS, webOS, Flash Lite, and all standard mobile web browsers.
AdMob is one of the world's largest mobile advertising platforms and claims to serve more than 40 billion mobile banner and text ads per month across mobile Web sites and handset applications" - 
How to publish an ad for mobile application developers
- Create an account on AdMob. - Choose your platform from the list of supported platforms, we will select Android. A screen shot from Admob.com of the list of supported platforms: - After going through some settings screens , you will be given a publisher ID (for example: a14234a2430bff2). - Make sure that Test mode is enabled. This allows testing ads in a test environment. - You will be asked to download a publisher's code file. - The Android SDK documentation can be found here:  - Add the jar file to build path of the Android project - Make sure that the application has Internet access permission by modifying the manifest file. - Add Admob activity tags in the application's manifest file.
Supported API Actions when clicking on an in-application Ad:
- url - (Default) Click-to-Browser for promoting websites - app - Click-to-Market for promoting Android applications - canvas - Click-to-Canvas which is a notice that appears over current screen - call - Click-to-Phone Call - map - Click-to-Google Map - video - Click-to-YouTube
Notes on the decompiled .jar file (information below might now be very accurate):
- http://r.admob.com/ad_source.php is used to get Ad using an HTTP post - References to JSON object in AdWebView, but not 100% sure if they're used in the AdView view - Time Delta enforced between refreshes. You can not get a new Ad before a certain number of seconds.
Wikipage for Admob developers
For request/response structures: http://developer.admob.com/wiki/Requests
FROM: 126.96.36.199 POST /ad_source.php HTTP/1.1\r\n user-agent : Mozilla/5.0 (Linux; U; Android 2.1-update1; en-us; sdk Build/ECLAIR) AppleWebKit/525.10+ (KHTML, like Gecko) Version/3.0.4 Mobile Safari/523.12.2 (AdMob-ANDROID-20101109) content-type: application/x-www-form-urlencoded HOST: r.admob.com
READ AD REQUEST ------------------------------------
z=1296836916.457 ad_type=bar rt=0 s=a14d34a2470bff5 l=en f=jsonp client_sdk=1 ex=1 v=20101109-ANDROID-3312276cc1406347 so=p screen_width=320 d%5Bcoord_timestamp%5D=1296836916 density=1.0 ic=m%2Ca audio=3 stats%5Breqs%5D=66 stats%5Btime%5D=1463
02-04 09:32:33.358: INFO/AdMobSDK(661): Ad returned (1880 ms): Train for a New Career ------> 2
REAL AD RESPONSE -----------------------------------
<json> <text>Train at Everest College</text> <url>http://c.admob.com/c1/3/EkQQEAsb-REkQ9pA7rB2S4D4C29370C7B50005b8aab9ac9267add8</url> <image_url>http://c.admob.com/i1/3/EkQQEAsb-REkQ9pA7rB2S4D4C29370C7B50005b8aab9ac9267add8</image_url> <jsonp_url>http://c.admob.com/j1/3/EkQQEAsb-REkQ9pA7rB2S4D4C29370C7B50005b8aab9ac9267add8</jsonp_url> <markup> <> <>t</> <> <t>i</t> http://mmv.admob.com/p/i/2d/14/2d149231207f5404a5b0d83206a2f329-i.png </> <a> <t>i</t> http://email@example.com </a> </> <v> <t>bg</t> <ia>0.5</ia> <epy>0.4375</epy> <f>0</f> <f>0</f> <f>320</f> <f>48</f> </v> <v> <t>i</t> <>t</> <f>5</f> <f>5</f> <f>38</f> <f>38</f> true <cav>false</cav> </v> <v> <t>i</t> <>a</> <f>283</f> <f>9</f> <f>30</f> <f>30</f> false <cav>true</cav> </v> <v> <t>l</t> <f>48</f> <f>9</f> <f>226</f> <f>15</f> <x>Train at Everest College</x> <fa>b</fa> <fs>13</fs> <fc>0</fc> <afstfw>true</afstfw> <mfs>5</mfs> </v> <v> <t>l</t> <f>211</f> <f>27</f> <f>67</f> <f>13</f> <x>Ads by AdMob</x> <fs>9.5</fs> <fc>0</fc> </v> </markup> <d>320</d> <d>48</d> <ac> <a>android.intent.action.VIEW</a> <d>http://mobi.everest.ca/?dmredirect=ISAB1212&utm_source=admob&utm_medium=CPC&utm_term=Port%20207767&utm_content=android&utm_campaign=everest_canada_admob</d> <f>0</f> </ac> <>/p/i/2d/14/2d149231207f5404a5b0d83206a2f329-i.png</> <>url</> </json>
76 75.332276 192.168.1.102 188.8.131.52 HTTP GET /firstname.lastname@example.org HTTP/1.1 81 75.531283 192.168.1.102 184.108.40.206 HTTP GET /p/i/2d/14/2d149231207f5404a5b0d83206a2f329-i.png HTTP/1.1
"WebKit is an open source web browser engine."  It is a framework that manages content and presents it on the display of a device. This gives the app developer control over how content is displayed on a specific platform, instead of placing the onus on the web designer to create platform specific content.
The Android API for WebKit can be found here: .
Browsing through the API, you will find the web content display is controlled by the WebView class . Various settings configurable for WebView instances can be controlled through functions provided by the WebSettings class . For example:
- public void setAllowFileAccess (boolean allow) - public void setAllowFileAccess (boolean allow)
Just picked this up from slashdot, trojan horse on android! 
InMobi  claims to be the worlds largest independent ad network, providing solutions for advertisers, producers.
They target the major of platforms, including Android and iPhone
Generally speaking, their ads can take a diverse set forms:
Full screen Expandable Scrolling Touch to enlarge Rotating Video
Banners Text characters
Click to landing page Click to download Click to play video Click to call Click to lead Click to text
Ad Publishers– InMobi supplies PHP-CURL, JSP, .NET, RUBY, PERL and ASP code snippets for acquiring ads. Pasting the basic code into a site creates a space for a single ad. In addition, an advanced code library is available for running multiple ads on a page, and/or for specifying parameters such as demographics, language and location.
Ad Publishers – InMobi provides filtering mechanisms to facilitate the filtering of ad types and/or sources.
Application developers – InMobi supplies SDKs for Android and iPhone applications developers.
Further investigation is require in order to understand the specifics of ad development and their integration into web pages and mobile applications. Only superficial details are provided on the InMobi page.
iOS advertisement services
This is what I could find so far, please feel free to correct any mistakes - Ben
iAd  is an Apple created web advertisement framework integrated to iOS starting with iOS 4. To embed iAds into an iPhone/iPad app, the programmer can use the Xcode IDE  to add "Ad Banners" into their apps. Some tutorials of adding banners can be found in the following links:
Google AdWords on the iPhone/iPod/iPad is the same service as found on PCs save for minor customizations. These customziations include targetting ads for the platform  in addition to key words, and ensuring results fit on the display  of the mobile device.
The rearranging of the ad can be attributed to at least the user-agent (UA) in a web request. This can be tested with changing the user-agent in the browser of a PC and performing searches on Google. Instructions on changing the UA for Mozilla Firefox can be found at: http://johnbokma.com/mexit/2004/04/24/changinguseragent.html and iPhone UAs can be found at: http://www.mattcutts.com/blog/iphone-user-agent/
See the AdWords description in the Android section above for a more detailed description.
Hey guys, this short article from the BBC is of a general interest nature. However, it does demonstrate the importance of early detection of strange behaviour on smartphones.