Intrusion Detection: Winter 2011 (COMP 5900X)

From Soma-notes
Jump to: navigation, search

Readings

Note that many PDF links are via the Carleton University Library's proxy; to access these you need your Carleton ID number and library PIN. However, if you have trouble accessing them, try doing a search on the authors and titles; the same PDFs are generally also available from other websites. You may also want to look at the papers from my last run of this class.

January 25, 2011

January 27, 2011

January 31, 2011

February 2, 2011

Note: class today will end at 9:40 (15 minutes early).

February 7, 2011

February 14, 2011

March 7, 2011

  • Warrender et al. (1999), Detecting Intrusions Using System Calls: Alternative Data Models
  • Axelsson (2000), The Base-Rate Fallacy and the Difficulty of Intrusion Detection
  • Lippmann et al. (2000), Evaluating Intrusion Detection Systems: The 1998 DARPA Off-line Intrusion Detection Evaluation
  • Sekar et al. (2001), A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors
  • Mahoney & Chan (2003), An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection
  • Kruegel et al. (2005), A multi-model approach to the detection of web-based attacks
  • Wang et al. (2006), Anagram: A Content Anomaly Detector Resistant To Mimicry Attack
  • Kirda et al. (2006), Behavior-based Spyware Detection
  • Ingham et al. (2007), Learning DFA representations of HTTP for protecting web applications

March 14, 2011

Research

CSET2011 IDS Paper HOWTO

Android advertisement services

Google Adwords

AdSense: - Advertising program that's used by publishers - Contexual Advertising (to surrouding context)

AdWords: - an ad brokerage system - a pay-per-click advertizing program used by Advertisers - Advertisers create short, text based ads that are very closely relatated to chosen keywords and then allow those ads to be shown on other people's web sites that feature the chosen keyword.

Instead of the traditional model of displaying ads on manually chosen sites, AdWords displays the ads according to the content of the hosting web page (“travel,” “new york giants,” “perfume”), and advertisers pay the host each time a user clicks on an ad. Google makes money from the system both by hosting ads on its own search and other sites and by collecting a commission for all ads hosted on other sites.

AdWords consists of 3 main parts: the ranking part that drives its search and ad lists, the terming part that drives its association of ads with content, and the valuing part that drives its valuation of ads.

AdWords technically refers to only one of several sub-systems (the one that attaches the smartertravel.com ad to the word “smart travel”) that constitute the larger AdWords system, along with Google's search and AdWords ad ranking systems and the AdWords pay-per-click / ad auction payment system.

Publishers get paid by:

- Unique visits
- Click-through-rate
- Avergage cost-per-click

A code snippet provided by Google and embedded in the publishers page grabs the Ads off Google's Ad server. A third party Ad server can be used through AdSense.[http://www.google.com/adsense/support/bin/answer.py?hl=en&answer=94145 ]

"How will Google prevent malware from third-party ads?

Google is actively working with trusted advertisers and partners to reduce the risk of malware. We specifically forbid fourth-party calls or sub-syndication to advertisers or vendors we haven't certified.

Also, all third-party ads are checked for malware when they're initially entered into our system. Google also employs an automated malware checker that continuously scans all third-party creatives running through the network. Any ad with malware will be automatically pulled from the network to protect our partner websites and their users."


Maleware exploits (Google recommended) [1]

Google online security blog [2]

The Ghost In The Browser, Analysis of web-based Malware.[3]

BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation.[4]

Effective and Efficient Malware Detection at the End Host.[5]

Malware Characterization through Alert Pattern Discovery.[6]

A View on Current Malware Behaviors.[7]

Automatic Generation of Remediation Procedures for Malware Infections.[8]


Very good paper with a wealth of technical infromation on how AdWords works: Google AdWords as a Network of Grey Surveillance [9]

Google Display Network [10]

AdSense for mobile content [11]



Admob



"AdMob is a mobile advertising company founded by Omar Hamoui. It was incorporated in 2006 and is based in San Mateo, California. In November 2009 it was acquired by Google for $750 million. The acquisition was completed on May 27, 2010. Apple Inc. had also expressed interest in purchasing the company the same year, but they were out-bid by Google, and have since introduced their own iAd advertising platform.[6] Prior to being acquired by Google, AdMob acquired the company AdWhirl, formerly Adrollo, which is a platform for developing advertisements in iPhone applications. AdMob offers advertising solutions for many mobile platforms, including Android, iOS, webOS, Flash Lite, and all standard mobile web browsers.

AdMob is one of the world's largest mobile advertising platforms and claims to serve more than 40 billion mobile banner and text ads per month across mobile Web sites and handset applications" - [12]


How to publish an ad for mobile application developers



- Create an account on AdMob.
- Choose your platform from the list of supported platforms, we will select Android. A screen shot from Admob.com of the list of supported platforms:
             Platforms.jpg
- After going through some settings screens , you will be given a publisher ID (for example: a14234a2430bff2).
- Make sure that Test mode is enabled. This allows testing ads in a test environment.
- You will be asked to download a publisher's code file.
- The Android SDK documentation can be found here: [13]
- Add the jar file to build path of the Android project
- Make sure that the application has Internet access permission by modifying the manifest file.
- Add Admob activity tags in the application's manifest file.


Supported API Actions when clicking on an in-application Ad:

- url - (Default) Click-to-Browser for promoting websites
- app - Click-to-Market for promoting Android applications
- canvas - Click-to-Canvas which is a notice that appears over current screen
- call - Click-to-Phone Call
- map - Click-to-Google Map
- video - Click-to-YouTube 

Notes on the decompiled .jar file (information below might now be very accurate):

- http://r.admob.com/ad_source.php is used to get Ad using an HTTP post
- References to JSON object in AdWebView, but not 100% sure if they're used in the AdView view
- Time Delta enforced between refreshes. You can not get a new Ad before a certain number of seconds.


Wikipage for Admob developers[14]


For request/response structures: http://developer.admob.com/wiki/Requests


FROM: 69.31.97.185 POST /ad_source.php HTTP/1.1\r\n user-agent : Mozilla/5.0 (Linux; U; Android 2.1-update1; en-us; sdk Build/ECLAIR) AppleWebKit/525.10+ (KHTML, like Gecko) Version/3.0.4 Mobile Safari/523.12.2 (AdMob-ANDROID-20101109) content-type: application/x-www-form-urlencoded HOST: r.admob.com


READ AD REQUEST ------------------------------------

z=1296836916.457 ad_type=bar rt=0 s=a14d34a2470bff5 l=en f=jsonp client_sdk=1 ex=1 v=20101109-ANDROID-3312276cc1406347 so=p screen_width=320 d%5Bcoord_timestamp%5D=1296836916 density=1.0 ic=m%2Ca audio=3 stats%5Breqs%5D=66 stats%5Btime%5D=1463

1] format : Values: html, html_no_js (for publishers who do not want javascript ads returned, not recommended because iPhone and Android ads will not be displayed)

JSONP (JavaScript Object Notation with padding) is JSON wrapped in a javascript call


02-04 09:32:33.358: INFO/AdMobSDK(661): Ad returned (1880 ms): Train for a New Career ------> 2


2] X-AdMob-AdSrc: mxr121.dl2.admob.int\r\n Content-Type:text/javascript; charset=utf-8 X-AdMob-Android-Category-Icon: http://mm.admob.com/static/android/tiles/default.png\r\n Server:Jetty(6.1.22) Line-based text data: text/javascript



REAL AD RESPONSE -----------------------------------

<json> <text>Train at Everest College</text> <url>http://c.admob.com/c1/3/EkQQEAsb-REkQ9pA7rB2S4D4C29370C7B50005b8aab9ac9267add8</url> <image_url>http://c.admob.com/i1/3/EkQQEAsb-REkQ9pA7rB2S4D4C29370C7B50005b8aab9ac9267add8</image_url> <jsonp_url>http://c.admob.com/j1/3/EkQQEAsb-REkQ9pA7rB2S4D4C29370C7B50005b8aab9ac9267add8</jsonp_url> <markup> <> <>t</> <> <t>i</t> http://mmv.admob.com/p/i/2d/14/2d149231207f5404a5b0d83206a2f329-i.png </> <a> <t>i</t> http://mmv.admob.com/static/android/img/url@2x.png </a> </> <v> <t>bg</t> <ia>0.5</ia> <epy>0.4375</epy> <f>0</f> <f>0</f> <f>320</f> <f>48</f> </v> <v> <t>i</t> <>t</> <f>5</f> <f>5</f> <f>38</f> <f>38</f> true <cav>false</cav> </v> <v> <t>i</t> <>a</> <f>283</f> <f>9</f> <f>30</f> <f>30</f> false <cav>true</cav> </v> <v> <t>l</t> <f>48</f> <f>9</f> <f>226</f> <f>15</f> <x>Train at Everest College</x> <fa>b</fa> <fs>13</fs> <fc>0</fc> <afstfw>true</afstfw> <mfs>5</mfs> </v> <v> <t>l</t> <f>211</f> <f>27</f> <f>67</f> <f>13</f> <x>Ads by AdMob</x> <fs>9.5</fs> <fc>0</fc> </v> </markup> <d>320</d> <d>48</d> <ac> <a>android.intent.action.VIEW</a> <d>http://mobi.everest.ca/?dmredirect=ISAB1212&utm_source=admob&utm_medium=CPC&utm_term=Port%20207767&utm_content=android&utm_campaign=everest_canada_admob</d> <f>0</f> </ac> <>/p/i/2d/14/2d149231207f5404a5b0d83206a2f329-i.png</> <>url</> </json>


76 75.332276 192.168.1.102 66.185.85.155 HTTP GET /static/android/img/url@2x.png HTTP/1.1 81 75.531283 192.168.1.102 66.185.85.155 HTTP GET /p/i/2d/14/2d149231207f5404a5b0d83206a2f329-i.png HTTP/1.1



Ps2.jpg

WebKit

"WebKit is an open source web browser engine." [15] It is a framework that manages content and presents it on the display of a device. This gives the app developer control over how content is displayed on a specific platform, instead of placing the onus on the web designer to create platform specific content.

The Android API for WebKit can be found here: [16].

Browsing through the API, you will find the web content display is controlled by the WebView class [17]. Various settings configurable for WebView instances can be controlled through functions provided by the WebSettings class [18]. For example:

 - public void setAllowFileAccess (boolean allow)
 - public void setAllowFileAccess (boolean allow)


Recent Exploits

Just picked this up from slashdot, trojan horse on android! [19]



inMobi

InMobi [20] claims to be the worlds largest independent ad network, providing solutions for advertisers, producers.

They target the major of platforms, including Android and iPhone

Generally speaking, their ads can take a diverse set forms:

     Full screen
     Expandable
     Scrolling 
     Touch to enlarge
     Rotating
     Video
     Banners
     Text characters
     Click to landing page
     Click to download
     Click to play video
     Click to call
     Click to lead 
     Click to text

Ad Publishers– InMobi supplies PHP-CURL, JSP, .NET, RUBY, PERL and ASP code snippets for acquiring ads. Pasting the basic code into a site creates a space for a single ad. In addition, an advanced code library is available for running multiple ads on a page, and/or for specifying parameters such as demographics, language and location.

Ad Publishers – InMobi provides filtering mechanisms to facilitate the filtering of ad types and/or sources.

Application developers – InMobi supplies SDKs for Android and iPhone applications developers.

Further investigation is require in order to understand the specifics of ad development and their integration into web pages and mobile applications. Only superficial details are provided on the InMobi page.

iOS advertisement services

iAds

This is what I could find so far, please feel free to correct any mistakes - Ben

iAd [21] is an Apple created web advertisement framework integrated to iOS starting with iOS 4. To embed iAds into an iPhone/iPad app, the programmer can use the Xcode IDE [22] to add "Ad Banners" into their apps. Some tutorials of adding banners can be found in the following links:

  • http://bees4honey.com/blog/tutorial/how-to-add-iad-banner-in-iphoneipad-app/
  • http://www.raywenderlich.com/1371/how-to-integrate-iad-into-your-iphone-app

    iAds are created using web technologies, such as HTML5, CSS, JavaScript, using a tool called iAdProducer [23]. To have advertisements served, the ad creator must join the iAd Network [24], and submit their ad(s) for review. [25] The distribution and selection of ads is done by the Apple iAd network, and does not currently support "house ads" (ads where ad author = app developer), but will allow the app developer to "exclude ads from competitors or other unwanted advertisers based on specific keywords, URLs, and application Apple IDs" [26]

    Google Adwords

    Google AdWords on the iPhone/iPod/iPad is the same service as found on PCs save for minor customizations. These customziations include targetting ads for the platform [27] in addition to key words, and ensuring results fit on the display [28] of the mobile device.

    The rearranging of the ad can be attributed to at least the user-agent (UA) in a web request. This can be tested with changing the user-agent in the browser of a PC and performing searches on Google. Instructions on changing the UA for Mozilla Firefox can be found at: http://johnbokma.com/mexit/2004/04/24/changinguseragent.html and iPhone UAs can be found at: http://www.mattcutts.com/blog/iphone-user-agent/

    See the AdWords description in the Android section above for a more detailed description.

    inMobi

    General Interest

    Hey guys, this short article from the BBC is of a general interest nature. However, it does demonstrate the importance of early detection of strange behaviour on smartphones.

    http://www.bbc.co.uk/news/technology-12238367