Security of web servers and web applications
The widespread deployment of web services makes them a favourite target for cyber-criminals. The complexity of web applications and the lack of security training of web developers expose web services to a wide range of remote attacks. Internet miscreants may submit malicious, unexpected inputs towards web services to gain their control, obtain confidential information, or infect web visitors in a matter of seconds.
Due to the ad-hoc nature of web services, i.e., different services may have different inputs and behaviour, defining good rules on web application firewalls is an error-prone activity which often requires a non-negligible human effort. The key point is that "safe'' firewall rules should be customized according to expected inputs and behaviour of a certain web service.
The PRA Lab developed SuStorID, an intrusion detection system that is able to provide for an advanced, automatic protection of web services. Given a sample of web traffic towards web services, our system automatically learns the profile of legitimate (normal) inputs. Then, SuStorID, by means of high-level rules called anomaly templates, can provide for real-time counteractions against suspicious (anomalous) input traffic, due to either known or unknown attacks against web services. SuStorID is released under open-source licence and can be freely dowloaded.
Security of web users
Today, Fast Flux Service Networks constitute a major threat for Internet users. Fast Flux is a sophisticated technique that associates a public domain name to a set of malware-infected hosts (flux agents) that changes rapidly, potentially at every DNS query. Each flux agent typically acts as an intermediary (proxy) between victim user and the actual source of malicious content, also known as mothership. Cyber-criminal organizations routinely employ the fast flux archi- tecture to diffuse malware and support any kind of scam, such as phishing, malicious adult websites, gaming and pharmacy scams.
Since a single malicious domain name may resolve to thousand of hosts scattered around the world, remediating each flux agent is prac- tically infeasible. Blocking inbound connections to each flux agent is very hard as well, since it would require the real-time detection of flux networks and the collaboration of different ISPs on a worldwide scale. Similarly, taking down fast flux domain names is difficult, as it would require the cooperation with domain name registrars world-wide and hundreds of new fast flux domain names are registered ona a daily basis.
PRA Lab and GeorgiaTech developed Flux Buster, a machine-learning tool which detects flux networks without interacting with them (stealthily) and regardless the way flux domains are advertised. Billions of DNS replies are analyzed, and hundreds of never-before-seen flux agents are detected each day. Flux Buster is able to significantly improve the protection of Internet users, with respect to the most important state-of-the-art mechanisms, such as google safebrowsing, dnsbl.abuse.ch and malwaredomains.com.