
A Framework for Reducing Web Server Attacks

Updated on Thu, 01/21/2010 - 5:04pm
This research is supervised by Gary Warner, the Director of Research in Computer Forensics at the University of Alabama at Birmingham. Our research is driven by the need for better tools for reducing and tracking cybercriminal activity. Cybercrime is reaching record highs each year. Cybercriminals break into systems with ease to steal confidential information, host phishing or defacement web sites, and distribute malware. These techniques are made possible by vulnerable systems. Since web servers are commonly involved in the cybercrimes mentioned above, my research goal is to protect web servers from being compromised by large-scale distributed attacks. The framework is based on a sensor network that detects the attack patterns currently prominent in traffic. From the patterns that define an attack, the framework generates system-specific signatures and distributes them to the web servers connected to the framework to mitigate the attack. The system will not require installing additional software such as Snort, because the signatures are not typical IDS signatures but web server rules (e.g., Apache mod_rewrite or IIS URLRewrite rules).
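As an added illustration of the signature step described above (example code, not the UAB project's own), this Python sketch takes constructed log lines from two honeypot sensors, keeps the request paths seen on several sensors, and emits the matching Apache mod_rewrite rules; the sensor thresholds and the 403 Forbidden response are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed Apache combined-format log lines standing in for what two honeypot
# sensors would report; none of this is real captured traffic.
SENSOR_LOGS = {
    "sensor-a": [
        '203.0.113.5 - - [21/Jan/2010:16:55:01 -0600] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 213 "-" "-"',
        '203.0.113.5 - - [21/Jan/2010:16:55:02 -0600] "GET /pma/scripts/setup.php HTTP/1.1" 404 209 "-" "-"',
        '203.0.113.9 - - [21/Jan/2010:16:57:30 -0600] "GET /pma/scripts/setup.php?x=1 HTTP/1.1" 404 209 "-" "-"',
        '198.51.100.7 - - [21/Jan/2010:16:58:40 -0600] "GET /robots.txt HTTP/1.1" 200 68 "-" "-"',
    ],
    "sensor-b": [
        '192.0.2.44 - - [21/Jan/2010:17:01:13 -0600] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 213 "-" "-"',
        '192.0.2.44 - - [21/Jan/2010:17:01:14 -0600] "POST /phpmyadmin/scripts/setup.php HTTP/1.1" 404 213 "-" "-"',
        '192.0.2.44 - - [21/Jan/2010:17:01:15 -0600] "GET /pma/scripts/setup.php HTTP/1.1" 404 209 "-" "-"',
    ],
}

# Pull the request line apart; the query string is dropped so rules key on the path alone.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>[^\s?]+)\S* HTTP/[\d.]+" (?P<status>\d{3})')

def requested_paths(lines):
    """Yield the request path of every parsable log line."""
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            yield m.group("path")

def prominent_patterns(sensor_logs, min_sensors=2, min_hits=3):
    """Paths seen on >= min_sensors sensors and >= min_hits times; several sensors filters one-off noise."""
    hits, sensors = Counter(), defaultdict(set)
    for sensor, lines in sensor_logs.items():
        for path in requested_paths(lines):
            hits[path] += 1
            sensors[path].add(sensor)
    return sorted(p for p, n in hits.items() if n >= min_hits and len(sensors[p]) >= min_sensors)

def mod_rewrite_rules(paths):
    """Emit one Apache mod_rewrite rule per pattern, answering 403 Forbidden (assumed response).
    re.escape makes metacharacters such as '.' match literally; [NC] ignores case."""
    out = ["RewriteEngine On"]
    for path in paths:
        out.append(f"RewriteCond %{{REQUEST_URI}} ^{re.escape(path)}$ [NC]")
        out.append("RewriteRule ^ - [F,L]")
    return "\n".join(out)

if __name__ == "__main__":
    print(mod_rewrite_rules(prominent_patterns(SENSOR_LOGS)))
```

The emitted block drops into an Apache virtual host or .htaccess with mod_rewrite enabled; each RewriteCond applies only to the RewriteRule immediately after it.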

This research needs support from the public and private sectors. The greatest need is space to host honeypots and web servers; these systems will be configured so that no malicious activity can be sent from them. Another essential component, in the future, is production web servers attached to the system. These web servers will help validate the framework and give a new perspective on potentially targeted attacks (e.g., against web sites that are older than 3 years). In return, contributors receive additional security for the web servers they provide and help further the security community's ability to reduce cybercrime. The patterns detected may also be shared with your IT department to help them generate signatures for the latest emerging threats.

Other Helpful Contributions and Ideas:
  • Web Log Analysis - Analysis of real-world logs can provide knowledge of new exploits for vulnerable applications. Providing logs of attacks for examination will help in finding attack patterns. These patterns are one of the key components in reducing the number of web servers that are compromised.
  • Malicious Traffic - One of my goals is to start a blog of malicious web traffic. Posting malicious traffic will give webmasters another resource for analyzing their own logs. It will also let security professionals share their own knowledge of the malicious traffic, such as which files were installed after the attack, what happened after the attacker compromised the system, and how to make sure every trace of the attack is removed.
  • Large-Scale Exploits and Attack Tools - The goal is to learn as much as possible about hacker tools and the malicious traffic they generate. The traffic collected through the logs and blog may help to discover the latest and greatest attack tools. Once a tool is found, signatures can be generated to stop its attacks from exploiting potentially vulnerable applications.
Brad Wardman
PhD Candidate at UAB
bwardman@uab.edu

