Over the years the Internet has become a necessary tool for businesses and for daily life rather than a luxury. Email, social networking, online shopping and banking are among the services that rely on it to operate. As its popularity has grown, so has the volume of viruses and spyware circulating on the web. Many network specialists respond to the threat posed by malicious programs by installing antivirus software and deploying proxy firewalls at the boundary of private networks. A proxy firewall has two main functions: lowering the risk of computers being infected by malicious programs, and defining and enforcing security policies. However, tools have been developed that bypass the restrictions of many proxy firewalls, granting internal users unrestricted access contrary to their organisation's security policy. Herein lies the fundamental problem investigated in this thesis: how to detect traffic relayed through CGI proxies on a private network, and so prevent the bypassing of security policies.

This Master's thesis covers the design and evaluation of a detection model for CGI proxy traffic. The model is built from four non-payload properties of IP packets: the size of the embedded objects of a web page, the inter-arrival time of inbound packets, the average size of TCP packets, and the number of TCP flows generated by a browsing session. Because none of these properties depends on packet content, they remain observable when the proxied pages are carried over HTTPS and the payload itself cannot be inspected.

The detection system is first tested on a virtual network in order to evaluate the correctness of the model. The virtual network reproduces the bypassing scenario with four parties: a proxy firewall, a blocked web server, a CGI proxy and the client. An initial test accesses the web pages stored on the blocked server directly in order to create network traffic profiles. Two subsequent accesses are then made to each web page through the CGI proxy, one over HTTP and one over HTTPS, to find the correlation between direct access and HTTP and HTTPS bypassing accesses.

After the correctness of the model has been established on the virtual network, bypassing experiments are conducted on a physical network to evaluate the effectiveness of the model in a more realistic setting. Because no real users were available, the dataset used for these experiments was artificially generated.
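As an added illustration (this is not code from the thesis), the following Python extracts the four non-payload properties named above from a packet trace of one browsing session. The trace, the client/server addresses and the port numbers are constructed here; the approximation of "embedded object size" as the inbound TCP payload bytes of each flow is an assumption of this example, and the thesis's own correlation and detection rule is not on this page and is not implemented.

```python
"""Compute the four non-payload features named in the abstract from a
packet trace. Added illustration; not code from the thesis. The trace,
addresses and the per-flow approximation of object size are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

CLIENT = "10.0.0.5"        # constructed: internal client behind the proxy firewall
BLOCKED = "203.0.113.10"   # constructed: web server blocked by the firewall policy
PROXY = "198.51.100.20"    # constructed: CGI proxy the firewall still allows


@dataclass(frozen=True)
class Packet:
    ts: float     # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    payload: int  # TCP payload bytes (0 for handshake / pure ACK)
    length: int   # IP packet length on the wire


def flow_key(p, client):
    """Canonical client-first 4-tuple so both directions map to one TCP flow."""
    if p.src == client:
        return (p.src, p.sport, p.dst, p.dport)
    return (p.dst, p.dport, p.src, p.sport)


def session_features(packets, client=CLIENT):
    """Return the four properties for one browsing session (list of Packet)."""
    packets = sorted(packets, key=lambda p: p.ts)
    inbound_bytes = defaultdict(int)   # per flow: server->client payload bytes
    inbound_ts = []                    # arrival times of inbound packets
    for p in packets:
        key = flow_key(p, client)
        inbound_bytes[key] += 0        # register the flow even if outbound-only
        if p.dst == client:
            inbound_bytes[key] += p.payload
            inbound_ts.append(p.ts)
    gaps = [b - a for a, b in zip(inbound_ts, inbound_ts[1:])]
    return {
        # assumption: one embedded object per TCP flow, sized by inbound payload
        "object_sizes": sorted(inbound_bytes.values()),
        "mean_inbound_inter_arrival": mean(gaps) if gaps else 0.0,
        "avg_packet_size": mean(p.length for p in packets) if packets else 0.0,
        "tcp_flows": len(inbound_bytes),
    }


def build_session(start, server, port, object_sizes, client=CLIENT,
                  first_port=50000, rtt=0.02, seg_gap=0.001, mss=1460):
    """Constructed trace: one TCP flow per object (handshake, GET, response)."""
    pkts = []
    for i, size in enumerate(object_sizes):
        t, sport = start + i * 0.1, first_port + i
        pkts.append(Packet(t, client, sport, server, port, 0, 60))            # SYN
        pkts.append(Packet(t + rtt / 2, server, port, client, sport, 0, 60))  # SYN/ACK
        pkts.append(Packet(t + rtt, client, sport, server, port, 0, 52))      # ACK
        pkts.append(Packet(t + rtt, client, sport, server, port, 300, 352))   # request
        left, j = size, 0
        while left > 0:                                                       # response
            seg = min(mss, left)
            pkts.append(Packet(t + 1.5 * rtt + j * seg_gap, server, port,
                               client, sport, seg, seg + 40))
            left, j = left - seg, j + 1
    return pkts


def direct_session():
    """Direct HTTP access to the blocked server: a page and one embedded object."""
    return build_session(0.0, BLOCKED, 80, [1000, 3000])


def bypass_session():
    """The same objects fetched through the CGI proxy over HTTPS: the payload is
    opaque, but all four non-payload properties are still observable."""
    return build_session(0.0, PROXY, 443, [1000, 3000])


if __name__ == "__main__":
    print("direct :", session_features(direct_session()))
    print("bypass :", session_features(bypass_session()))
```

The extractor only needs timestamps, addresses, ports and sizes, which is exactly what remains available to a firewall once the proxied content is wrapped in TLS; building a per-page profile from direct accesses and comparing later sessions against it is the step the thesis evaluates, and any threshold or correlation rule would have to come from the thesis itself.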
Date of Award: 2011
Original language: English
- computer security
- computer networks
- firewalls (computer security)
- CGI (computer network protocol)
Detection of bypassing traffic
Idjalahoue, E. (Author). 2011
Western Sydney University thesis: Master's thesis