Chapter 14: Virus and Content Filtering

Upload: duongkhanh
Posted on 13-Feb-2017

Page 1: Chapter 14: Virus and Content Filtering

Chapter 15: Virus and Content Filtering

Guide to Computer Network Security

Page 2: Chapter 14: Virus and Content Filtering

Kizza - Guide to Computer Network Security

Content filtering is a process of removing unwanted, objectionable, and harmful content before it enters the user network or the user PC. The filtering process can be located in several places, including on a user's PC, on a server within an organization, as a service provided by an ISP, or by means of a third-party site which provides the basis of a closed community.

Page 3: Chapter 14: Virus and Content Filtering

Scanning, Filtering and Blocking

Scanning is a systematic process of sweeping through a collection of data looking for a specific pattern. In a network environment, the scanning process may involve a program that sweeps through thousands of IP addresses looking for a particular IP address string, a string that represents a vulnerability, or a string that represents a vulnerable port number.

Filtering is a process of using a computer program to stop an Internet browser on a computer from being able to load certain web pages based upon predetermined criteria like IP addresses.

Blocking is a process of preventing certain types of information from being viewed on a computer's screen or stored on a computer's disk.

Page 4: Chapter 14: Virus and Content Filtering

Content Scanning
– Scanning is very important in content filtering.
– There are two forms of scanning: pattern-based and heuristic scanning.

14.2.1.1 Pattern-based scanning
In pattern-based scanning all content coming into or leaving the network, an ISP gateway, or a user PC is scanned and checked against a list of patterns, or definitions, supplied and kept up to date by the vendor. The technique involves simply comparing the contents, which can be done in several ways. Nearly all anti-virus software packages work this way. This approach can, however, be slow and resource-intensive.

14.2.1.2 Heuristic scanning
Heuristic scanning is done by looking at a section of code and determining what it is doing, then deciding whether the behavior exhibited by the code is unwanted, harmful (for example viral) or otherwise malicious. This approach to scanning is complex because it involves modeling the behavior of code and comparing that abstract model to a rule set.
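The two forms of scanning described above, as an added example that is not part of the book or these slides. The signature list, the rule set, the threshold and the macro-like function names (on_document_open, write_file, copy_self, decode_base64) are all constructed for the demonstration; the point it shows is that a pattern scanner only recognises definitions it already has, while the heuristic scanner scores behaviour and can flag a sample with no known signature (at the price of possible false positives).

```python
import re
from dataclasses import dataclass

# Constructed "definition file": a name and the exact bytes that must appear.
# These strings are made up for the demonstration, not real malware signatures.
SIGNATURES = {
    "DemoSig.A": b"EXAMPLE-SIGNATURE-ALPHA",
    "DemoSig.B": b"EXAMPLE-SIGNATURE-BRAVO",
}


def pattern_scan(content, signatures=SIGNATURES):
    """Pattern-based scanning: report every definition that occurs verbatim in the content.
    Exact and easy to reason about, but it only recognises what is already on the list."""
    return [name for name, pattern in signatures.items() if pattern in content]


@dataclass(frozen=True)
class Rule:
    name: str            # behaviour the rule models
    pattern: re.Pattern  # how that behaviour shows up in the hypothetical script language
    weight: int          # contribution to the suspicion score


# Constructed heuristic rule set for a hypothetical macro language used only here.
HEURISTIC_RULES = [
    Rule("runs automatically when the document opens", re.compile(r"\bon_document_open\b"), 2),
    Rule("writes an executable file", re.compile(r"\bwrite_file\([^)]*\.exe"), 3),
    Rule("copies its own code elsewhere", re.compile(r"\bcopy_self\("), 4),
    Rule("decodes an obfuscated blob", re.compile(r"\bdecode_base64\("), 1),
]
THRESHOLD = 5  # constructed cut-off; raising it trades fewer false positives for more misses


def heuristic_scan(script, rules=HEURISTIC_RULES, threshold=THRESHOLD):
    """Heuristic scanning: match the script against behaviour rules and sum the weights.
    Returns (score, names of matched rules, flagged)."""
    matched = [r for r in rules if r.pattern.search(script)]
    score = sum(r.weight for r in matched)
    return score, [r.name for r in matched], score >= threshold


def scan(content):
    """Run both scanners on raw bytes. A signature hit is definitive; otherwise the
    heuristic score decides between 'suspicious' and 'clean'."""
    signatures = pattern_scan(content)
    score, reasons, flagged = heuristic_scan(content.decode("utf-8", errors="replace"))
    verdict = "malicious" if signatures else ("suspicious" if flagged else "clean")
    return {"signatures": signatures, "heuristic_score": score, "reasons": reasons, "verdict": verdict}


# Constructed samples: one benign macro, one with suspicious behaviour but no known
# signature, and one containing a listed signature.
CLEAN_SCRIPT = b"on_document_open(): set_header('Quarterly report'); save()"
SUSPICIOUS_SCRIPT = b"on_document_open(): write_file('update.exe', decode_base64(blob)); copy_self('startup')"
KNOWN_SAMPLE = b"plain text ... EXAMPLE-SIGNATURE-BRAVO ... plain text"

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_SCRIPT), ("suspicious", SUSPICIOUS_SCRIPT), ("known", KNOWN_SAMPLE)]:
        print(label, scan(sample))
```

The benign macro also matches the auto-run rule, which is why a single rule is weighted below the threshold: the heuristic verdict comes from the combination of behaviours, not from any one of them.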

Page 5: Chapter 14: Virus and Content Filtering

Inclusion Filtering
– Inclusion filtering is based on the existence of an inclusion list.
– The inclusion list is a permitted access list – a "white list" probably vetted and compiled by a third party. Anything on this list is allowable.
– The list could be a list of URLs of allowable web sites, for example; it could be a list of allowable words, or it could be a list of allowable packet signatures for allowable packets.

Page 6: Chapter 14: Virus and Content Filtering

– The inclusion list approach has problems:
  The difficulty of coming up with a globally accepted set of criteria. This is a direct result of the nature of the Internet as a mosaic of a multitude of differing cultures, religions, and political affiliations. In this case it is almost impossible to come up with a truly accepted global set of moral guidelines.
  The size of the inclusion list. As more and more acceptable items become available and qualify to be added to the list, there is a potential for the list to grow out of control.
  The difficulty of finding a central authority to manage the list. In fact, this is one of the most difficult aspects of the inclusion list approach to content filtering.

Page 7: Chapter 14: Virus and Content Filtering

Exclusion Filtering
– Another approach to content filtering is the use of an exclusion list. This is the opposite of the inclusion list process discussed above. An exclusion list is actually a "black list" of all unwanted, objectionable, and harmful content. The list may contain URLs of sites, words, signatures of packets, and patterns of words and phrases. This is a more common form of filtering than inclusion filtering because it deals with manageable lists. Also, it does not presume that everything is bad until proven otherwise.
– However, it suffers from a list that may lack constant updates and a list that is not comprehensive enough. In fact, we see these weaknesses in the virus area. No one will ever have a fully exhaustive list of all known virus signatures, and anti-virus companies are constantly updating their master lists of virus signatures.
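The inclusion and exclusion regimes from the two preceding sections, side by side, as an added example that is not from the book or the slides. The white list, black list and sample URLs are constructed (all in reserved example domains); the class name HostListFilter and its methods are this example's own. What it shows is the decision each regime makes for a site that is on neither list: the white list denies it by default, the black list lets it through, which is exactly the "not comprehensive enough" weakness the slide describes.

```python
from urllib.parse import urlparse

# Constructed lists for the demonstration (not a real vendor list).
WHITE_LIST = ["example.edu", "docs.example.org"]
BLACK_LIST = ["bad.example", "tracker.example"]


def host_of(url):
    """Lower-cased host of a URL; an unparseable URL yields '' and therefore never matches a list."""
    return (urlparse(url).hostname or "").lower()


def host_matches(host, entry):
    """True when host is the listed name itself or a subdomain of it.
    The leading dot matters: 'notbad.example' must not match the entry 'bad.example'."""
    return host == entry or host.endswith("." + entry)


class HostListFilter:
    """Inclusion mode: allow only listed hosts. Exclusion mode: block only listed hosts."""

    def __init__(self, mode, entries):
        if mode not in ("inclusion", "exclusion"):
            raise ValueError("mode must be 'inclusion' or 'exclusion'")
        self.mode = mode
        self.entries = {e.lower() for e in entries}

    def listed(self, url):
        host = host_of(url)
        return any(host_matches(host, e) for e in self.entries)

    def allows(self, url):
        if self.mode == "inclusion":
            return self.listed(url)      # default deny: an unknown site is blocked
        return not self.listed(url)      # default allow: an unknown site passes, harmful or not


INCLUSION = HostListFilter("inclusion", WHITE_LIST)
EXCLUSION = HostListFilter("exclusion", BLACK_LIST)


def compare(urls):
    """Decisions of both regimes for the same requests, keyed by URL."""
    return {u: {"inclusion": INCLUSION.allows(u), "exclusion": EXCLUSION.allows(u)} for u in urls}


if __name__ == "__main__":
    # Constructed requests: a listed-good site, a listed-bad subdomain, a look-alike
    # name, and a site that appears on neither list.
    samples = [
        "https://docs.example.org/page",
        "http://cdn.bad.example/file",
        "http://notbad.example/",
        "https://new-site.example/",
    ]
    for url, d in compare(samples).items():
        print(f"{url:35} white list: {'allow' if d['inclusion'] else 'deny ':5}  "
              f"black list: {'allow' if d['exclusion'] else 'deny'}")
```

Matching on the host with a dot-anchored suffix is deliberate: comparing whole URLs would let a trivially different path slip past either list, while a plain substring test would wrongly catch "notbad.example" for the entry "bad.example".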

Page 8: Chapter 14: Virus and Content Filtering

Other Types of Content Filtering
– URL Filtering
  With this approach, content into or out of a network is filtered based on the URL. It is the most popular form of content filtering, especially in terms of denial of access to the targeted site. One of the advantages of URL filtering is its ability to discriminate and carefully choose a site but leave the IP address of the machine that hosts it functioning and, therefore, providing other services to the network or PC.
– Keyword Filtering
  Keyword filtering requires that all the inbound or outbound content be scanned, and every syntactically correct word scanned is compared with words either on the inclusive (white) list or the exclusive (black) list, depending on the filtering regime used.
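URL filtering and keyword filtering as described above, as an added example that is not part of the book or the slides. The blocked URL prefixes, the word lists and the sample texts are constructed; the helper names (normalize_url, url_filter, words_of, keyword_filter) are this example's own. The URL filter keys on a normalized "scheme://host/path" prefix so that only the targeted resource is denied and the rest of the host stays reachable; the keyword filter tokenizes whole words before comparing them, so "Wagerton" is not mistaken for the listed word "wager".

```python
import re
from urllib.parse import urlparse

# Constructed URL block list. Entries are URL prefixes, so only the named
# resources are denied while everything else on the same host stays reachable.
BLOCKED_URL_PREFIXES = [
    "http://shared-host.example/casino/",
    "http://shared-host.example/downloads/unwanted-toolbar.exe",
]

# Constructed word lists for the two keyword regimes.
BLACK_WORDS = ["wager", "jackpot"]
WHITE_WORDS = ["arithmetic", "homework", "reading", "science"]


def normalize_url(url):
    """Canonical 'scheme://host/path' so that letter case or a missing path cannot defeat a match."""
    p = urlparse(url)
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{p.path or '/'}"


def url_filter(url, blocked_prefixes=BLOCKED_URL_PREFIXES):
    """URL filtering: deny only when the normalized request starts with a blocked prefix."""
    target = normalize_url(url)
    return not any(target.startswith(normalize_url(b)) for b in blocked_prefixes)


# A "syntactically correct word" for this example: an alphabetic token, optionally
# with internal apostrophes or hyphens. Digits and punctuation are not words.
WORD = re.compile(r"[A-Za-z][A-Za-z'-]*")


def words_of(text):
    """All whole words of a text, lower-cased for comparison against the lists."""
    return [w.lower() for w in WORD.findall(text)]


def keyword_filter(text, word_list, regime="exclusion"):
    """Compare each scanned word with the list. Exclusion regime: listed words offend.
    Inclusion regime: unlisted words offend. Returns (allowed, offending_words)."""
    listed = {w.lower() for w in word_list}
    found = words_of(text)
    if regime == "exclusion":
        offending = [w for w in found if w in listed]
    elif regime == "inclusion":
        offending = [w for w in found if w not in listed]
    else:
        raise ValueError("regime must be 'exclusion' or 'inclusion'")
    return not offending, offending


if __name__ == "__main__":
    for url in ["http://shared-host.example/casino/index.html", "http://Shared-Host.example/news/"]:
        print(url, "->", "allow" if url_filter(url) else "deny")
    for text in ["Place your WAGER now!", "Meet me at Wagerton station"]:
        print(repr(text), "->", keyword_filter(text, BLACK_WORDS))
    print(keyword_filter("Arithmetic homework, then reading", WHITE_WORDS, regime="inclusion"))
```

The inclusion run illustrates the size problem from the earlier slide: the ordinary word "then" is enough to get an otherwise acceptable sentence rejected until someone adds it to the white list.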

Page 9: Chapter 14: Virus and Content Filtering

– Packet Filtering
  Network traffic moves between network nodes based on a packet, as an addressable unit, with two IP addresses: the source address and the destination address. Content is blocked or denied access based on IP addresses; this means that no content can come from or go to the machine whose address is in the block rules. This kind of blocking is indiscriminate because it blocks a machine based on its address, not its content, which means that a machine may have other good services but they are all blocked.

Page 10: Chapter 14: Virus and Content Filtering

– Profile filtering
  This is a new brand of content filter based on the characteristics of the text "seen" so far and the learning cycles ("repeats") done to discriminate all further text from this source. However, because of the complexity of the process and the time involved and needed for the filters to "learn", this method, so far, has not gained popularity. In the pre-processing phase, it needs to fetch some parts of the document and scan it, either text-based or content-based, in order to "learn". This may take time.

Page 11: Chapter 14: Virus and Content Filtering

– Image analysis filtering
  This is a new approach to filtering the Internet's new media and formats based on analyzed images. Although new, this approach is already facing problems: the need to pre-load images for analysis, the high bandwidth required, which makes it extremely slow, and syntactic filtering, which makes it semantically indiscriminate.

Page 12: Chapter 14: Virus and Content Filtering

Location of Content Filters
There are four best locations to install content filters:
– Filtering on the end user's computer
– Filtering at the ISP's computer
– Filtering by an organization server
– Filtering by a third party

Page 13: Chapter 14: Virus and Content Filtering

Virus Filtering

Virus
– A computer virus is a self-propagating computer program designed to alter or destroy a computer system resource. The term virus is derived from a Latin word, virus, which means poison. For generations, even before the birth of modern medicine, the term had remained mostly in medical circles, meaning a foreign agent injecting itself into a living body, feeding on it to grow and multiply.
– The virus is, so far, the most popular form of computer system attack because of the following factors:
  Ease of generation. Considering all other types of system attacks, viruses are the easiest to generate because the majority of them are generated from computer code.
  Scope of reach. Because of the high degree of interconnection of global computers, the speed at which viruses spread is getting faster and faster.

Page 14: Chapter 14: Virus and Content Filtering

– Self-propagating nature of viruses. The new viruses now are far more dangerous than their counterparts several years ago. New viruses self-propagate, which gives them the ability to move fast and create more havoc faster.
– Mutating viruses. The new viruses are not only self-propagating, which gives them speed; they are also mutating, which gives them a double punch of delaying quick eradication and consuming great resources and, therefore, destroying more in their wake, fulfilling the intended goals of the developers.
– Difficulty of apprehending the developer.

Page 15: Chapter 14: Virus and Content Filtering

Virus Infection/Penetration
There are three ways viruses infect computer systems: boot sector penetration, macro penetration, and parasites.
– Boot Sector Penetration - A boot sector is usually the first sector on every disk. In a boot disk, the sector contains a chunk of code that powers up a computer. In a non-bootable disk, the sector contains a File Allocation Table (FAT), which is automatically loaded first into computer memory to create a roadmap of the type and contents of the disk for the computer to access the disk. Viruses embedded in this sector are assured of automatic loading into the computer memory.

Page 16: Chapter 14: Virus and Content Filtering

– Macro Penetration - Macros are small language programs that can only execute after embedding themselves into surrogate programs. The rising popularity in the use of scripts in web programming is resulting in macro virus penetration as one of the fastest forms of virus transmission.
– Parasites - These are viruses that attach themselves to a healthy executable program and wait for any event where such a program is executed. Because of the spread of the Internet, this method of penetration is the most widely used and the most effective.

Page 17: Chapter 14: Virus and Content Filtering

Source of Virus Infection
Computer viruses, just like biological viruses, have many infection sources:
– Movable computer disks
– Internet downloadable software
– Email attachments
– Platform-free executable applets and scripts

Page 18: Chapter 14: Virus and Content Filtering

Types of Viruses
Just like living viruses, there are several types of digital (computer) viruses, and there are new brands almost every other day.
– Virus Classification Based on Transmission
  Trojan horse viruses
  Polymorphic viruses
  Stealth viruses
  Retro viruses
  Multipartite viruses
  Armored viruses
  Companion viruses
  Phage viruses

Page 19: Chapter 14: Virus and Content Filtering

– Virus Classification Based on Outcomes
  Error-generating Virus
  Data and Program Destroyers
  System Crusher
  Computer Time Theft Virus
  Hardware Destroyers
  Logic/Time Bombs

Page 20: Chapter 14: Virus and Content Filtering

Content Filtering
Content filtering takes place at two levels:
– Application level, where the filtering is based on URL, which may, for example, result in blocking a selected web page or an FTP site.
– Network level, based on packet filtering, which may require routers to examine the IP address of every incoming or outgoing traffic packet.

Page 21: Chapter 14: Virus and Content Filtering

Application Level Filtering
– Filtering is based on several things that make up the blocking criteria, including URL, keyword, and pattern.
– It is also located at a variety of places, including at the user's PC, at the network gateway, at a third party's server, and at an ISP.
– The effectiveness of application level blocking using proxy servers is limited as a result of technical and non-technical factors:

Technical Issues
– Use of translation services in requests can result in requested content from unwanted servers and sites
– The Domain Name server can be bypassed
– The reliability of the proxy server may be a problem

Page 22: Chapter 14: Virus and Content Filtering

Non-technical Issues
– ISP problems
– The costs of creating and maintaining a black list

Packet Level Filtering and Blocking
– In packet level filtering and blocking, the filtering entity has a black list consisting of "forbidden" or "bad" IP addresses.
– The blocking and filtering processes then work by comparing all incoming and outgoing packet IP addresses against the IP addresses on the supplied black list.
– The effectiveness of packet level blocking is limited by both technical and non-technical problems:

Page 23: Chapter 14: Virus and Content Filtering

Technical Issues
– Packet level blocking is indiscriminate
– Routers can easily be circumvented
– Black listed IP addresses are constantly changing
– Use of non-standard port numbers

Non-technical Issues
– Increased operational costs and ISP administrative problems
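Packet level filtering against a black list of IP addresses, as described on the two preceding slides and on the earlier "Packet Filtering" slide, as an added example that is not from the book or the slides. The black list and the packet records are constructed from reserved documentation address ranges; the function names are this example's own. The slides speak of a list of single addresses; this example goes one step further and also accepts whole networks in CIDR notation, which is how such lists are usually kept. It shows the indiscriminate nature the slides describe: once a host's address is listed, its web traffic and its mail traffic are both dropped, whatever their content.

```python
import ipaddress

# Constructed black list. Bare addresses are what the slides describe; CIDR
# networks are an added generalization of the same per-address rule.
BLACK_LIST = ["203.0.113.7", "198.51.100.0/24"]

# Constructed packet records: "source destination protocol destination-port".
# The first two lines are a web request and a mail delivery to the same listed host.
PACKET_LOG = """\
192.0.2.10 203.0.113.7 tcp 443
192.0.2.10 203.0.113.7 tcp 25
198.51.100.42 192.0.2.10 udp 53
192.0.2.10 203.0.113.50 tcp 8080
"""


def compile_black_list(entries):
    """Turn every entry into a network object; a bare address becomes a /32 (or /128) network."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_listed(addr, networks):
    """True when the address falls inside any listed network (IPv4 and IPv6 never cross-match)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def packet_decision(src, dst, networks):
    """Block when either the source or the destination address is on the list.
    Protocol and port are not consulted: the rule is keyed on addresses alone."""
    return "block" if is_listed(src, networks) or is_listed(dst, networks) else "allow"


def filter_log(log_text, entries=BLACK_LIST):
    """Apply the black list to every record; returns (src, dst, proto, dport, decision) tuples."""
    networks = compile_black_list(entries)
    decisions = []
    for line in log_text.strip().splitlines():
        src, dst, proto, dport = line.split()
        decisions.append((src, dst, proto, int(dport), packet_decision(src, dst, networks)))
    return decisions


if __name__ == "__main__":
    for src, dst, proto, dport, decision in filter_log(PACKET_LOG):
        print(f"{src:>15} -> {dst:<15} {proto}/{dport:<5} {decision}")
```

The fourth record is allowed even though it uses a non-standard port, because an address-keyed rule never looks at the port; a filter that keyed on port numbers instead would need a rule for every port a service might be offered on, which is the "non-standard port numbers" problem the slide lists.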

Page 24: Chapter 14: Virus and Content Filtering

Filtered Materials
Nudity
Mature Content
Sex
Gambling
Violence/Profanity
Gross Depiction
Drug/Drug Culture and Use
Intolerance/Discrimination
Satanic or Cult
Crime
Tastelessness
Terrorism/Militant/Extremists

Page 25: Chapter 14: Virus and Content Filtering

Spam
Spam is unsolicited automated email. Because Internet use is more than 60 percent email, spamming affects a large number of Internet users. There are several ways we can fight spam, including the following:
– Limit email addresses posted in a public electronic place
– Refrain from filling out online forms that require an email address
– Use email addresses that are NOT easy to guess
– Practice using multiple email addresses
– Use a spam filter
– Spam laws