By: Michael (Micha) Shafir, CTO, Inventor
‘False Positives', alarms raised by security devices for a security threat that is not one at all, are a common phenomenon in many current Web security solutions. A ‘False Positive' is a false detection or false alarm, and in proactive devices it can result in a user or users being blocked from a Web site entirely. ‘False Positives' can be generated in different ways. Intrusion Detection Systems (IDSs), for example, generate logs to alert administrators of illegal attempts to enter a Web site. Such logs contain, in addition to real alarms, countless false alarms that overwhelm the administrator. In contrast to the passive nature of most IDSs, application security solutions are usually proactive. This means that they are designed to block access to a Web site, and in the case of a ‘False Positive' they may block legitimate users from accessing it.
The reason that ‘False Positives' occur is simply that security solutions are automated and have only limited intelligence capabilities. Most solutions have a database of known attacks and constantly compare incoming traffic to this database, trying to identify an attack. This opens the door to ‘False Positives', since the security system often views traffic differently than the target system does. This may be because of different protocols and operating systems, as well as encryption or fragmented streams. Even harmless requests may be misjudged as ‘malicious' when there is an unusually high and unexpected volume of traffic.
There is a more important issue than why ‘False Positives' are generated: what is the effect of ‘False Positives' on a Web site? And more importantly, which is more harmful, a successful attack or a ‘False Positive'? An immediate answer may be that a successful attack is more harmful. It seems logical. However, further analysis reveals that in fact ‘False Positives' pose the greater threat. The reason lies in the fact that organizations can evaluate damages resulting from malicious activities and can quantify them. However, the damage that occurs from a ‘False Positive' created by a third-party product is much more difficult to predict and protect against.
Let's look at an example. In most legal systems, if the facts in a case are ambiguous, the legal system tends towards letting the suspect go, letting a guilty person walk free rather than finding an innocent person guilty. For lawmakers, it has long been clear that such a ‘False Positive' (finding an innocent person guilty) carries a higher price for society than enduring a legal attack.
The problem of ‘False Positives' in the Internet is mainly a result of the way security companies have approached the problem. Current security solutions have looked at how to identify the malicious activities and stop them. In order to do that, these solutions rely on a database with examples of illegal traffic. They try to match incoming traffic against the database and thus look for attacks. There are many problems with this logic. Firstly, they are unable to detect attacks that are not registered in the database. It may be a new kind of attack or a new version of an old attack. Secondly, and much more worrisome, are the ‘False Positives' they create.
Let's examine this issue from another perspective. Let's say that there is a terrorist who is threatening to start shooting in a crowd of people. The authorities want to eliminate this threat, but they will not shoot into the crowd because they may hit innocent bystanders, i.e. it would create ‘False Positives'. So we come back to the question of what is less harmful: a successful attack or a ‘False Positive'? Now the answer is clearer. Every law enforcement agency would choose to let the terrorist get away and pursue him later rather than harm innocent people.
Now the question arises, why not adopt this attitude with Web security solutions? Instead of wasting time, money and resources on trying to identify ‘bad' traffic, it would be much more effective to protect the site with positive rather than negative logic. Instead of looking at what is not allowed, one should be looking to understand only what is allowed. This means that the Web security solution ‘understands' what kind of traffic can be forwarded to the site and can automatically block all traffic that is not allowed. True, this is a more complicated solution since it requires the security solution to be much more sophisticated and equipped with more advanced logic. However, this way of protecting the Web site has many advantages over the older methods since, when applied intelligently, it can eliminate ‘False Positives' and protect the site against both unknown and known threats.
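To make the difference between negative and positive logic concrete, here is an added example (not code from the article or from any vendor it discusses) that puts the two models side by side on the same query parameters. The signature list and the per-endpoint schema for a hypothetical /search endpoint are constructed for illustration; the point is that the blocklist fires on a harmless search phrase while letting traffic outside the expected shape through, and the allowlist does the opposite.

```python
import re

# Negative model: block any value that matches a known-bad signature.
# Constructed sample signatures, standing in for a vendor's attack database.
SIGNATURES = [
    re.compile(r"\bunion\b.*\bselect\b", re.I),
    re.compile(r"<\s*script", re.I),
    re.compile(r"\.\./"),
]


def negative_model(params: dict) -> tuple:
    """Return (allowed, reason). Blocks on the first signature hit."""
    for name, value in params.items():
        for sig in SIGNATURES:
            if sig.search(value):
                return False, f"signature {sig.pattern!r} matched in {name!r}"
    return True, "no signature matched"


# Positive model: a description of what legitimate traffic to this endpoint
# looks like. Constructed schema for a hypothetical /search endpoint:
# parameter -> (allowed form, required?)
SEARCH_SCHEMA = {
    "q":    (re.compile(r"^[\w\s'.,-]{1,64}$"), True),   # bounded free text
    "page": (re.compile(r"^\d{1,3}$"), False),           # optional small integer
}


def positive_model(params: dict, schema: dict = SEARCH_SCHEMA) -> tuple:
    """Return (allowed, reason). Only traffic that fits the schema passes."""
    for name in params:
        if name not in schema:
            return False, f"unexpected parameter {name!r}"
    for name, (pattern, required) in schema.items():
        if name not in params:
            if required:
                return False, f"missing required parameter {name!r}"
            continue
        if not pattern.fullmatch(params[name]):
            return False, f"parameter {name!r} outside allowed form"
    return True, "request matches endpoint schema"


def compare(params: dict) -> dict:
    """Run both models on one request so the disagreement is visible."""
    return {"negative": negative_model(params)[0],
            "positive": positive_model(params)[0]}


if __name__ == "__main__":
    # A legitimate search for a committee name: the blocklist calls it an attack.
    print(compare({"q": "union select committee minutes"}))
    # A request carrying a parameter the endpoint never defined: the blocklist
    # has no signature for it, the allowlist rejects it without needing one.
    print(compare({"q": "annual report", "debug": "1"}))
    # Ordinary traffic: both agree.
    print(compare({"q": "annual report", "page": "2"}))
```

The first case is the ‘False Positive' the article describes; the second is the unknown-traffic case, rejected by the positive model purely because it lies outside what the site is known to accept, with no signature involved.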
Although ‘positive logic' security solutions represent a better way of protecting Web sites against current and future generations of attacks, such solutions fall short of delivering all of the benefits and still create some of the problems of older methods, specifically ‘False Positives'.
Let's take an example from the real world. Some current application security solutions parse a retrieved page from a Web server, dynamically creating a URL list from that page. The user should then request the objects as listed on that HTTP page.
‘Direct access browsing'
Direct access browsing refers to the direct access of a Web object or objects which are not listed on that HTTP page. At first glance this may appear acceptable and not a security issue, but further analysis reveals the problematic nature of the approach. Take for example a case where a user is given a URL link from a search engine into a page deep in the site, or where the user has bookmarked a link that is not the home page. In this case, the security solution working with this logic may block the user as if he were attacking, since it cannot track the user's actions. While this is not an attack, the security solution may assume it is and may create a ‘False Positive' response.
Another issue that can cause ‘False Positives' is the use of proxies between the user and the Web site. In this case, the requested page (usually only static HTTP pages or objects) may be stored in the cache, sometimes for quite a long time. The requested objects would not be retrieved from the origin site and therefore will not be part of the ‘tracking list' on the security system. ‘False Positives' may be generated and the user's requests may be blocked by the system. In the worst-case scenario, the user will be added to the Access Control List (ACL), thereby blocking his IP address completely for future access. From that user's point of view, the site is dead or is under a ‘denial of service' attack.
In order to eliminate this problem, some current application security solutions require that the ‘Meta cache' in the entire site's HTTP page headers be disabled, forcing all traffic through the Web server alone. If this is the case, what is the point of having a reverse proxy or cache server at all if the site's content is forced to bypass them? In fact, by eliminating the caches and proxies, you are actually paralyzing the network's shock absorbers and may be forced to deal with huge amounts of redundant traffic.
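The following added example (not the article's own code, nor that of any product it describes) models the ‘tracking list' approach from the preceding paragraphs: the security layer parses each page the origin serves, records the links on it per session, and then only admits requests for paths it has seen listed. The two HTML pages, the example.test host and the session identifiers are constructed. Running the scenarios shows the two ‘False Positives' the article describes: a deep link from a search engine, and a click on a page that a cache served without the enforcer ever seeing it.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkExtractor(HTMLParser):
    """Collect the URL paths a served page lists (anchors, images, scripts, stylesheets)."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "img", "script", "link"):
            return
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.add(urlsplit(urljoin(self.base_url, value)).path)


def extract_links(base_url: str, html: str) -> set:
    extractor = LinkExtractor(base_url)
    extractor.feed(html)
    return extractor.links


class TrackingEnforcer:
    """Admit a request only if its path was listed on a page this session already received."""

    def __init__(self, entry_points=("/",)):
        self.entry_points = set(entry_points)   # pages anyone may start from
        self.sessions = {}                      # session id -> set of listed paths

    def observe_response(self, session: str, page_url: str, html: str) -> None:
        # Called only for responses that actually pass through the enforcer.
        self.sessions.setdefault(session, set()).update(extract_links(page_url, html))

    def check_request(self, session: str, path: str) -> bool:
        listed = self.sessions.get(session, set())
        return path in self.entry_points or path in listed


# Constructed pages for a hypothetical site at http://example.test/
HOME_HTML = "<html><body><a href='/products'>Products</a></body></html>"
PRODUCTS_HTML = ("<html><body><a href='/products/42'>Item 42</a>"
                 "<a href='/products/43'>Item 43</a></body></html>")


def run_scenarios() -> dict:
    enforcer = TrackingEnforcer()
    results = {}

    # 1. Ordinary browsing: the home page was seen, so the click on /products is listed.
    enforcer.observe_response("s1", "http://example.test/", HOME_HTML)
    results["normal_click"] = enforcer.check_request("s1", "/products")

    # 2. Deep link from a search engine: the session has received no page yet,
    #    so nothing is listed and the legitimate request is refused.
    results["deep_link"] = enforcer.check_request("s2", "/products/43")

    # 3. Cache hit: /products was answered by a proxy from its cache, so the
    #    enforcer never observed PRODUCTS_HTML and the next click is refused.
    enforcer.observe_response("s3", "http://example.test/", HOME_HTML)
    assert enforcer.check_request("s3", "/products")      # this request was fine
    results["click_after_cache_hit"] = enforcer.check_request("s3", "/products/43")

    # 4. Same click when the origin served /products and the enforcer saw it.
    enforcer.observe_response("s4", "http://example.test/", HOME_HTML)
    enforcer.observe_response("s4", "http://example.test/products", PRODUCTS_HTML)
    results["click_after_origin_hit"] = enforcer.check_request("s4", "/products/43")
    return results


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'BLOCKED'}")
```

Scenarios 3 and 4 differ only in whether the response travelled through the enforcer, which is exactly why the article's remedy of disabling caching ‘works': the tracking list is correct only for traffic the security device itself has seen.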
How can you avoid both application attacks and ‘False Positives' at the same time?
There is another issue that we have to bring up. One of the greatest security threats Web site operators face today is attacks that use perfectly legitimate traffic as the means of attack. This kind of attack is called a ‘Fake-Legitimate' attack. To illustrate this, we can take an example from the ‘real' world. Let's say that there are a certain number of good quality fake tickets to a sports event. The guards at the entrances to this event have the difficult job not only of admitting only those who hold a valid ticket, but also of looking at each and every ticket and judging whether it is genuine or a forgery.
The problem with these kinds of attacks is that the security system will need to intelligently differentiate between legitimate and ‘Fake-Legitimate' traffic. This requires very sophisticated intelligence as well as fast processing. Today's firewalls and other security systems cannot perform this task. Therefore, they cannot protect the sites from these kinds of attacks. Current solutions try to combat them, but lack the tools to do that effectively. As a consequence, these systems create ‘False Positives' in the process.
It is clear that conventional IDSs do not stand a chance in the fight against either ‘Fake-Legitimate' attacks or ‘False Positives'. These kinds of systems use a signature database of known threats against which they check incoming traffic. This has serious drawbacks, since the method cannot protect against attacks it does not have a record of. It can also generate many ‘False Positives' while it fails to discriminate between legitimate and malicious traffic.
There are also security systems on the market that attempt to detect attacks by identifying traffic anomalies. While the theory is good, one of the major drawbacks of such systems is that they find it difficult to differentiate between legitimate traffic surges and attacks. Such surges can be created by an advertisement that just ran on TV or a breaking story in the press. Thus, they often create ‘False Positives' by inaccurately identifying such surges as attacks.
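An added example (not from the article or any product it names) of the surge problem: a volume-only anomaly rule fires on a legitimate flash crowd just as readily as on a flood. The refinement shown beside it, which asks how concentrated the volume is across sources before alarming, is an assumption of mine rather than something the article proposes, and the request samples, baseline and thresholds are constructed.

```python
from collections import Counter


def rate_alarm(events: list, baseline_per_min: int, factor: int = 5) -> bool:
    """Volume-only rule: alarm when one minute's requests exceed factor x baseline."""
    return len(events) > factor * baseline_per_min


def source_aware_alarm(events: list, baseline_per_min: int,
                       factor: int = 5, max_share: float = 0.2) -> bool:
    """Assumed refinement: only treat a volume spike as an attack when a single
    source carries more than max_share of it. Events are (source_ip, path) pairs."""
    if len(events) <= factor * baseline_per_min:
        return False
    counts = Counter(src for src, _ in events)
    top_share = counts.most_common(1)[0][1] / len(events)
    return top_share > max_share


# Constructed traffic samples for one minute, against a baseline of 50 requests/min.
BASELINE = 50

# Flash crowd after a TV advertisement: 600 requests from 600 distinct sources.
FLASH_CROWD = [(f"10.{i // 256}.{i % 256}.1", "/promo") for i in range(600)]

# Same volume concentrated on three sources.
CONCENTRATED = [(f"192.0.2.{i % 3}", "/promo") for i in range(600)]


def evaluate(events: list) -> dict:
    return {"volume_only": rate_alarm(events, BASELINE),
            "source_aware": source_aware_alarm(events, BASELINE)}


if __name__ == "__main__":
    print("flash crowd:  ", evaluate(FLASH_CROWD))
    print("concentrated: ", evaluate(CONCENTRATED))
```

The volume-only rule alarms in both cases, so the flash crowd is a ‘False Positive'; the source-aware rule stays quiet for it. Note that the refinement inherits the article's proxy problem: a large population of legitimate users behind one corporate proxy or NAT address would look concentrated too, so the threshold has to be set with the site's real address distribution in mind.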
Another highly problematic area with today's passive security solutions is incident logging. How many times will the network administrator react to false alarms before he starts to ignore them altogether? Our experience has shown that within three to four weeks administrators virtually ignore all alarms, since they are constantly bombarded with false ones. Instead of receiving numerous false and minor alarms, they would rather use their time more efficiently. For the enterprise, this is a waste of time and resources. The same is one of the weaknesses of most third-party anti-spam technologies: they are good at identifying junk mail based on blacklists, content, and other cues, but filters that catch all spam often snare a fair bit of legitimate email as well. Can you accept that? For how long? (I bet no more than a few hours.)
The weakness of current IDSs/IPSs is clear. Not only do they need to be able to inspect over 600 known attack signatures with minimum delay, they need to reconstruct fragmented streams to avoid partial stream views. Most of the systems on the market resort to some sort of corner-cutting and apply ‘statistics-based inspections' instead of inspecting every single packet.
For security systems to create false alarms and logs is one thing. But there is a much more serious problem with active security systems: they can actually block the traffic to the site. The problem starts when such systems create ‘False Positives' and thus block legitimate users. This is when things really start to get ugly. Imagine that you are regarded by the security system as an attacker and cannot get into your bank account. This will make you very unhappy and will create ill will towards the bank. This is why banks prefer to undergo an attack rather than block a legitimate user. ‘False Positives' are therefore unacceptable.
As mentioned in my previous article "Are WEB applications Trojan horses?" a new security approach is needed. One that can effectively detect and protect against application layer attacks and at the same time, stay free from ‘False Positives' and be intelligent enough to automatically learn to protect against both unknown and known attacks and effectively bar ‘False Negatives'. This is the only way to provide the highest level of security to Web applications.
----------------------------------------------------------------------------
© Michael (Micha) Shafir CTO, MagniFire Websystems Inc.
Email: micha@Innovya.com
Direct: +972 54 4837900