Encoding techniques for evading n-gram based Intrusion Detection Systems

Size: px

Start display at page:

Download "Encoding techniques for evading n-gram based Intrusion Detection Systems"

Alvin Hamilton
6 years ago
Views:

1 Encoding techniques for evding n-grm bsed Intrusion Detection Systems Studienrbeit Moritz Bechler Universität Tübingen Wilhelm Schickrd Institut SPRING Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 1 / 24

2 Outline 1 Introduction Intrusion Detection Systems n-grm nlysis 2 Attcks ginst n-grm bsed IDSs Trget Model 1-to-1 encoding slice-nd-pd cycle encoding Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 2 / 24

3 Introduction Intrusion Detection Systems Intrusion detection systems Aim to detect misuse of computer systems nd networks. This work focuses on network bsed content nomly detectors. Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 3 / 24

4 Introduction Intrusion Detection Systems Intrusion detection systems Aim to detect misuse of computer systems nd networks. This work focuses on network bsed content nomly detectors. Two mjor types, depending on how the dt is nlyzed: Signture-bsed: known ttck ptterns re modeled, these re detected Anomly-bsed: norml ctivity is modeled, devition is detected Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 3 / 24

5 Introduction Intrusion Detection Systems Intrusion detection systems Aim to detect misuse of computer systems nd networks. This work focuses on network bsed content nomly detectors. Two mjor types, depending on how the dt is nlyzed: Signture-bsed: known ttck ptterns re modeled, these re detected Anomly-bsed: norml ctivity is modeled, devition is detected Signture-bsed IDSs re most commonly used tody, but require signture mintennce re useless ginst 0-dy ttcks smll modifictions to the ttck might render the signture useless Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 3 / 24

6 Introduction Anomly-bsed content nlysis Intrusion Detection Systems GET / HTTP/1.1..Host: sploit.org..user-agent: Mozill /5.0 (X11; Linux x86_64; rv: ) Gecko/ Firefox/ Accept: text/html,ppl iction/xhtml+xml,ppliction/ xml;q=0.9,*/*;q=0.8..accept-l nguge: en-us,en;q=0.8,de-de;q =0.5,de;q=0.3..Accept-Encoding : gzip, deflte..dnt: 1..Conne ction: keep-live.. () Innocuous HTTP Request GET / HTTP/1.1..Host: pche-s clp.c..x-ccccccc: AAAAAAAAAAA AAAAA...j.TRj.j...z..u.f.z.09u...D$.. $...u..d$....z...d$.. $..u.h.ok..4$...j.rj.j...h/sh.h/bin..1.pr..pqrp.;...x-cccccc C: AAAAAAAAAAAAAAAA...j.TRj. j...z..u.f.z.09u...d$.. $...u..d$...z...d$.. $..u.h.ok..4$... (b) Prt of Apche OpenBSD Exploit How cn we distinguish between ) nd b)? Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 4 / 24

7 Introduction Intrusion Detection Systems Anomly-bsed content nlysis (cont.) count 10 count vlue () Innocuous HTTP Request vlue (b) Prt of Apche OpenBSD Exploit Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 5 / 24

8 Introduction Intrusion Detection Systems count vlue count vlue PAYL Proposed by Wng nd Stolfo in Anomlous pylod-bsed network intrusion detection. 256 dim. feture spce good trining mlicious Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 6 / 24

9 Introduction Intrusion Detection Systems count vlue count vlue PAYL Proposed by Wng nd Stolfo in Anomlous pylod-bsed network intrusion detection. 256 dim. feture spce But: Byte frequencies cn be djusted by substitution nd pdding. This ttck type is clled mimicry ttck. good trining substitution pdding mlicious Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 6 / 24

10 Introduction n-grm nlysis n-grms n-grms re sequences of n consecutive bytes. n-grms do overlp, thereby reflecting some structurl properties. For nlysis we extrct ll n-grms from the dt. Input: j f h b c f j f h j f h b f h b c h b c f Figure: Exmple of 4-grm extrction Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 7 / 24

11 Introduction n-grm nlysis Angrm Introduced by Wng, Prekh nd Stolfo in ANAGRAM: A Content Anomly Detector Resistnt To Mimicry Attck. Content nomly detector bsed on n-grm nlysis. n = 5 nd n = 6 works best. Trining dt: bcef 3-grms: bc bce cef h2 h1 Bloom filter: Input: bcd Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 8 / 24

12 Introduction n-grm nlysis Angrm Introduced by Wng, Prekh nd Stolfo in ANAGRAM: A Content Anomly Detector Resistnt To Mimicry Attck. Content nomly detector bsed on n-grm nlysis. n = 5 nd n = 6 works best. Trining dt: bcef 3-grms: bc bce cef h2 h1 Bloom filter: h2 h1 Good: bc Input: bcd Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 8 / 24

13 Introduction n-grm nlysis Angrm Introduced by Wng, Prekh nd Stolfo in ANAGRAM: A Content Anomly Detector Resistnt To Mimicry Attck. Content nomly detector bsed on n-grm nlysis. n = 5 nd n = 6 works best. Trining dt: bcef 3-grms: bc bce cef h2 h1 Bloom filter: h1 h2 Good: bc Bd: bcd Input: bcd Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 8 / 24

14 Attcks ginst n-grm bsed IDSs This work tries to find prcticl mimicry ttck ginst Angrm. tried to find suitble byte substitutions by brute-force. Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 9 / 24

15 Attcks ginst n-grm bsed IDSs This work tries to find prcticl mimicry ttck ginst Angrm. tried to find suitble byte substitutions by brute-force. explored scheme to reduce the complexity of this serch. Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 9 / 24

16 Attcks ginst n-grm bsed IDSs This work tries to find prcticl mimicry ttck ginst Angrm. tried to find suitble byte substitutions by brute-force. explored scheme to reduce the complexity of this serch. generlizes nd improves previously known scheme (cycle encoding). Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 9 / 24

17 Attcks ginst n-grm bsed IDSs Obtining trget model Trget Model First step for lunching mimicry ttck is lwys hving something to mimic. For my experiments I used pcket cptures from the 1999 DARPA Intrusion Detection Evlution specificlly, HTTP requests from the clen trining dt. pproximtion rel trining Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 10 / 24

18 Attcks ginst n-grm bsed IDSs Trget Model Construction of n-grm grphs gj k jk gk Model the lnguge ccepted by the detector s deterministic finite utomton (DFA). Ech n 1-grm represents stte. Ech llowed n-grm represents trnsition. l l kl l ll l gl l g lg l Figure: 3-grm grph for the strings gjkll, gkllll nd llgll Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 11 / 24

19 1-to-1 Encoding Attcks ginst n-grm bsed IDSs 1-to-1 encoding A smll portion of code reproduces shellcode of rbitrry length. Originl Shellcode subtitution Decoder Tble Encoded Shellcode Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 12 / 24

20 Attcks ginst n-grm bsed IDSs 1-to-1 encoding 1-to-1 Encoding (cont.) gj k Simple byte substitution: b j c k g l e g g bc g cg g gg g eg e ge g gk l l jk l kl l ll l gl g l lg Figure: 1-to-1 encoding of the string bcggeggg Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 13 / 24

21 Attcks ginst n-grm bsed IDSs 1-to-1 encoding 1-to-1 Encoding (cont.) But, finding subgrph isomorphism is NP-complete problem. the trget grph is huge in rel-world scenrios. Tried brute-forcing 1-to-1 substitution with restricted lphbets. Running the tool on three shellcodes of incresing complexities with 10 hour timeout: Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 14 / 24

22 Attcks ginst n-grm bsed IDSs 1-to-1 encoding 1-to-1 Encoding (cont.) But, finding subgrph isomorphism is NP-complete problem. the trget grph is huge in rel-world scenrios. Tried brute-forcing 1-to-1 substitution with restricted lphbets. Running the tool on three shellcodes of incresing complexities with 10 hour timeout: 2-grm 3-grm 4-grm 5-grm 6-grm Shellcode s 5.915s m timeout omitted Shellcode 2 timeout omitted omitted omitted omitted Shellcode 3 timeout omitted omitted omitted omitted Tble: Running times Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 14 / 24

23 Attcks ginst n-grm bsed IDSs slice-nd-pd slice-nd-pd Tokenize the shellcode into individul instructions. Find vlid substitution for ll tokens. Connect the individul substituted tokens by NOP-equivlent pths. Tries to reduce the complexity of the substitution step. xor ex, ex mov [esi+0xb], l 0x31 0xc0 0x88 0x46 0x0b substitution 0x42 0xc43 0x44 0x45 0x46 0x42 0xc43 0x44 0x45 0x46 inverse substitution 0x31 0xc0 NOP 0x88 0x46 0x0b Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 15 / 24

24 Attcks ginst n-grm bsed IDSs slice-nd-pd: Problems slice-nd-pd 2-grm 3-grm 4-grm 5-grm 6-grm Shellcode 1 timeout s s m x 138m subst. n-grms Shellcode s timeout timeout x 47.5m x 86.10m subst. n-grms Shellcode 3 timeout timeout timeout timeout N/A subst. n-grms Tble: Running times, timeout fter 10 hours Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 16 / 24

25 Attcks ginst n-grm bsed IDSs slice-nd-pd slice-nd-pd: Problems 2-grm 3-grm 4-grm 5-grm 6-grm Shellcode 1 timeout s s m x 138m subst. n-grms Shellcode s timeout timeout x 47.5m x 86.10m subst. n-grms Shellcode 3 timeout timeout timeout timeout N/A subst. n-grms Tble: Running times, timeout fter 10 hours Other problems: Dt segments in shellcode hve to be kept intct. Offsets chnge when introducing NOPs, requires code modifictions. Checking whether sequence is NOP-equivlent is complicted. Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 16 / 24

26 Attcks ginst n-grm bsed IDSs cycle encoding originl cycle encoding Proposed by Fogl, Shrif, Perdisci, Kolesnikov nd Lee in Polymorphic blending ttcks for evding 2-grm bsed systems. Encode 1-bit of informtion by choosing one of two mutully rechble cycles in the trget grph. b d cd b b c bc b c db Encoding 151 = : dbcdbbbbcdbcdbbbcdbcdbcdbc Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 17 / 24

27 Attcks ginst n-grm bsed IDSs cycle encoding improved cycle encoding db d bd b Find node tht lies on 2 k distinct cycles nd encode k-bit t time. Optimiztion: Assign the shorter cycles to the input symbols occuring more often. d b d b c d c b c Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 18 / 24

28 Attcks ginst n-grm bsed IDSs cycle encoding cycle encoding exmple db d bd Input: b d b d b d c c b c Figure: 3-grm 2-bit cycle encoding Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 19 / 24

29 Attcks ginst n-grm bsed IDSs cycle encoding cycle encoding exmple db d bd Input: b Set d d 01, 10 b, b d b c c 11 c, 00 dbd b c Figure: 3-grm 2-bit cycle encoding Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 19 / 24

30 Attcks ginst n-grm bsed IDSs cycle encoding cycle encoding exmple db d bd Input: b Set d d 01, 10 b, b d b c c 11 c, 00 dbd Encoded:.b...c b c Figure: 3-grm 2-bit cycle encoding Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 19 / 24

31 Attcks ginst n-grm bsed IDSs cycle encoding cycle-encoding: choosing k Apply cycle encoding to the shellcodes, originl sizes: 40/107/301 bytes. Expnsion fctors for 5-grm, including decoder tble: 1-bit 2-bit 4-bit 8-bit Shellcode Shellcode Shellcode Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 20 / 24

32 Attcks ginst n-grm bsed IDSs cycle encoding cycle-encoding: prcticl exmple news/cnews/pnews/cnews/clnews/denews/ednews/onews/innews/ news/snews/jnews/grnews/99news/rnews/inews/enews/grnews/ inews/jnews/pnews/inews/ednews/pnews/clnews/cnews/99news/ news/news/onews/denews/innews/cnews/rnews/news/inews/pnew s/snews/news/inews/ednews/news/cnews/snews/news/onews/dene ws/99news/cnews/cnews/grnews/grnews/cnews/snews/news/clnew s/enews/rnews/news/inews/denews/news/cnews/rnews/news/on ews/ednews/99news/cnews/rnews/99news/cnews/news/news/inew s/pnews/inews/enews/enews/enews/enews/enews/enews/enews/c news/cnews/onews/snews/onews/inews/onews/enews/cnews/cln ews/innews/news/onews Figure: Shellcode 1 encoded in 4-bit cycle encoding, including tble, 5-grm model Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 21 / 24

33 Attcks ginst n-grm bsed IDSs cycle encoding Lessons lerned The trget grphs obtined re huge. Fixed-length substitution bsed encodings re computtionlly hrd, propbly NP complete. Adding more complexity didn t help to solve this issue. The vrible-length cycle-encoding scheme works relly well, but cuses up to 20-fold spce expnsion nd requires slightly more complex decoder. Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 22 / 24

34 Attcks ginst n-grm bsed IDSs cycle encoding Open Issues Could highly-optimized or heuristic lgorithms be used or dpted for these problems? The construction of vlid decoder might be difficult. Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 23 / 24

35 Questions? Attcks ginst n-grm bsed IDSs cycle encoding Thnk you for your ttention. Moritz Bechler (Universität Tübingen) Evding Angrm SPRING 7 24 / 24

36 The model Attcks ginst n-grm bsed IDSs cycle encoding 8#10 6 7#10 6 Totl pylod size: 112MB Only HTTP/1.0 GET requests 34 clients/2052 servers distinct 5-grms. 40% of these re vlid instructions. 6#10 6 5#10 6 count 4#10 6 3#10 6 2#10 6 1# vlue Figure: Pcket pylod byte distribution

37 Attcks ginst n-grm bsed IDSs Trget 5-grm grph cycle encoding Nodes: Edges: Density: Avg. in/out Degree: 1.71 Mx. Degree: 91 Avg. shortest pth lenght: Strongly connected components: 3667

38 Attcks ginst n-grm bsed IDSs slice-nd-pd: Tokeniztion cycle encoding Shellcode 1 Shellcode 2 Shellcode 3 Number of tokens Tokens of length Tokens of length Tokens of length Tokens of length Tokens of length Length of dt token Tble: Tokens occuring in shellcodes

In the last lecture, we discussed how valid tokens may be specified by regular expressions.

In the last lecture, we discussed how valid tokens may be specified by regular expressions. LECTURE 5 Scnning SYNTAX ANALYSIS We know from our previous lectures tht the process of verifying the syntx of the progrm is performed in two stges: Scnning: Identifying nd verifying tokens in progrm.