Evading Network Anomaly Detection Systems - Fogla, Lee. Divya Muthukumaran

Transcription:

Evading Network Anomaly Detection Systems - Fogla, Lee. Divya Muthukumaran

Intrusion Detection Systems
- Signature-based IDS: monitors packets on the network and compares them against a database of signatures/attributes of known threats.
- Similar to anti-virus software.

Polymorphic attacks
- Goal: evade detection by a signature-based IDS.
- Every instance looks different: the payload of every instance can have different byte contents.

Anomaly-based detection
- Build a profile of what is "normal"; any significant deviation from normal is called an attack.
- Polymorphic attacks: instances differ from each other, BUT they are NOT NORMAL.
- GOAL of the blending attack: make polymorphic attacks look like normal traffic.

Polymorphic Blending Attacks (PBA)
- The attacks blend in with normal traffic to evade payload-statistics-based IDS.
- Each instance is transformed (payload characters substituted) to fit the normal profile.

PAYL system
- Analyzes and models the normal payloads expected to be delivered to the network service or application.
- Specific to the site in which the detector is placed.
- Learning phase: determine the byte frequency distribution of the normal payload.
- Detection: incoming payloads are tested against the normal profile and classified based on some distance metric.

PAYL system: n-gram analysis
- Example payload: a c q a a b a c q, with n = 3 (a sliding window of 3 bytes yields acq, cqa, qaa, aab, aba, bac, acq).
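The two PAYL phases on the previous slides (learn an n-gram byte-frequency profile, then score incoming payloads by a distance metric) as an added example; this is not code from the paper or from PAYL itself. The training payloads, the test payloads, the L1 (Manhattan) distance and the threshold of 1.0 are all constructed assumptions; the slide only says "some distance metric".

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed training set standing in for the normal payloads PAYL would observe
# at one site (assumption: an HTTP-like text service). Not from the paper.
NORMAL_PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n",
]

# Constructed test payloads: a request of the same shape, and a non-text blob
# whose bytes never occur in the training data.
TEST_NORMAL = b"GET /contact.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TEST_ANOMALOUS = bytes([0xFF, 0x00]) * 20

# Constructed threshold; a real PAYL deployment learns its threshold per site.
THRESHOLD = 1.0


def ngrams(payload: bytes, n: int) -> List[bytes]:
    """Slide a window of n bytes over the payload (the tokenisation in the slide's
    'a c q a a b a c q, n = 3' example)."""
    return [payload[i:i + n] for i in range(len(payload) - n + 1)]


def build_profile(training: Iterable[bytes], n: int) -> Dict[bytes, float]:
    """Learning phase: relative frequency of each n-gram over all normal payloads."""
    counts: Counter = Counter()
    for payload in training:
        counts.update(ngrams(payload, n))
    total = sum(counts.values())
    return {gram: c / total for gram, c in counts.items()}


def l1_distance(profile: Dict[bytes, float], payload: bytes, n: int) -> float:
    """Manhattan (L1) distance between the payload's n-gram distribution and the
    profile. Assumption: a simple metric standing in for PAYL's own. It ranges
    from 0 (identical distributions) to 2 (no n-gram in common)."""
    counts = Counter(ngrams(payload, n))
    total = sum(counts.values())
    observed = {gram: c / total for gram, c in counts.items()} if total else {}
    keys = set(profile) | set(observed)
    return sum(abs(profile.get(k, 0.0) - observed.get(k, 0.0)) for k in keys)


def classify(profile: Dict[bytes, float], payload: bytes, n: int,
             threshold: float = THRESHOLD) -> Tuple[str, float]:
    """Detection phase: flag the payload when its distance exceeds the threshold."""
    d = l1_distance(profile, payload, n)
    return ("anomalous" if d > threshold else "normal"), d


def run_example(n: int = 1) -> Dict[str, float]:
    """Score both constructed test payloads against a profile of order n."""
    profile = build_profile(NORMAL_PAYLOADS, n)
    return {
        "normal": classify(profile, TEST_NORMAL, n)[1],
        "anomalous": classify(profile, TEST_ANOMALOUS, n)[1],
    }


if __name__ == "__main__":
    print(ngrams(b"acqaabacq", 3))
    for order in (1, 2, 3):
        print(order, run_example(order))
```

Because the anomalous blob shares no byte with the training text, its 1-gram distance is the maximum of 2.0 regardless of how much normal traffic was seen; the request of the same shape scores far lower. Raising n makes the profile stricter (more distinct grams, so a substituted payload must match sequences, not just single-byte counts), which is the reason the paper reports 2-gram PAYL being much harder to blend against than 1-gram PAYL.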

Polymorphic attack components
- ATTACK VECTOR: exploits the vulnerability.
- ATTACK BODY: performs the malicious action.
- POLYMORPHIC DECRYPTOR: decrypts the attack body and transfers control to it.

How the attacker works
[Diagram: Host X in Network A sends to Host Y in Network B, which is monitored by IDS_B; the attacker's Artificial Profile stands next to IDS_B's Normal Profile.]

Attack body encryption: byte substitution
- Every character in the attack body is substituted by a character observed in normal traffic, using a substitution table.
- Pad the encrypted attack body with garbage "normal" data for better matching.
- The table pairs the two frequency rankings:

  Attack char   Freq        Normal char   Freq
  p             5           a             6
  q             4           c             5
  ...                       ...

Polymorphic decryptor
- Removes the extra padding from the encrypted attack body.
- Uses reverse substitution to decrypt the attack body, producing the original attack code.
- Decoding table: one-to-one mappings are easy to store as an array whose i-th entry is the normal character used to substitute attack character i.

PBA attack packet
[ Attack vector | Decryptor | Encrypted attack code | Decryption key (table) | Padding ]
- The attack vector, decryptor and substitution table are not encrypted.
- They may alter the packet statistics --> the packet may deviate from the normal profile.
- New profile = normal profile - frequencies of the characters in the attack vector, decryptor and substitution table.
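The transformation described on the last three slides (frequency-ranked substitution table, padding with normal data, the decoding array, reverse substitution) reduced to a four-symbol toy, as an added example that is not code from the paper. It exists to reproduce the paper's own kind of measurement: how far each step moves a body towards a 1-gram normal profile, and whether the decoding array inverts it. The normal profile, the stand-in attack body (bytes that never occur in normal traffic), the greedy padding rule and the assumption that the decryptor knows the body length are all constructed here.

```python
from collections import Counter
from typing import Dict, List

# Constructed 1-gram normal profile (byte -> relative frequency) over a four-symbol
# alphabet, standing in for a detector's learned profile. Not from the paper.
NORMAL_PROFILE: Dict[int, float] = {ord("a"): 0.4, ord("b"): 0.3, ord("c"): 0.2, ord("d"): 0.1}

# Constructed stand-in for an attack body: none of its bytes appear in normal traffic.
ATTACK_BODY = b"zzzzyyyx"
PAD_LEN = 8


def byte_freq(data: bytes) -> Dict[int, float]:
    counts = Counter(data)
    return {b: c / len(data) for b, c in counts.items()} if data else {}


def l1_distance(profile: Dict[int, float], data: bytes) -> float:
    """L1 distance between the data's 1-gram distribution and the profile (0 = identical, 2 = disjoint)."""
    observed = byte_freq(data)
    return sum(abs(profile.get(k, 0.0) - observed.get(k, 0.0)) for k in set(profile) | set(observed))


def build_substitution_table(body: bytes, profile: Dict[int, float]) -> Dict[int, int]:
    """Frequency-ranked one-to-one mapping, as in the slide's two ranked tables: the most
    frequent attack byte is paired with the most frequent normal byte, and so on."""
    attack_ranked = [b for b, _ in Counter(body).most_common()]
    normal_ranked = sorted(profile, key=lambda b: profile[b], reverse=True)
    if len(attack_ranked) > len(normal_ranked):
        raise ValueError("not enough distinct normal bytes for a one-to-one mapping")
    return dict(zip(attack_ranked, normal_ranked))


def decoding_table(table: Dict[int, int]) -> List[int]:
    """The slide's decoding array: entry i is the normal byte substituted for attack
    byte i (-1 where attack byte i does not occur in the body)."""
    arr = [-1] * 256
    for attack_byte, normal_byte in table.items():
        arr[attack_byte] = normal_byte
    return arr


def substitute(body: bytes, table: Dict[int, int]) -> bytes:
    return bytes(table[b] for b in body)


def pad_towards_profile(encoded: bytes, profile: Dict[int, float], pad_len: int) -> bytes:
    """Append pad_len bytes, each time choosing the normal byte whose observed share is
    furthest below its profile share (a deterministic greedy reading of the slide's
    'pad with normal data'; constructed, not the paper's padding rule)."""
    counts = Counter(encoded)
    total = len(encoded)
    padding = bytearray()
    for _ in range(pad_len):
        pick = max(profile, key=lambda b: profile[b] - counts[b] / total)
        padding.append(pick)
        counts[pick] += 1
        total += 1
    return encoded + bytes(padding)


def reverse_substitute(packet_body: bytes, dec_table: List[int], body_len: int) -> bytes:
    """Decryptor side: strip the padding (body length assumed known to the decryptor),
    then invert the array by looking up each normal byte's index."""
    inverse = {normal: attack for attack, normal in enumerate(dec_table) if normal >= 0}
    return bytes(inverse[b] for b in packet_body[:body_len])


def evaluate() -> Dict[str, object]:
    """Distance of the body to the profile before substitution, after it, and after padding."""
    table = build_substitution_table(ATTACK_BODY, NORMAL_PROFILE)
    encoded = substitute(ATTACK_BODY, table)
    padded = pad_towards_profile(encoded, NORMAL_PROFILE, PAD_LEN)
    recovered = reverse_substitute(padded, decoding_table(table), len(ATTACK_BODY))
    return {
        "raw_distance": l1_distance(NORMAL_PROFILE, ATTACK_BODY),
        "substituted_distance": l1_distance(NORMAL_PROFILE, encoded),
        "padded_distance": l1_distance(NORMAL_PROFILE, padded),
        "roundtrip_ok": recovered == ATTACK_BODY,
        "padded": padded,
    }


if __name__ == "__main__":
    print(evaluate())
```

With these constructed inputs the raw body sits at the maximum distance of 2.0, substitution alone brings it to 0.35, and eight padding bytes bring it to 0.075, which is the effect the slide's "better matching" refers to. What the toy also makes visible is the defender's lever: the whole measurement is against a 1-gram profile, so a detector that also models byte sequences (the 2-gram profile from the next slides) is not satisfied by a table that only matches single-byte counts.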

Problem
- Given an anomaly IDS and an attack, can we automatically generate its PBA instances?
- Motivation: to provide the defender a means to evaluate an IDS and improve it.

Assumptions
- Applies only to network IDS.
- The network IDS uses only simple statistical measures to model normal traffic.
- The attacker knows the features and algorithms used in the IDS.
- Given normal packets, the attacker can generate an artificial profile.
- The attacker can roughly guess the error threshold of the IDS.

Modeling the IDS
- Scope is limited to payload-based IDS. Why? Polymorphic attacks mutate only the packet payload.
- These IDSs can be represented by an FSA. Example: the PAYL system records the average frequency of unique n-grams.
- SFSA: each state represents a unique (n-1)-gram, the last n-1 bytes seen in the packet; reading byte a(n-1) moves from state A(a0, a1, ..., a(n-2)) to state A(a1, a2, ..., a(n-1)).
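The SFSA view of an n-gram detector on this slide, as an added example (not the paper's model or code): each (n-1)-gram is a state, each observed next byte is a transition weighted by how often it followed that state in training, and a payload is accepted only if every transition exists and the path is probable enough. The training payloads and the acceptance threshold (mean per-transition log-probability of at least log 0.5) are constructed assumptions.

```python
import math
from collections import Counter, defaultdict
from typing import Dict, Iterable, Optional

# Constructed normal payloads used to train the model; not from the paper.
TRAINING = [b"abab", b"abac"]

# Constructed acceptance threshold on the mean per-transition log-probability.
LOG_THRESHOLD = math.log(0.5)


def build_sfsa(training: Iterable[bytes], n: int) -> Dict[bytes, Dict[int, float]]:
    """States are (n-1)-grams; from state s the byte b is read with probability
    count(s + b) / count(s as a prefix). Only transitions seen in training exist,
    which is what makes the automaton reject unseen byte sequences outright."""
    counts: Dict[bytes, Counter] = defaultdict(Counter)
    for payload in training:
        for i in range(len(payload) - n + 1):
            state, nxt = payload[i:i + n - 1], payload[i + n - 1]
            counts[state][nxt] += 1
    return {s: {b: c / sum(nb.values()) for b, c in nb.items()} for s, nb in counts.items()}


def path_log_prob(sfsa: Dict[bytes, Dict[int, float]], payload: bytes, n: int) -> Optional[float]:
    """Sum of log transition probabilities along the payload's byte path.
    Returns None as soon as a transition (or a state) was never seen in training."""
    total = 0.0
    for i in range(len(payload) - n + 1):
        state, nxt = payload[i:i + n - 1], payload[i + n - 1]
        p = sfsa.get(state, {}).get(nxt)
        if p is None:
            return None
        total += math.log(p)
    return total


def accepts(sfsa: Dict[bytes, Dict[int, float]], payload: bytes, n: int,
            log_threshold: float = LOG_THRESHOLD) -> bool:
    """Accept if every transition exists and the mean per-transition log-probability
    meets the threshold; the mean keeps the score independent of payload length."""
    lp = path_log_prob(sfsa, payload, n)
    if lp is None:
        return False
    steps = max(1, len(payload) - n + 1)
    return lp / steps >= log_threshold


if __name__ == "__main__":
    model = build_sfsa(TRAINING, 2)
    for candidate in (b"abab", b"acac", b"ad"):
        print(candidate, path_log_prob(model, candidate, 2), accepts(model, candidate, 2))
```

With n = 2 the states are single bytes, so the model is a byte-bigram Markov chain; with n = 3 on the slide's own "acqaabacq" example the state "ac" has exactly one outgoing transition (to "q") because "acq" is the only 3-gram starting with "ac". The "adjust FSA for decryptor and attack vector" step on the next slide is, in these terms, lowering the weights of the transitions those fixed sections already consume.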

To generate a PBA
- The attacker decides the encryption scheme.
- Mutated instances of the attack vector and decryptor are generated.
- Identify the encryption key: the packet sections "encrypted attack code + decryption key" should be accepted by the FSA.
- Adjust the FSA for the decryptor and attack vector:
  - Identify the path they take; if multiple paths exist, take the one with the highest probabilities.
  - Reduce the probabilities of those transitions according to the number of times they occur in the attack vector and decryptor.
- Padding: works as above.

The problem: PBA_subfsa
- Find a one-to-one mapping from attack characters to normal characters such that S_key_ac (the key followed by the encrypted attack code) is accepted by the FSA of the IDS.
- Prove: PBA_subfsa is NP-complete.
  - The problem is in NP: a candidate solution is verifiable for correctness in polynomial time.
  - The problem should be hard (NP-hard).

PROVE: the problem is in NP
- Given a one-to-one mapping, we can generate the decryption key (table) and the encrypted attack code.
- The IDS is represented as an FSA, and the language of an FSA is decidable.
- Therefore acceptance can be verified in polynomial time.

To prove NP-hard
- Reduce the 3-SAT problem to PBA.
- What is 3-SAT? Example instance: (x1 x2 x4) (x2 x4 x5) (x3 x2 x1)
- Consider a 3-SAT problem with q variables, q <= 128, and r clauses.
- For every xi: one attack char att_i, and two normal chars norm_i and norm_(i+128); e(att_i) denotes the normal char substituted for att_i.
- xi = 1 if and only if e(att_i) = norm_i and e(att_(i+128)) = norm_(i+128).
- xi = 0 if and only if e(att_i) = norm_(i+128) and e(att_(i+128)) = norm

Assignment mapping, 3-SAT to PBA

  3-SAT          PBA
  variable xi    attack char att_i
  xi = 1         norm_i
  xi = 0         norm_(i+128)

Heuristic solutions
- Reduce SAT to ILP and then find heuristic solutions.
- Hill-climbing algorithm: start with an initial solution and iteratively improve it.
  - Choose a random encryption key.
  - Calculate the distance between S_key_ac and the FSA.
  - Randomly choose K_i and modify it.

Performance and results
- Tested against PAYL with 1-grams and 2-grams.
- Time taken to solve the ILP problem: PAYL 1-gram --> a few seconds; PAYL 2-gram --> several minutes.
- Substitution is better than XOR for evading the IDS.
- The authors propose a method to harden the IDS against PBA attacks.

Future directions
- Study PBA with different mutation techniques: metamorphism and code obfuscation.
- Extend the current technique to determine the best mutation technique and optimal padding bytes.

So what? What is the big point for IDS?
- The paper brings in some formalism, although the attack described may not be very effective.
- Is it a constant arms race? Does IDS really work? Can we beat the attacker?

Thank you