Evading Network Anomaly Detection Systems - Fogla, Lee
Presented by Divya Muthukumaran
Intrusion detection systems
- Signature-based IDS: monitors packets on the network and compares them against a database of signatures/attributes of known threats
- Similar to anti-virus software
Polymorphic attacks
- Designed to evade detection by a signature-based IDS
- Every instance looks different: the payload of every instance can have different byte contents
Anomaly-based detection
- Build a profile of what is normal; any significant deviation from normal is flagged as an attack
- Polymorphic attack instances differ from each other, BUT they are NOT NORMAL
- GOAL (of the attacker): make polymorphic attacks look like normal traffic
Polymorphic blending attacks
- Attacks blend in with normal traffic to evade a payload-statistics-based IDS
- Transform each instance (the payload characters) to fit the normal profile
PAYL system
- Analyzes and models the normal payloads expected to be delivered to the network service or application; the model is specific to the site where the detector is placed
- Learning phase: determine the byte frequency distribution of the normal payloads
- Incoming payloads are tested against the normal profile and classified using a distance metric
PAYL system: n-gram analysis
- Example byte sequence: a c q a a b a c q, with n = 3 (a sliding window of 3 bytes)
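The two PAYL slides above describe the detector that the rest of the talk tries to evade: learn a byte (n-gram) frequency profile from normal payloads, then score each incoming payload by its distance from that profile. The following is an added example, not code from the paper or from PAYL itself; it implements the n-gram window from the slide and a simplified PAYL-style model (per-n-gram mean and standard deviation, scored with the smoothed Mahalanobis-like distance PAYL is known to use). The HTTP request lines and the binary blob are constructed sample inputs, and the class and function names are my own.

```python
from collections import Counter
from math import sqrt


def ngrams(payload: bytes, n: int) -> list:
    """Sliding-window n-grams of a payload; for b'acqaabacq' and n=3 the first is b'acq'."""
    return [payload[i:i + n] for i in range(len(payload) - n + 1)]


class PaylProfile:
    """Simplified PAYL-style model (assumed structure, not the original PAYL code):
    per-n-gram mean and standard deviation of relative frequency, learned from
    normal payloads, scored with a smoothed Mahalanobis-like distance."""

    def __init__(self, n: int = 1, smoothing: float = 0.001):
        self.n = n
        self.alpha = smoothing  # avoids division by zero for n-grams with zero variance
        self.mean: dict = {}
        self.std: dict = {}

    def _freq(self, payload: bytes) -> dict:
        grams = ngrams(payload, self.n)
        total = len(grams) or 1
        return {g: c / total for g, c in Counter(grams).items()}

    def fit(self, normal_payloads: list) -> "PaylProfile":
        per_payload = [self._freq(p) for p in normal_payloads]
        m = len(per_payload)
        for key in set().union(*per_payload):
            vals = [f.get(key, 0.0) for f in per_payload]
            mu = sum(vals) / m
            self.mean[key] = mu
            self.std[key] = sqrt(sum((v - mu) ** 2 for v in vals) / m)
        return self

    def distance(self, payload: bytes) -> float:
        """Sum over all n-grams of |observed - mean| / (std + alpha).
        N-grams never seen in training have mean 0 and std 0, so they are penalised heavily."""
        f = self._freq(payload)
        return sum(abs(f.get(k, 0.0) - self.mean.get(k, 0.0)) / (self.std.get(k, 0.0) + self.alpha)
                   for k in set(self.mean) | set(f))

    def is_anomalous(self, payload: bytes, threshold: float) -> bool:
        return self.distance(payload) > threshold


# Constructed sample traffic: a few normal-looking HTTP request lines for training,
# one unseen request line, and one binary blob that shares no bytes with the training set.
NORMAL = [b"GET /index.html HTTP/1.0\r\n", b"GET /about.html HTTP/1.0\r\n", b"GET /help.html HTTP/1.0\r\n"]
UNSEEN_NORMAL = b"GET /news.html HTTP/1.0\r\n"
BINARY_BLOB = bytes([0x00, 0xFF, 0x7F, 0x80] * 6)


def demo(n: int = 1) -> dict:
    """Distances of the two test payloads under an n-gram profile trained on NORMAL."""
    profile = PaylProfile(n).fit(NORMAL)
    return {"normal": profile.distance(UNSEEN_NORMAL), "blob": profile.distance(BINARY_BLOB)}


if __name__ == "__main__":
    for n in (1, 2):
        print(n, demo(n))
```

The threshold passed to `is_anomalous` is the error threshold the later "Assumptions" slide says the attacker can roughly guess; in deployment it is set from the distance distribution of held-out normal traffic.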
Polymorphic attack components
- Attack vector: exploits the vulnerability
- Attack body: performs the malicious action
- Polymorphic decryptor: decrypts the attack body and transfers control to it
How the attacker works (diagram; labels: Network A, Network B, Host X, Host Y, IDS_B, Artificial Profile, Normal Profile)
Attack body encryption: byte substitution
- Every character in the attack body is substituted by a character observed in normal traffic, using a substitution table
- The encrypted attack body is padded with garbage "normal" data for better matching
- Example frequency tables:
  Attack char   Freq        Normal char   Freq
  p             5           a             6
  q             4           c             5
  ...                       ...
Polymorphic decryptor
- Removes the extra padding from the encrypted attack body
- Uses reverse substitution to decrypt the attack body and produce the original attack code
- Decoding table: one-to-one mappings are easy to store, as an array whose i-th entry is the normal character used to substitute attack character i
PBA attack packet
- Layout: Attack vector | Decryptor | Encrypted attack code | Decryption key (table) | Padding
- The attack vector, decryptor and substitution table are not encrypted, so they may alter the packet statistics and cause a deviation from the normal profile
- New profile = normal profile - frequencies of the characters in the attack vector, decryptor and substitution table
Problem
- Given an anomaly IDS and an attack, can we automatically generate its PBA instances?
Motivation
- To provide the defender a means to evaluate an IDS and improve it
Assumptions
- Applies only to a network IDS
- The network IDS uses only simple statistical measures to model normal traffic
- The attacker knows the features and algorithms used by the IDS
- Given normal packets, the attacker can generate an artificial profile
- The attacker can roughly guess the error threshold of the IDS
Modeling the IDS
- Scope is limited to payload-based IDS. Why? Polymorphic attacks mutate only the packet payload
- These IDSs can be represented by a finite-state automaton (FSA). Example: the PAYL system records the average frequency of unique n-grams
- SFSA: each state represents a unique (n-1)-gram corresponding to the last n-1 bytes of the packet; reading the next byte moves from state (a_0, a_1, ..., a_{n-2}) to state (a_1, a_2, ..., a_{n-1})
To generate a PBA
- The attacker decides the encryption scheme
- Mutated instances of the attack vector and decryptor are generated
- Identify the encryption key: the packet sections of encrypted attack code + decryption key should be accepted by the FSA
- Adjust the FSA for the decryptor and attack vector: identify the path taken (if multiple paths exist, take the one with the highest probabilities) and reduce the transition probabilities according to the number of occurrences in the attack vector and decryptor
- Padding: works as above
The problem: PBA_subfsa
- Find a one-to-one mapping from attack characters to normal characters such that S_key_ac (the key-encrypted attack code) is accepted by the FSA of the IDS
- Prove: PBA_subfsa is NP-complete
  - The problem is in NP: a solution is verifiable for correctness in polynomial time
  - The problem should be hard (NP-hard)
PROVE: the problem is in NP
- Given a one-to-one mapping, we can generate the decryption key (table) and the encrypted attack code
- The IDS is represented as an FSA, and an FSA is a decidable language
- Therefore we can verify acceptance in polynomial time
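The "Modeling the IDS" slide above represents an n-gram payload detector as an automaton whose states are the last n-1 bytes, and the slide just above uses that representation for the NP argument: given a candidate one-to-one mapping, applying it to the attack code and running the FSA over the result is a polynomial-time check. The following is an added example that serves both slides; it is not code from the paper. It builds the FSA from constructed normal traffic, exposes the single path a payload takes through it, and implements the verification step. The names `NgramFSA` and `verify_mapping` are my own, and the check is written from the defender's side: it also shows why a 1-gram model (a single state) accepts any payload whose bytes occur in normal traffic, while a 2-gram model constrains adjacent bytes.

```python
from collections import defaultdict


class NgramFSA:
    """Payload IDS modelled as a finite-state automaton, as the slides describe for
    PAYL (assumed structure, not the paper's code): a state is the last n-1 bytes,
    a transition is the next byte, weighted by its frequency in normal traffic."""

    def __init__(self, n: int = 2):
        self.n = n
        # state (bytes of length n-1) -> next byte value -> observation count
        self.trans: dict = defaultdict(lambda: defaultdict(int))

    def train(self, payloads: list) -> "NgramFSA":
        for p in payloads:
            for i in range(self.n - 1, len(p)):
                self.trans[p[i - self.n + 1:i]][p[i]] += 1
        return self

    def prob(self, state: bytes, byte: int) -> float:
        """Transition probability; 0.0 when the state or the byte was never observed."""
        row = self.trans.get(state)
        if not row:
            return 0.0
        return row.get(byte, 0) / sum(row.values())

    def walk(self, payload: bytes) -> list:
        """Transition probabilities along the single path a payload takes through the FSA."""
        return [self.prob(payload[i - self.n + 1:i], payload[i])
                for i in range(self.n - 1, len(payload))]

    def accepts(self, payload: bytes, min_prob: float = 0.0) -> bool:
        """Accept iff every transition was seen in normal traffic (above min_prob)."""
        return all(p > min_prob for p in self.walk(payload))


def verify_mapping(fsa: NgramFSA, code: bytes, key: dict) -> bool:
    """Polynomial-time check from the 'problem is in NP' slide: given a candidate
    one-to-one byte mapping, rewrite the code with it and run the FSA over the result."""
    if any(b not in key for b in code):
        return False  # mapping does not cover every attack character
    if len(set(key.values())) != len(key):
        return False  # not one-to-one: cannot be reversed with a simple table
    return fsa.accepts(bytes(key[b] for b in code))


# Constructed normal traffic. The 1-gram model has a single state, the 2-gram model
# remembers the previous byte, so b'aa' passes the first and fails the second.
NORMAL = [b"abab", b"abba"]
fsa1 = NgramFSA(1).train(NORMAL)
fsa2 = NgramFSA(2).train(NORMAL)

if __name__ == "__main__":
    print(fsa2.walk(b"aba"), fsa1.accepts(b"aa"), fsa2.accepts(b"aa"))
```

Raising `min_prob` above zero turns the automaton from a language membership test into the thresholded check an anomaly detector actually performs; a transition that occurs in normal traffic but very rarely is then rejected too.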
To prove NP-hardness: reduce the 3-SAT problem to PBA
- What is 3-SAT? Example instance: (x1 v x2 v x4) ^ (x2 v x4 v x5) ^ (x3 v x2 v x1)
- Consider a 3-SAT problem with q variables, q <= 128, and r clauses
- For every variable x_i: one attack character att_i, and two normal characters norm_i and norm_{i+128}
- Writing e(att_i) for the encrypted form of att_i:
  x_i = 1 if and only if e(att_i) = norm_i and e(att_{i+128}) = norm_{i+128}
  x_i = 0 if and only if e(att_i) = norm_{i+128} and e(att_{i+128}) = norm_i
Assignment (3-SAT)    Substitution (PBA)
x_i = 1               att_i -> norm_i
x_i = 0               att_i -> norm_{i+128}
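The variable gadget of the reduction on the two slides above (a truth value for x_i is encoded as which of the two normal characters att_i is substituted with) can be written out concretely. The following is an added example, not the paper's construction: it evaluates a small constructed 3-SAT instance, builds the substitution key that the slides' rule assigns to a truth assignment, checks that the key is one-to-one (the property the PBA_subfsa problem requires of a solution), and reads the assignment back off the key. Characters are represented by their index, and attack and normal alphabets are treated as separate index spaces, which is my assumption. The clause gadget (how the IDS's FSA is built so that it accepts the encoded code only when every clause is satisfied) is not on these slides and is not reproduced here.

```python
def evaluate_3sat(clauses: list, assignment: list) -> bool:
    """A clause is a list of literals (var_index, negated); a literal is true when
    the variable's value differs from its negation flag."""
    return all(any(assignment[v] != neg for v, neg in clause) for clause in clauses)


def key_from_assignment(assignment: list) -> dict:
    """Variable gadget from the slides: x_i = 1 maps att_i -> norm_i and
    att_{i+128} -> norm_{i+128}; x_i = 0 swaps the two targets.
    Characters are represented by their index; attack and normal alphabets
    are separate index spaces (an assumption about the encoding)."""
    if len(assignment) > 128:
        raise ValueError("the slides' encoding supports q <= 128 variables")
    key = {}
    for i, value in enumerate(assignment):
        if value:
            key[i], key[i + 128] = i, i + 128
        else:
            key[i], key[i + 128] = i + 128, i
    return key


def assignment_from_key(key: dict, q: int) -> list:
    """Read the variable assignment back off a substitution key."""
    return [key[i] == i for i in range(q)]


def is_one_to_one(key: dict) -> bool:
    """A substitution key must be a bijection so the decryptor can reverse it."""
    return len(set(key.values())) == len(key)


# Constructed 3-SAT instance over q = 5 variables (0-indexed), r = 3 clauses:
# (x0 v ~x1 v x3) ^ (x1 v ~x3 v x4) ^ (x0 v x1 v x2)
CLAUSES = [[(0, False), (1, True), (3, False)],
           [(1, False), (3, True), (4, False)],
           [(0, False), (1, False), (2, False)]]
SATISFYING = [True, False, True, False, False]
UNSATISFYING = [False] * 5

if __name__ == "__main__":
    k = key_from_assignment(SATISFYING)
    print(evaluate_3sat(CLAUSES, SATISFYING), is_one_to_one(k), assignment_from_key(k, 5))
```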
Heuristic solutions
- Reduce SAT to ILP (integer linear programming) and then find heuristic solutions
- Hill-climbing algorithm: start with an initial solution and iteratively improve it
  - Choose a random encryption key
  - Calculate the distance between S_key_ac and the FSA
  - Randomly choose a key entry K_i and modify it
Performance and results
- Tested against PAYL with 1-gram and 2-gram models
- Time taken to solve the ILP problem: PAYL 1-gram, a few seconds; PAYL 2-gram, several minutes
- Substitution is better than XOR for evading the IDS
- The paper proposes a method to harden the IDS against PBA attacks
Future directions
- Study PBA with different mutation techniques: metamorphism and code obfuscation
- Extend the current technique to determine the best mutation technique and the optimal padding bytes
So what is the big point for IDS?
- The paper brings in some formalism, although the attack described may not be very effective
- Is it a constant arms race? Does IDS really work? Can we beat the attacker?
Thank you