Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran
Intrusion detection Systems Signature Based IDS Monitor packets on the network Compare them against database of signatures/attributes from known threats Similar to Anti-virus software
Polymorphic attacks To evade detection by a signature based IDS Every instance looks different Payload of every instance can have different byte contents
Anomaly based detection Build a profile of what is Normal Any significant deviation from normal is called an attack Polymorphic attacks Instances differ from each other BUT Are NOT NORMAL GOAL : Make polymorphic attacks look like normal traffic
Polymorphic Blending attacks Attacks blend in with normal traffic Evade payload statistics based IDS Transform each instance - payload char to fit normal profile
PAYL System Analyze and model normal payloads that are expected to be delivered to the network service or application Specific to the site in which the detector is placed Learning Phase: determine the byte frequency distribution of the normal payload Incoming payloads tested against normal profile and classified based on some distance metric
PAYL System n-gram analysis n = 3 a c q a a b a c q
Polymorphic attack components ATTACK ATTACK POLYMORPHIC VECTOR BODY DECRYPTOR Decrypts attack Malicious Exploit body and transfers action vulnerability control
How the attacker works Network B Network A Host X Host Y IDS B ≈ Artificial Profile Normal Profile
Attack body Encryption Byte substitution Attack Normal Every char in the attack body is Char Freq Char Freq substituted by a char p 5 a 6 observed from normal q 4 c 5 traffic using a substitution table .. .. Pad the encrypted .. .. attack body with garbage normal data - better matching
Polymorphic Decryptor Removes extra padding from the encrypted attack body. Use reverse substitution to decrypt attack body to produce original attack code Decoding table: Easy to store one-to-one mappings Array where i th entry represents the normal character used to substitute attack character i
PBA Attack packet The attack vector, decryptor Attack Vector and substitution table are not encrypted Decryptor May alter packet statistics--> May deviate from the normal Encrypted attack code New profile = normal profile - Decryption Key frequencies of characters in the (table) attack vector, decryptor and the substitution table Padding
Problem Given an anomaly IDS and an attack, can we automatically generate its PBA instances? Motivation To provide the defender a means to evaluate an IDS and improve it
Assumptions Applies only to N/W IDS N/W IDS uses only simple statistical measures to model normal traffic Attacker knows the features and algorithms used in the IDS Given normal packets he can generate an artificial profile Attacker can roughly guess the error threshold of the IDS
Modeling IDS Scope is limited to payload based IDS. Why? Polymorphic attacks mutate only packet payload These IDSs can be represented by an FSA. Ex: PAYL system Records average freq of unique n -grams SFSA : Each state represents unique (n-1) gram corresponding to the last n-1 bytes in the packet A A’ (a 0 ,a 1 ..,a n-2 ) (a 1 ,a 2 ,..,a n-1 )
To generate a PBA Attacker decides encryption scheme Mutated instance of attack vector and decryptor are generated Identify the encryption key Packet sections of encrypted attack code+decryption key should be accepted by the FSA Adjust FSA for decryptor and attack vector Identify the path taken If multiple paths exist, take the one with highest probabilities Reduce the probabilities of the transition according to the number that occur in the attack vector and decryptor Padding - works as above
The Problem PBA subFSA - Find a one-to-one mapping form attack char to normal char such that S key_ac (key || encrypted attack code) is accepted by the FSA of an IDS Prove: PBA subFSA is NP-complete Problem is in NP - verifiable for correctness in polynomial time Problem should be hard
PROVE: Problem is in NP Given a one-to-one mapping Can generate the decryption key (table) and encrypted attack code IDS is represented as an FSA FSA is a decidable language Therefore we can verify in polynomial time
To Prove NP- Hard Reduce the 3-SAT problem to PBA What is 3-SAT? (x1 ∪ x2 ∪ x4) ∩ (x2 ∪ x4 ∪ x5) ∩ (x3 ∪ x2 ∪ x1) Consider a 3-SAT problem: q variables, q<=128, r clauses Every x i , One attack char att i Two normal char norm i , norm i+ 128 eatt i X i = 1, if and only if eatt i= norm i and eatt i +128 = norm i+ 128 = 0, if and only if eatt i= norm i+128 and eatt i +128 = norm
Assignment att i x i norm i norm i+128 1 0 PBA 3- SAT
To Prove NP- Hard
Heuristic Solutions Reduce SAT to ILP and then find heuristic solutions Hill climbing algorithm: Start with an initial solution and iteratively improve it Choose random encryption key Calculate distance between S key_ac and FSA Randomly choose K i and modify it
Performance and Results Tested against PAYL 1 and 2 gram Time taken to solve ILP problem using PAYL 1-gram --> Few seconds PAYL 2-gram --> several minutes Substitution better than XOR for evading IDS Propose a method to harden the IDS against PBA attacks
Future Directions Study PBA by different mutation techniques - metamorphism and code obfuscation Extend current technique to determine best mutation technique and optimal padding bytes
So what is ? Big point FOR IDS? The paper brings in some formalism although the attack described may not be very effective Is it a constant arms race? Does IDS really work ? Can we beat the attacker?
Thank you
Recommend
More recommend
