Evading Network Anomaly Detection Systems - Fogla, Lee - PowerPoint PPT Presentation

SLIDE 1

Evading Network Anomaly Detection Systems - Fogla, Lee

Presented by Divya Muthukumaran

SLIDE 2

Intrusion Detection Systems

- Signature-based IDS
  - Monitors packets on the network
  - Compares them against a database of signatures/attributes of known threats
  - Similar to anti-virus software

SLIDE 3

Polymorphic attacks

- Aim to evade detection by a signature-based IDS
- Every instance looks different
- The payload of every instance can have different byte contents

SLIDE 4

Anomaly-based detection

- Build a profile of what is normal
- Any significant deviation from normal is flagged as an attack
- Polymorphic attacks
  - Instances differ from each other
  - BUT
  - Are NOT NORMAL

GOAL: Make polymorphic attacks look like normal traffic

SLIDE 5

Polymorphic blending attacks

- Attacks blend in with normal traffic
- Evade payload-statistics-based IDS
- Transform each instance (the payload characters) to fit the normal profile

SLIDE 6

PAYL system

- Analyzes and models the normal payloads that are expected to be delivered to the network service or application
- Specific to the site in which the detector is placed
- Learning phase: determine the byte frequency distribution of the normal payload
- Incoming payloads are tested against the normal profile and classified based on some distance metric

SLIDE 7

PAYL system: n-gram analysis

Example payload: q c a b a a q c a

n = 3 (the window slides one byte at a time, so the 3-grams are qca, cab, aba, baa, aaq, aqc, qca)
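To make slides 6 and 7 concrete, here is an added example (not code from the presentation or from the PAYL authors) of the detector side: an n-gram counter for the slide's example payload, and a PAYL-style 1-gram profile that learns the mean and standard deviation of each byte's relative frequency from normal payloads and scores new payloads with the simplified Mahalanobis distance sum_i |x_i - mean_i| / (std_i + alpha). The training payloads, the alpha smoothing value and the threshold convention are assumptions constructed for the example.

```python
from collections import Counter
from typing import Iterable, List


def ngram_counts(payload: bytes, n: int) -> Counter:
    """Count every overlapping n-gram (sliding window of n bytes) in one payload.
    For the slide's example b"qcabaaqca" with n=3 the windows are
    qca, cab, aba, baa, aaq, aqc, qca, so b"qca" is counted twice."""
    return Counter(payload[i:i + n] for i in range(len(payload) - n + 1))


def byte_frequency_vector(payload: bytes) -> List[float]:
    """Relative frequency of each of the 256 byte values (the 1-gram case)."""
    vec = [0.0] * 256
    if not payload:
        return vec
    for b in payload:
        vec[b] += 1.0
    return [x / len(payload) for x in vec]


class PaylProfile:
    """PAYL-style 1-gram model: mean and standard deviation of each byte's
    relative frequency over the normal training payloads, compared against a
    new payload with the simplified Mahalanobis distance
    sum_i |x_i - mean_i| / (std_i + alpha)."""

    def __init__(self, alpha: float = 0.001) -> None:
        self.alpha = alpha  # smoothing (assumed value) so std = 0 never divides by zero
        self.mean = [0.0] * 256
        self.std = [0.0] * 256

    def train(self, payloads: Iterable[bytes]) -> None:
        vectors = [byte_frequency_vector(p) for p in payloads]
        m = len(vectors)
        if m == 0:
            raise ValueError("need at least one training payload")
        self.mean = [sum(v[i] for v in vectors) / m for i in range(256)]
        self.std = [
            (sum((v[i] - self.mean[i]) ** 2 for v in vectors) / m) ** 0.5
            for i in range(256)
        ]

    def distance(self, payload: bytes) -> float:
        vec = byte_frequency_vector(payload)
        return sum(abs(vec[i] - self.mean[i]) / (self.std[i] + self.alpha)
                   for i in range(256))

    def is_anomalous(self, payload: bytes, threshold: float) -> bool:
        """The threshold is site-specific: PAYL calibrates it per service/port."""
        return self.distance(payload) > threshold


# Constructed training set: a handful of plausible HTTP request payloads.
NORMAL_PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nAccept: text/html\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: example.test\r\nAccept: image/png\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo/1.0\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 9\r\n\r\nuser=demo",
]


def demo():
    """Score one more normal-looking request and one constructed payload made of
    byte values never seen in training; returns both distances."""
    profile = PaylProfile()
    profile.train(NORMAL_PAYLOADS)
    normal = b"GET /contact.html HTTP/1.1\r\nHost: example.test\r\nAccept: text/html\r\n\r\n"
    odd = bytes(range(0x80, 0x100)) * 2  # constructed anomaly: high bytes only
    return profile.distance(normal), profile.distance(odd)


if __name__ == "__main__":
    d_normal, d_odd = demo()
    print(f"distance(normal)={d_normal:.1f}  distance(odd)={d_odd:.1f}")
    print(ngram_counts(b"qcabaaqca", 3))
```

Bytes that never occur in training have mean and standard deviation zero, so each of them contributes its full frequency divided by alpha; that is what drives the distance of the constructed payload far above that of the normal request, and it is also why the model is only as good as the site-specific training data it was built from.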

SLIDE 8

Polymorphic attack components

ATTACK VECTOR: exploits the vulnerability
ATTACK BODY: performs the malicious action
POLYMORPHIC DECRYPTOR: decrypts the attack body and transfers control to it

SLIDE 9

How the attacker works

(Diagram: Network A contains Host X and the attacker's Artificial Profile; Network B contains Host Y, IDS_B and the Normal Profile)

SLIDE 10

Attack body encryption

- Byte substitution
  - Every character in the attack body is substituted by a character observed in normal traffic, using a substitution table
- Pad the encrypted attack body with garbage normal data, for better matching

Attack byte frequencies        Normal byte frequencies
Freq  Char                     Freq  Char
6     a                        5     p
5     c                        4     q
..    ..                       ..    ..

SLIDE 11

Polymorphic decryptor

- Removes the extra padding from the encrypted attack body
- Uses reverse substitution to decrypt the attack body and produce the original attack code
- Decoding table:
  - Easy to store one-to-one mappings
  - An array where the i-th entry is the normal character used to substitute attack character i

SLIDE 12

PBA attack packet

- The attack vector, decryptor and substitution table are not encrypted
- They may alter the packet statistics --> the packet may deviate from the normal profile
- New profile = normal profile - frequencies of the characters in the attack vector, decryptor and substitution table

Packet layout: Attack Vector | Decryptor | Encrypted attack code | Decryption key (table) | Padding

SLIDE 13

Problem

- Given an anomaly IDS and an attack, can we automatically generate its PBA instances?

Motivation

- To give the defender a means to evaluate an IDS and improve it

SLIDE 14

Assumptions

- Applies only to network IDS
- The network IDS uses only simple statistical measures to model normal traffic
- The attacker knows the features and algorithms used in the IDS
- Given normal packets, the attacker can generate an artificial profile
- The attacker can roughly guess the error threshold of the IDS

SLIDE 15

Modeling the IDS

- Scope is limited to payload-based IDS. Why?
  - Polymorphic attacks mutate only the packet payload
- These IDSs can be represented by an FSA. Example: the PAYL system
  - Records the average frequency of unique n-grams
  - SFSA: each state represents a unique (n-1)-gram, corresponding to the last n-1 bytes seen in the packet

State A = (a0, a1, ..., a(n-2)) moves on input byte a(n-1) to state A' = (a1, a2, ..., a(n-1))
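The FSA view of an n-gram detector described on this slide, as an added example that is not code from the presentation or the paper: states are (n-1)-grams, a transition consumes the next byte, and transition probabilities are estimated from n-gram counts over normal payloads. The strict acceptance rule (no transition unseen in training, and the negative log-likelihood of the walk under a threshold) and the training payload, taken from the slide 7 example, are assumptions made for this example.

```python
import math
from collections import defaultdict
from typing import Dict, Iterable, Tuple


class NgramFSA:
    """PAYL-as-FSA model: every state is an (n-1)-gram, i.e. the last n-1 bytes
    seen; reading byte a(n-1) in state (a0..a(n-2)) moves to state (a1..a(n-1)).
    Transition probabilities are estimated from n-gram counts over normal payloads."""

    def __init__(self, n: int) -> None:
        if n < 2:
            raise ValueError("n must be at least 2 so that states are non-empty (n-1)-grams")
        self.n = n
        # state (bytes of length n-1) -> next byte value -> count seen in training
        self.counts: Dict[bytes, Dict[int, int]] = defaultdict(lambda: defaultdict(int))

    def train(self, payloads: Iterable[bytes]) -> None:
        k = self.n - 1
        for p in payloads:
            for i in range(len(p) - k):
                self.counts[p[i:i + k]][p[i + k]] += 1

    def transition_prob(self, state: bytes, nxt: int) -> float:
        """Probability of reading byte `nxt` in `state`, 0.0 if never observed."""
        outs = self.counts.get(state)
        if not outs:
            return 0.0
        return outs.get(nxt, 0) / sum(outs.values())

    def walk(self, payload: bytes) -> Tuple[float, int]:
        """Run the payload through the FSA. Returns (negative log-likelihood summed
        over the transitions that exist, number of transitions never seen in training)."""
        k = self.n - 1
        nll, unseen = 0.0, 0
        for i in range(len(payload) - k):
            p = self.transition_prob(payload[i:i + k], payload[i + k])
            if p == 0.0:
                unseen += 1
            else:
                nll -= math.log(p)
        return nll, unseen

    def accepts(self, payload: bytes, threshold: float) -> bool:
        """Strict acceptance rule (assumed): no unseen transition and walk cost <= threshold."""
        nll, unseen = self.walk(payload)
        return unseen == 0 and nll <= threshold


def demo():
    """Train a 3-gram FSA on the slide 7 payload (constructed training data) and
    walk two short probes through it."""
    fsa = NgramFSA(n=3)
    fsa.train([b"qcabaaqca"])
    return {
        "p(qc->a)": fsa.transition_prob(b"qc", ord("a")),
        "walk qcab": fsa.walk(b"qcab"),   # every transition was seen in training
        "walk qcx": fsa.walk(b"qcx"),     # qc -> x never occurred
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With n = 3 the state after reading "qc" has a single outgoing transition on "a", so the walk over "qcab" costs nothing, while "qcx" hits a transition the model has never seen; a deployed detector would normally smooth or threshold such unseen transitions rather than reject outright, which is exactly the error threshold the attacker is assumed to be able to guess on slide 14.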

SLIDE 16

To generate a PBA

- The attacker decides the encryption scheme
- Mutated instances of the attack vector and decryptor are generated
- Identify the encryption key: the packet sections holding the encrypted attack code and the decryption key should be accepted by the FSA
- Adjust the FSA for the decryptor and attack vector
  - Identify the path taken; if multiple paths exist, take the one with the highest probabilities
  - Reduce the probabilities of the transitions according to the number of times they occur in the attack vector and decryptor
- Padding: works as above

SLIDE 17

The Problem

- PBAsubFSA: find a one-to-one mapping from attack characters to normal characters such that S_key_ac (key || encrypted attack code) is accepted by the FSA of the IDS
- Prove: PBAsubFSA is NP-complete
  - The problem is in NP: a candidate mapping can be verified for correctness in polynomial time
  - The problem should be hard (NP-hard)

SLIDE 18

PROVE: the problem is in NP

- Given a one-to-one mapping
- We can generate the decryption key (table) and the encrypted attack code
- The IDS is represented as an FSA
- An FSA recognizes a decidable language
- Therefore we can verify the candidate in polynomial time

SLIDE 19

To prove NP-hard

- Reduce the 3-SAT problem to PBA
- What is 3-SAT? Example instance: (x1 ∨ x2 ∨ x4) ∧ (x2 ∨ x4 ∨ x5) ∧ (x3 ∨ x2 ∨ x1)
- Consider a 3-SAT problem with q variables, q <= 128, and r clauses. For every variable x_i:
  - One attack character att_i
  - Two normal characters norm_i and norm_{i+128}
  - Encrypted character eatt_i

x_i = 1 if and only if eatt_i = norm_i and eatt_{i+128} = norm_{i+128}
x_i = 0 if and only if eatt_i = norm_{i+128} and eatt_{i+128} = norm_i

SLIDE 20

Assignment

3-SAT        PBA
x_i          att_i
x_i = 1      norm_i, norm_{i+128}

SLIDE 21

To prove NP-hard

SLIDE 22

Heuristic solutions

- Reduce SAT to ILP and then find heuristic solutions
- Hill climbing algorithm: start with an initial solution and iteratively improve it
  - Choose a random encryption key
  - Calculate the distance between S_key_ac and the FSA
  - Randomly choose a key entry K_i and modify it

SLIDE 23

Performance and results

- Tested against PAYL with 1-gram and 2-gram models
- Time taken to solve the ILP problem:
  - PAYL 1-gram --> a few seconds
  - PAYL 2-gram --> several minutes
- Substitution is better than XOR for evading the IDS
- Proposes a method to harden the IDS against PBA attacks

SLIDE 24

Future directions

- Study PBA with different mutation techniques: metamorphism and code obfuscation
- Extend the current technique to determine the best mutation technique and the optimal padding bytes

SLIDE 25

So what?

- For IDS?
- The paper brings in some formalism, although the attack described may not be very effective
- Is it a constant arms race?
- Does IDS really work? Can we beat the attacker? Big point

SLIDE 26

Thank you