
Evading Network Anomaly Detection Systems - Fogla, Lee; Divya Muthukumaran - PowerPoint PPT Presentation


  1. Evading Network Anomaly Detection Systems - Fogla, Lee; Divya Muthukumaran

  2. Intrusion Detection Systems
     - Signature based IDS
       - Monitor packets on the network
       - Compare them against a database of signatures/attributes from known threats
       - Similar to anti-virus software

  3. Polymorphic attacks
     - Aim to evade detection by a signature based IDS
     - Every instance looks different
     - The payload of every instance can have different byte contents

  4. Anomaly based detection
     - Build a profile of what is normal
     - Any significant deviation from normal is called an attack
     - Polymorphic attacks: instances differ from each other, BUT they are NOT NORMAL
     - GOAL: make polymorphic attacks look like normal traffic

  5. Polymorphic blending attacks
     - Attacks blend in with normal traffic
     - Evade payload-statistics based IDS
     - Transform each instance's payload characters to fit the normal profile

  6. PAYL system
     - Analyzes and models the normal payloads that are expected to be delivered to the network service or application
     - Specific to the site in which the detector is placed
     - Learning phase: determine the byte frequency distribution of the normal payload
     - Incoming payloads are tested against the normal profile and classified based on some distance metric

  7. PAYL system: n-gram analysis (figure: the byte sequence "a c q a a b a c q" split into n-grams with n = 3)
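As an added example (not from the slides, nor the PAYL authors' code), here is a toy PAYL-style 1-gram detector: the learning phase records the mean and standard deviation of each byte value's frequency over a constructed set of normal HTTP requests, and detection scores a new payload with a simplified Mahalanobis distance against a threshold. The sample requests, the threshold rule (twice the largest training distance) and the smoothing constant are assumptions for illustration.

```python
# Added example (not from the slides): a PAYL-style 1-gram detector.
# Learning phase: per-byte mean/std of byte frequencies over normal payloads;
# detection: simplified Mahalanobis distance compared against a threshold.
import math
from collections import Counter

def byte_freq(payload: bytes) -> list:
    """Relative frequency of each of the 256 byte values in one payload."""
    n = max(len(payload), 1)
    counts = Counter(payload)
    return [counts.get(b, 0) / n for b in range(256)]

def train_profile(normal_payloads):
    """Learning phase: mean and standard deviation of every byte's frequency."""
    vecs = [byte_freq(p) for p in normal_payloads]
    m = len(vecs)
    mean = [sum(v[b] for v in vecs) / m for b in range(256)]
    std = [math.sqrt(sum((v[b] - mean[b]) ** 2 for v in vecs) / m) for b in range(256)]
    return mean, std

def distance(payload: bytes, profile, smoothing: float = 0.01) -> float:
    """Simplified Mahalanobis distance: sum_b |x_b - mean_b| / (std_b + smoothing).
    The smoothing term keeps bytes never seen in training from dividing by zero."""
    mean, std = profile
    x = byte_freq(payload)
    return sum(abs(x[b] - mean[b]) / (std[b] + smoothing) for b in range(256))

def classify(payload: bytes, profile, threshold: float) -> str:
    return "anomalous" if distance(payload, profile) > threshold else "normal"

# Constructed sample of "normal" traffic for a web service (not real captures).
NORMAL = [
    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: example.com\r\n\r\n",
    b"GET /about HTTP/1.1\r\nHost: example.com\r\nAccept: text/html\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: example.com\r\nContent-Length: 11\r\n\r\nuser=alice\n",
    b"GET /favicon.ico HTTP/1.1\r\nHost: example.com\r\n\r\n",
]
PROFILE = train_profile(NORMAL)
# Error threshold (an assumed simple rule): twice the largest training distance.
THRESHOLD = 2.0 * max(distance(p, PROFILE) for p in NORMAL)

# Constructed test payloads: a benign request, and one built only from high-bit
# bytes that never occur in the normal profile, which a 1-gram model rejects.
BENIGN = b"GET /contact HTTP/1.1\r\nHost: example.com\r\n\r\n"
ANOMALOUS = bytes(range(128, 256)) * 2

if __name__ == "__main__":
    for name, p in (("benign", BENIGN), ("anomalous", ANOMALOUS)):
        print(name, round(distance(p, PROFILE), 1), classify(p, PROFILE, THRESHOLD))
```

With only five training payloads the profile is crude; a real deployment trains on a large site-specific sample, which is exactly why the deck stresses that the profile is specific to the site where the detector is placed.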

  8. Polymorphic attack components
     - Attack vector: exploits the vulnerability
     - Attack body: performs the malicious action
     - Polymorphic decryptor: decrypts the attack body and transfers control to it

  9. How the attacker works (figure: Host X on Network A sends traffic to Host Y on Network B, which is monitored by IDS B; the attacker's artificial profile ≈ the IDS's normal profile)

  10. Attack body encryption
     - Byte substitution: every char in the attack body is substituted by a char observed in normal traffic, using a substitution table

         Attack            Normal
         Char   Freq       Char   Freq
         p      5          a      6
         q      4          c      5
         ..     ..         ..     ..

     - Pad the encrypted attack body with garbage normal data for better matching

  11. Polymorphic decryptor
     - Removes the extra padding from the encrypted attack body
     - Uses reverse substitution to decrypt the attack body and produce the original attack code
     - Decoding table: easy to store one-to-one mappings; an array whose i-th entry is the normal character used to substitute attack character i

  12. PBA attack packet (layout: Attack Vector | Decryptor | Encrypted attack code | Decryption Key (table) | Padding)
     - The attack vector, decryptor and substitution table are not encrypted
     - They may alter packet statistics --> the packet may deviate from the normal profile
     - New profile = normal profile - frequencies of the characters in the attack vector, decryptor and substitution table

  13. Problem
     - Given an anomaly IDS and an attack, can we automatically generate its PBA instances?
     Motivation
     - To provide the defender a means to evaluate an IDS and improve it

  14. Assumptions
     - Applies only to network IDS
     - The network IDS uses only simple statistical measures to model normal traffic
     - The attacker knows the features and algorithms used in the IDS
     - Given normal packets, the attacker can generate an artificial profile
     - The attacker can roughly guess the error threshold of the IDS

  15. Modeling the IDS
     - Scope is limited to payload based IDS. Why? Polymorphic attacks mutate only the packet payload
     - These IDSs can be represented by an FSA. Example: the PAYL system records the average frequency of unique n-grams
     - SFSA: each state represents a unique (n-1)-gram, corresponding to the last n-1 bytes seen in the packet
       (figure: state A = (a_0, a_1, ..., a_{n-2}) transitions to state A' = (a_1, a_2, ..., a_{n-1}))
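The (n-1)-gram state machine of slide 15, as an added example written for this page (not the paper's code): a state is the last n-1 bytes, a transition on the next byte leads to the state formed by the new last n-1 bytes, and transition probabilities are relative counts from a constructed set of normal requests. A payload is accepted only along transitions seen in training, and the path's log-probability ranks accepted payloads by how typical they are. The sample requests and n = 3 are assumptions.

```python
# Added example (not from the slides or the paper): the (n-1)-gram FSA of
# slide 15, learned from constructed normal traffic.
import math
from collections import defaultdict

def build_fsa(normal_payloads, n=3):
    """State = last n-1 bytes (a_0..a_{n-2}); on next byte a_{n-1} move to
    state (a_1..a_{n-1}). Transition probabilities are relative counts."""
    counts = defaultdict(lambda: defaultdict(int))
    for p in normal_payloads:
        for i in range(len(p) - n + 1):
            state, nxt = p[i:i + n - 1], p[i + n - 1]
            counts[state][nxt] += 1
    fsa = {}
    for state, outs in counts.items():
        total = sum(outs.values())
        fsa[state] = {b: c / total for b, c in outs.items()}
    return fsa

def walk(payload, fsa, n=3):
    """Run a payload through the FSA.
    Returns (accepted, log_prob, first_unseen_transition): accepted only if every
    (state, next byte) pair was observed in training; log_prob ranks accepted
    payloads (closer to 0 = more typical of normal traffic)."""
    logp = 0.0
    for i in range(len(payload) - n + 1):
        state, nxt = payload[i:i + n - 1], payload[i + n - 1]
        pr = fsa.get(state, {}).get(nxt)
        if pr is None:
            return False, float("-inf"), (state, nxt)
        logp += math.log(pr)
    return True, logp, None

# Constructed normal requests (not real captures).
NORMAL = [
    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    b"GET /logo.png HTTP/1.1\r\nHost: example.com\r\n\r\n",
]
FSA = build_fsa(NORMAL, n=3)

if __name__ == "__main__":
    for p in (NORMAL[0], b"GET /zzz HTTP/1.1\r\nHost: example.com\r\n\r\n"):
        ok, logp, bad = walk(p, FSA)
        print(p[:12], "accepted" if ok else f"rejected at {bad}", round(logp, 2))
```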

  16. To generate a PBA
     - The attacker decides the encryption scheme
     - Mutated instances of the attack vector and decryptor are generated
     - Identify the encryption key: the packet sections holding the encrypted attack code + decryption key should be accepted by the FSA
     - Adjust the FSA for the decryptor and attack vector:
       - Identify the path taken
       - If multiple paths exist, take the one with the highest probabilities
       - Reduce the probabilities of the transitions according to the number that occur in the attack vector and decryptor
     - Padding works as above

  17. The problem
     - PBA subFSA: find a one-to-one mapping from attack chars to normal chars such that S_key_ac (key || encrypted attack code) is accepted by the FSA of the IDS
     - Prove: PBA subFSA is NP-complete
       - The problem is in NP: a solution is verifiable for correctness in polynomial time
       - The problem should be hard

  18. PROVE: the problem is in NP
     - Given a one-to-one mapping, we can generate the decryption key (table) and the encrypted attack code
     - The IDS is represented as an FSA
     - An FSA is a decidable language
     - Therefore we can verify in polynomial time

  19. To prove NP-hard
     - Reduce the 3-SAT problem to PBA
     - What is 3-SAT? For example: (x1 ∨ x2 ∨ x4) ∧ (x2 ∨ x4 ∨ x5) ∧ (x3 ∨ x2 ∨ x1)
     - Consider a 3-SAT problem with q variables, q <= 128, and r clauses
     - For every variable x_i:
       - One attack char att_i
       - Two normal chars norm_i, norm_{i+128}
     - Let eatt_i be the encrypted form of att_i:
       - x_i = 1 if and only if eatt_i = norm_i and eatt_{i+128} = norm_{i+128}
       - x_i = 0 if and only if eatt_i = norm_{i+128} and eatt_{i+128} = norm_i

  20. Assignment (figure: table relating the PBA side and the 3-SAT side: att_i encrypted as norm_i corresponds to x_i = 1, att_i encrypted as norm_{i+128} corresponds to x_i = 0)

  21. To prove NP-hard (continued)

  22. Heuristic solutions
     - Reduce SAT to ILP and then find heuristic solutions
     - Hill climbing algorithm: start with an initial solution and iteratively improve it
       - Choose a random encryption key
       - Calculate the distance between S_key_ac and the FSA
       - Randomly choose K_i and modify it

  23. Performance and results
     - Tested against PAYL 1-gram and 2-gram
     - Time taken to solve the ILP problem: PAYL 1-gram --> a few seconds; PAYL 2-gram --> several minutes
     - Substitution is better than XOR for evading the IDS
     - The paper proposes a method to harden the IDS against PBA attacks

  24. Future directions
     - Study PBA with different mutation techniques: metamorphism and code obfuscation
     - Extend the current technique to determine the best mutation technique and the optimal padding bytes

  25. So what is the big point for IDS?
     - The paper brings in some formalism, although the attack described may not be very effective
     - Is it a constant arms race?
     - Does IDS really work? Can we beat the attacker?

  26. Thank you
