Polymorphic Blending Attacks, Prahlad Fogla et al., USENIX 2006. Presented by Himanshu Pagey.

Main theme of the paper
- How to attack an anomaly-based IDS that uses payload statistics?
- Are these attacks feasible?
- Are these attacks hard?
- Staging an actual attack on the PAYL IDS (results and evaluation)
- How to protect against such attacks?

Anomaly IDS? Payload statistics? Polymorphic blending? Never heard of those terms
- An anomaly IDS detects deviations from normal traffic that may indicate a security breach.
- The IDS considered here (PAYL) models normal traffic by computing the byte frequency distribution of packet payloads (payload statistics).
- Such an IDS needs a learning phase on attack-free traffic to build the normal profile; a packet whose byte distribution is farther from the profile than a threshold is flagged.

Polymorphic blending
- Change the contents of the attack packets so that the same attack looks different each time and is disguised as normal traffic (it blends with the normal traffic).
- Existing polymorphic techniques focus on making attack instances look different from each other, not on making them look normal.
- Question: how to polymorph and blend?

How to attack? 3 steps
1. A compromised host on network A sniffs the traffic going from A to B to estimate the normal profile used by the IDS of network B.
2. The attack mutates (encodes and pads) itself to match that estimated profile.
3. The blended attack is sent to network B, where a small decryptor restores the original attack body.

Assumptions made
- The adversary has already compromised a host inside network A.
- The adversary knows which IDS is deployed on network B.
- The adversary knows the learning algorithm used by the IDS of network B (but not its exact normal profile or threshold).
- The IDS of network B is a payload-statistics-based system.

Step I: learning the IDS normal profile
- Sniff the network traffic going from A to B.
- Build an artificial profile from the sniffed traffic using the same modeling technique the IDS of network B uses; this is the adversary's estimate of B's normal profile.
- The more packets are sniffed, the closer the artificial profile is to the real normal profile.

Step II: attack body encryption
- The adversary creates a new attack instance by encoding the attack body so that its byte statistics match the normal profile.
- Encoding substitutes every byte of the attack body with a byte that is frequent in the normal profile; a suitable substitution table is generated for this purpose.
- The attack body is also padded with garbage data to match the normal profile more closely.
- The transformation must be reversible, so that a decryptor can recover the original attack body.

Step III: polymorphic decryptor
- Removes all the extra padding from the encrypted attack body.
- Applies the inverse substitution table to decrypt the attack body and produce the original attack code.
- The decryptor routine itself is not encrypted; it is mutated with standard shellcode polymorphism techniques so that it does not present a fixed byte pattern.
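The following is an added example, not code from the paper or from these slides. It puts the "payload statistics" model from the "Anomaly IDS?" slide and Steps I to III together in one runnable script: a toy 1-gram byte-frequency model with PAYL's simplified Mahalanobis distance (sum over byte values of |x_i - mean_i| / (std_i + alpha)), a greedy reversible substitution table, padding that pushes the whole packet's byte distribution toward the profile, and a decryptor that undoes both. The HTTP requests and the attack body are constructed; the greedy table and the padding rule are simplifications of the paper's method, and the real PAYL model is also keyed by port and payload length, which is omitted here.

```python
"""Added example (not from the paper or the slides): a toy 1-gram
payload-statistics model in the style of PAYL and a polymorphic blending
of a constructed attack body against it (Steps I-III)."""
from collections import Counter
import math

ALPHA = 0.001  # smoothing on the std, as in PAYL, so bytes never seen in training do not divide by zero

# Constructed "normal" HTTP traffic, standing in for what is sniffed from A to B.
NORMAL = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nAccept: image/png\r\n\r\n",
    b"GET /about/team.html HTTP/1.1\r\nHost: www.example.com\r\nReferer: http://www.example.com/\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 27\r\n\r\nuser=alice&password=secret1",
]

# Constructed stand-in for an attack body: high and NUL bytes that never occur in the ASCII traffic above.
ATTACK = bytes(range(0x80, 0x98)) + b"\x90" * 8 + b"\x00" * 4


def byte_frequencies(payload):
    """Relative frequency of each of the 256 byte values in one payload."""
    counts = Counter(payload)
    n = len(payload)
    return [counts.get(b, 0) / n for b in range(256)]


def byte_profile(payloads):
    """Step I / the IDS learning phase: mean and standard deviation of every byte
    frequency over the training payloads. The attacker runs the same function over
    sniffed traffic to obtain the artificial profile."""
    freqs = [byte_frequencies(p) for p in payloads]
    n = len(freqs)
    mean = [sum(f[b] for f in freqs) / n for b in range(256)]
    std = [math.sqrt(sum((f[b] - mean[b]) ** 2 for f in freqs) / n) for b in range(256)]
    return mean, std


def distance(payload, profile):
    """PAYL's simplified Mahalanobis distance: sum_i |x_i - mean_i| / (std_i + ALPHA)."""
    mean, std = profile
    x = byte_frequencies(payload)
    return sum(abs(x[b] - mean[b]) / (std[b] + ALPHA) for b in range(256))


def substitution_table(attack, mean):
    """Greedy, reversible table: the most frequent attack bytes are mapped to the
    most frequent normal bytes, each attack byte to a distinct normal byte."""
    attack_bytes = [b for b, _ in Counter(attack).most_common()]
    normal_bytes = sorted(range(256), key=lambda b: mean[b], reverse=True)
    return dict(zip(attack_bytes, normal_bytes))


def blend(attack, profile, total_len):
    """Step II: encode the attack body with the table, then append padding chosen so
    the byte distribution of the whole packet approaches the profile."""
    mean, _ = profile
    if total_len < len(attack):
        raise ValueError("total_len must not be shorter than the attack body")
    table = substitution_table(attack, mean)
    encoded = bytes(table[b] for b in attack)
    pad_len = total_len - len(encoded)
    have = Counter(encoded)
    # how many more of each byte value the packet needs to reach the profile's expected count
    deficit = {b: max(round(mean[b] * total_len) - have.get(b, 0), 0) for b in range(256)}
    pad = bytearray()
    for b in sorted(range(256), key=lambda v: deficit[v], reverse=True):
        pad.extend(bytes([b]) * deficit[b])
    pad = bytes(pad[:pad_len])
    if len(pad) < pad_len:  # rounding left room: fill with the most common normal byte
        pad += bytes([max(range(256), key=lambda v: mean[v])]) * (pad_len - len(pad))
    return encoded + pad, table


def decrypt(blended, table, attack_len):
    """Step III: drop the padding and apply the inverse table. In the paper the
    decryptor is shellcode that is itself mutated; here it is plain Python."""
    inverse = {v: k for k, v in table.items()}
    return bytes(inverse[b] for b in blended[:attack_len])


def demo(total_len=200):
    """Blend ATTACK against a profile learned from NORMAL and report the distances."""
    profile = byte_profile(NORMAL)
    blended, table = blend(ATTACK, profile, total_len)
    return {
        "raw_distance": distance(ATTACK, profile),
        "blended_distance": distance(blended, profile),
        "roundtrip_ok": decrypt(blended, table, len(ATTACK)) == ATTACK,
        "length": len(blended),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The raw attack body scores a distance of at least 1000 against this profile, because every one of its bytes has mean 0 and std 0 in the training data and is divided by ALPHA; the blended packet scores far lower, and `decrypt` recovers the original body. Note that a 1-gram substitution preserves the attack's byte-pair structure and the padding consists of runs of one byte, which is why the countermeasure of modelling independent features (for example higher-order n-grams) is attractive.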

Staging an actual attack
- Targets a vulnerability in Windows Media Services.
- The attack vector is 99 bytes long and must appear at the start of the HTTP request.
- The attack needs 10 KB of data to cause the buffer overflow.
- The IDS was trained on 15 days of HTTP traffic.
- The attacker was allowed to learn the IDS profile for 1 day.

Counter measures
- Develop more efficient semantics-based IDS that can be deployed on high-speed networks.
- Use multiple IDS models based on independent features to represent normal traffic better.
- Introduce randomness into the modeling of normal traffic, which makes it difficult for the attacker to build an artificial profile close to the normal profile.

Weaknesses
- No explanation of why only PAYL was selected for the case study (maybe it was the only payload-statistics anomaly IDS available).
- The paper assumes the attacker knows the learning algorithm of the attacked IDS. Is this assumption realistic?
- The paper also assumes the attacker does not know the threshold setting, which seems to contradict the earlier assumption.

Strengths
- Proposes a new kind of attack.
- Discusses possible countermeasures for IDS designers.
- Uses a real attack vector to implement the polymorphic blending attack and to obtain the experimental results.

Suggested improvements
- Explore techniques to determine the behavior of the IDS (threshold and learning algorithm) assuming no internal knowledge.
- Evaluate the attack on other anomaly IDS based on payload statistics.
- Explore techniques from querying over continuous data streams to model the normal profile of an IDS.