Download presentation
Presentation is loading. Please wait.
Published byDorthy Mason Modified over 9 years ago
1
Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey
2
Main Theme of the paper How to attack an anomaly based IDS,which uses payload statistics ? Are these attacks feasible? Are these attacks hard? Staging an actual Attack on PAYL IDS (results and evaluation) How to protect against such attacks?
3
Anomaly IDS ? payload statistics ?.. Polymorphic Blending? Never heard of those terms Anomaly IDS detect deviations from normal traffic that may indicate security breach. This type of IDS models the normal traffic by computing byte frequency distribution of the packets. (payload statistics) Such IDS involves learning phase to model the normal traffic.
4
Polymorphic Blending.. Change the contents of packets to make it look different (same content looks different) and disguise the packets as normal traffic. (blend with normal traffic) Existing polymorphic techniques focus on making attacks looks different from each other rather than making them look normal. Questions Arise :- How to polymorph and blend?
5
How to Attack? 3 Steps Compromised Host on Network A Network B Sniffs to estimate normal profile for Network B Mutates itself to match the normal profile of Network B
6
Assumptions made… The adversary has already compromised host inside Network A Adversary has knowledge of IDS of Network B Adversary knows the learning algorithm used by IDS of Network B IDS of Network B is a payload statistics based system.
7
Step I Learning the IDS Normal profile Sniff the network traffic going from A to B. Generates artificial profile (Network A) for himself which is its estimation of normal profile of Network B. Network A already knows modeling technique that network B uses. Artificial profile will be close to normal profile if number of packets sniffed are more.
8
Step II Attack Body encryption Adversary creates new attack instance by encrypting the network traffic to match the normal profile. Encryption is achieved by substituting every character in the attack body by character from the normal profile. The attack body is also padded with some garbage data to match the normal profile more closely. Such algorithm has to be reversible A Suitable substitution table is generated.
9
Step III Polymorphic Decryptor It removes all the extra padding from the encrypted attack body. It uses the reverse substitution table to decrypt the contents of the attack body to produce the original attack code. The decryptor routine is not ecrypted but mutated using shellcode polymorphism processing
10
Staging an actual Attack Targets vulnerability in Window Media services. The size of the attack vector is 99 bytes and is required to be present at start of HTTP request. Attack needs 10Kb of data to cause buffer overflow. Trained the IDS for 15 days of http traffic Attacker was allowed to learn the IDS profile for 1 day
12
Counter measures To develop more efficient semantic based IDS that can be deployed on high speed networks. Using multiple IDS models that use independent features to better represent normal traffic. To introduce randomness for modeling normal traffic.( Makes it difficult for attacker to model the artificial profile close to normal profile)
13
Weakness No Explanation on why only PAYL was selected for case study. ( Maybe that’s the only payload statistics based anomaly IDS available). The paper operates under the assumption that the attacker knows the learning algorithm of the attacked IDS. Does this assumption seem realistic? The papers also assumes that the attacker doesn’t know the threshold setting (Seems like contradiction to earlier assumption)
14
Strengths Proposes new kind of attack. Discusses possible counter measures for IDS Designers. Uses real attack vector to implement polymorphic blending attack and to provide the experimental results.
15
Suggested Improvements Explore techniques to determine the behavior of the IDS (Threshold and learning algorithm) assuming to internal knowledge. Evaluate the attack on other anomaly- payload statistics based IDS. Explore techniques from querying over continuous data streams to model the normal profile of an IDS.
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.