ABSTRACT
Ptacek and Newsham [14] showed how to evade signature detection at Intrusion Prevention Systems (IPS) using TCP and IP Fragmentation. These attacks are implemented in tools like FragRoute, and are institutionalized in IPS product tests. The classic defense is for the IPS to reassemble TCP and IP packets, and to consistently normalize the output stream. Current IPS standards require keeping state for 1 million connections. Both the state and processing requirements of reassembly and normalization are barriers to scalability for an IPS at speeds higher than 10 Gbps. In this paper, we suggest breaking with this paradigm using an approach we call Split-Detect. We focus on the simplest form of signature, an exact string match, and start by splitting the signature into pieces. By doing so the attacker is either forced to include at least one piece completely in a packet, or to display potentially abnormal behavior (e.g., several small TCP fragments or out-of-order packets) that cause the attacker's flow to be diverted to a slow path. We prove that under certain assumptions this scheme can detect all byte-string evasions. We also show using real traces that the processing and storage requirements of this scheme can be 10% of that required by a conventional IPS, allowing reasonable cost implementations at 20 Gbps. While the changes required by Split-Detect may be a barrier to adoption, this paper exposes the assumptions that must be changed to avoid normalization and reassembly in the fast path.
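To make the Split-Detect argument in the abstract concrete, the following is an added example in Python; it is not the paper's code and it does not reproduce the paper's theorem or measurements. It models a fast path that checks each TCP segment for a whole piece of a split signature without any reassembly, and a slow path that reassembles only the flows the fast path diverts. The 16-byte sample signature, the three-way split, the budget of one small segment per flow, the constructed flows, and the first-received-wins overlap policy in the toy reassembler are all this example's own choices; the `pieces >= small_budget + 2` relation is the example's own reasoning about when the slow path still sees a whole piece, not a statement of the paper's result.

```python
"""Split-Detect, illustrated (added example, not the paper's code).  The fast
path looks for a whole *piece* of the signature in each TCP segment without
reassembling; small or out-of-order segments divert the flow to a slow path
that does reassemble.  Piece sizes, budgets and policies are this example's own."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes

def split_signature(sig: bytes, pieces: int) -> list[bytes]:
    """Cut sig into `pieces` contiguous chunks, as evenly as possible."""
    base, extra = divmod(len(sig), pieces)
    out, i = [], 0
    for k in range(pieces):
        size = base + (1 if k < extra else 0)
        out.append(sig[i:i + size])
        i += size
    return out

def interior_bound(pieces: list[bytes]) -> int:
    """Longest segment that can lie wholly inside the signature yet hold no whole
    piece: the tail of one piece plus the head of the next."""
    return max(len(a) + len(b) - 2 for a, b in zip(pieces, pieces[1:]))

class SplitDetect:
    def __init__(self, signature: bytes, pieces: int = 3, small_budget: int = 1):
        # With b small segments tolerated, the slow path starts by the (b+1)-th
        # interior segment, leaving pieces b+2..k whole there: need pieces >= b+2.
        assert pieces >= small_budget + 2
        self.sig, self.pieces = signature, split_signature(signature, pieces)
        self.bound, self.budget = interior_bound(self.pieces), small_budget
        self.next_seq = {}   # fast-path state: flow -> expected next seq
        self.small = {}      # fast-path state: flow -> small segments seen
        self.slow = {}       # diverted flows: flow -> {seq: byte}

    def process(self, flow, seg: Segment) -> str:
        """'fast:ok' | 'fast:match' | 'slow:ok' | 'slow:suspect' | 'slow:match'."""
        if flow in self.slow:
            return self._slow(flow, seg)
        if self.sig in seg.payload:                       # whole signature in one packet
            return "fast:match"
        if any(p in seg.payload for p in self.pieces):    # a piece is exposed: confirm
            return self._divert(flow, seg)
        expected = self.next_seq.get(flow)
        if expected is not None and seg.seq != expected:  # out of order, overlap or gap
            return self._divert(flow, seg)
        self.next_seq[flow] = seg.seq + len(seg.payload)
        if 0 < len(seg.payload) <= self.bound:
            self.small[flow] = self.small.get(flow, 0) + 1
            if self.small[flow] > self.budget:
                return self._divert(flow, seg)
        return "fast:ok"

    def _divert(self, flow, seg: Segment) -> str:
        self.slow[flow] = {}
        self.next_seq.pop(flow, None)
        self.small.pop(flow, None)
        return self._slow(flow, seg)

    def _slow(self, flow, seg: Segment) -> str:
        # Toy reassembly: first-received byte wins on overlap.  That is a policy
        # choice; real stacks differ, which is the Ptacek-Newsham ambiguity.
        buf = self.slow[flow]
        for i, b in enumerate(seg.payload):
            buf.setdefault(seg.seq + i, b)
        suspect = False
        for run in self._runs(buf):
            if self.sig in run:
                return "slow:match"
            suspect |= any(p in run for p in self.pieces)
        return "slow:suspect" if suspect else "slow:ok"

    @staticmethod
    def _runs(buf: dict) -> list[bytes]:
        """Maximal contiguous byte runs held in the reassembly buffer."""
        seqs, runs, start = sorted(buf), [], 0
        for i in range(1, len(seqs) + 1):
            if i == len(seqs) or seqs[i] != seqs[i - 1] + 1:
                runs.append(bytes(buf[s] for s in seqs[start:i]))
                start = i
        return runs

SIG = b"GET /etc/passwd "   # constructed 16-byte sample signature
def run_scenarios() -> dict:
    """Constructed flows (junk = non-signature bytes) -> verdict per segment."""
    junk = b"X" * 100
    flows = {
        "plain": [Segment(0, junk + SIG + junk)],
        # one cut: the big head segment still carries piece 1 whole
        "two_way_split": [Segment(0, junk + SIG[:8]), Segment(108, SIG[8:] + junk)],
        # a cut inside every piece: the interior segments are forced to be small
        "fine_split": [Segment(0, junk + SIG[:4]), Segment(104, SIG[4:9]),
                       Segment(109, SIG[9:13]), Segment(113, SIG[13:] + junk)],
        # same bytes, middle segments swapped
        "out_of_order": [Segment(0, junk + SIG[:4]), Segment(109, SIG[9:13]),
                         Segment(104, SIG[4:9]), Segment(113, SIG[13:] + junk)],
        # chatty but benign: one small segment is within budget
        "benign": [Segment(0, b"HELO example\r\n"),
                   Segment(14, b"MAIL FROM:<a@example>\r\n"), Segment(37, b"QUIT\r\n")],
    }
    det = SplitDetect(SIG)
    return {name: [det.process(name, s) for s in segs] for name, segs in flows.items()}
```

Two things to read off the scenarios. First, the fast path holds no payload at all, only an expected sequence number and a small-segment counter per flow, which is the kind of state saving the abstract is after; bytes are buffered only once a flow is diverted. Second, with a cut inside every piece (`fine_split`), each segment that lies wholly inside the signature is at most `interior_bound` bytes long, so the flow exhausts its small-segment budget and the slow path reassembles a whole piece from that point on; the verdict is `slow:suspect` rather than `slow:match` because the leading bytes already passed through the fast path, so a deployment has to decide whether a reassembled piece is enough to block. Sending the same bytes out of order is caught earlier, at the first sequence-number gap. IP fragmentation is not modelled here; in this design it would be treated like an out-of-order segment and diverted. How often benign traffic trips the bound and the budget is exactly the cost question the abstract answers with real traces.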
- Alfred V. Aho and Margaret J. Corasick. "Efficient string matching: An aid to bibliographic search". Communications of the ACM 18(6):333--340, June 1975.
- N. Alon, Y. Matias, and M. Szegedy. "The space complexity of approximating the frequency moments". Proceedings of the 28th ACM Symposium on Theory of Computing, pages 20--29, May 1996.
- G. Appenzeller, I. Keslassy, and N. McKeown. "Sizing Router Buffers". Proceedings of ACM SIGCOMM 2004.
- D. Clark. "The Structuring of Systems Using Upcalls". Proceedings of the 10th ACM Symposium on Operating Systems Principles, pages 171--180, December 1985.
- S. Dharmapurikar, P. Krishnamurthy, T. Sproull, and J. W. Lockwood. "Deep packet inspection using parallel Bloom filters". Hot Interconnects, August 2003.
- S. Dharmapurikar and V. Paxson. "Robust TCP stream reassembly in the presence of adversaries". Proceedings of the 14th USENIX Security Symposium, Baltimore, 2005.
- "The Future of the Internet". Red Herring, April 10, 2006.
- M. Handley, C. Kreibich, and V. Paxson. "Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics". Proceedings of the USENIX Security Symposium, May 2001.
- K. Levchenko, R. Paturi, and G. Varghese. "On the Difficulty of Scalably Detecting Network Attacks". Proceedings of the 11th ACM Conference on Computer and Communications Security, October 2004.
- Nikto. http://www.cirt.net/code/nikto.shtml
- NSS Group. "Intrusion Prevention Systems (IPS) Group Test (Edition 3)". NSS Group, August 2005. http://www.nss.co.uk
- V. Paxson. "Bro: A System for Detecting Network Intruders in Real-Time". Computer Networks 31(23-24):2435--2463, December 1999.
- V. Paxson and M. Handley. "Defending Against NIDS Evasion using Traffic Normalizers". Second International Workshop on Recent Advances in Intrusion Detection, September 1999.
- T. Ptacek and T. Newsham. "Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection". Secure Networks, Inc., January 1998.
- M. Roesch. "Snort - Lightweight Intrusion Detection for Networks". Proceedings of LISA '99, 1999.
- C. Shannon, D. Moore, and k. claffy. "Characteristics of Fragmented IP Traffic on Internet Links". Workshop on Passive and Active Measurement, 2001.
- D. Song. Fragroute, 2002. http://www.monkey.org/dugsong/fragroute/
Detecting evasion attacks at high speeds without reassembly
Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications