Article
DOI: 10.1145/1180405.1180414

Evading network anomaly detection systems: formal reasoning and practical techniques

Published: 30 October 2006

ABSTRACT

Attackers often try to evade an intrusion detection system (IDS) when launching their attacks. There have been several published studies of evasion attacks, some with available tools, in the research community as well as the "hackers'" community. Our recent empirical case study showed that some payload-based network anomaly detection systems can be evaded by a polymorphic blending attack (PBA). The main idea of a PBA is to create each polymorphic instance in such a way that the statistics of the attack packet(s) match the normal traffic profile. In this paper, we present a formal framework for the open problem: given an anomaly detection system and an attack, can one automatically generate PBA instances of that attack? We show that in general, generating a PBA that optimally matches the normal traffic profile is a hard problem (NP-complete). However, the problem of finding a PBA can be reduced to SAT or ILP, so that solvers available in those domains can be used to find a near-optimal solution. We also present a heuristic (hill-climbing) that finds an approximate solution. Our framework not only exposes how an IDS can be exploited by a PBA but also suggests how the IDS can be improved to prevent it. We have experimented with our framework using the PAYL 1-gram and 2-gram anomaly detection systems, and the results validate our framework.
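To make the abstract's ingredients concrete, here is an added example (an illustration written for this page, not the authors' code or their framework): a toy PAYL-style 1-gram detector trained on a constructed set of four HTTP requests, a hill-climbing attacker that appends padding bytes to a constructed attack payload until the 1-gram score drops under the detector's threshold, and a 2-gram check showing what byte-level blending leaves visible. The smoothing constant alpha=0.01, the threshold calibration (1.2 times the worst training score) and the padding-only transformation are this example's assumptions; the paper's PBA also rewrites the attack bytes themselves through a substitution table with a decoder, which this example does not do.

```python
"""Added illustration, not the paper's implementation: a toy PAYL-style
1-gram payload anomaly detector, a hill-climbing padding attack that blends
an attack payload into the learned byte-frequency profile, and a 2-gram
check showing what that blending does not hide."""
import math

# Constructed "normal" traffic profile: four plain HTTP GET requests.
NORMAL = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\nAccept: image/png\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\n"
    b"User-Agent: curl/7.0\r\nAccept: */*\r\n\r\n",
    b"GET /news/2006/10/ccs.html HTTP/1.1\r\nHost: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
]

# Constructed attack payload: an oversized request line carrying a NOP-style
# sled and 16 high bytes standing in for shellcode. It exploits nothing.
ATTACK = (b"GET /" + b"A" * 40 + b"\x90" * 80
          + bytes(range(0xC0, 0xD0)) + b" HTTP/1.1\r\n\r\n")


def byte_counts(payload):
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    return counts


class Payl1Gram:
    """Mean and standard deviation of each byte value's relative frequency,
    scored with PAYL's simplified Mahalanobis distance
    sum_i |f_i - mean_i| / (std_i + alpha). alpha is a smoothing constant
    (0.01 is this demo's choice) and the alert threshold is an assumed
    calibration: a slack factor above the worst-scoring training sample."""

    def __init__(self, samples, alpha=0.01, slack=1.2):
        self.alpha = alpha
        freqs = [[c / len(s) for c in byte_counts(s)] for s in samples]
        k = len(freqs)
        self.mean = [sum(f[i] for f in freqs) / k for i in range(256)]
        self.std = [math.sqrt(sum((f[i] - self.mean[i]) ** 2 for f in freqs) / k)
                    for i in range(256)]
        self.threshold = slack * max(self.distance(s) for s in samples)

    def term(self, count, length, i):
        """Contribution of byte value i occurring count times in length bytes."""
        return abs(count / length - self.mean[i]) / (self.std[i] + self.alpha)

    def distance_counts(self, counts, length):
        return sum(self.term(counts[i], length, i) for i in range(256))

    def distance(self, payload):
        return self.distance_counts(byte_counts(payload), len(payload))

    def is_anomalous(self, payload):
        return self.distance(payload) > self.threshold


def blend_by_padding(model, attack, max_pad):
    """Hill-climb: append one byte at a time, always the byte that lowers the
    1-gram score most, until the score is under the threshold, the padding
    budget is spent, or no single byte helps (a local optimum). The attack
    bytes are left untouched; only trailing padding is added."""
    candidates = [i for i in range(256) if model.mean[i] > 0]  # bytes the profile has seen
    counts, length = byte_counts(attack), len(attack)
    padding = bytearray()
    best = model.distance_counts(counts, length)
    while best > model.threshold and len(padding) < max_pad:
        # Score with every term diluted by the new length, then swap in the
        # single term that changes for each candidate byte: O(256 + candidates).
        base = model.distance_counts(counts, length + 1)
        step, step_score = None, best
        for b in candidates:
            score = (base - model.term(counts[b], length + 1, b)
                     + model.term(counts[b] + 1, length + 1, b))
            if score < step_score:
                step, step_score = b, score
        if step is None:
            break
        counts[step] += 1
        length += 1
        padding.append(step)
        best = step_score
    return bytes(attack) + bytes(padding), best


def unseen_ngram_fraction(payload, samples, n=2):
    """Fraction of the payload's n-grams that never occur in the training
    samples: padding that matches 1-gram statistics still creates byte pairs
    a 2-gram profile has never seen."""
    seen = {s[i:i + n] for s in samples for i in range(len(s) - n + 1)}
    grams = [payload[i:i + n] for i in range(len(payload) - n + 1)]
    return sum(1 for g in grams if g not in seen) / len(grams)


if __name__ == "__main__":
    model = Payl1Gram(NORMAL)
    blended, score = blend_by_padding(model, ATTACK, max_pad=6000)
    print(f"threshold {model.threshold:.1f}, raw attack {model.distance(ATTACK):.1f}, "
          f"blended {score:.1f} after {len(blended) - len(ATTACK)} padding bytes")
    print(f"unseen 2-grams in blended payload: {unseen_ngram_fraction(blended, NORMAL):.0%}")
```

Running it prints the threshold, the raw and blended scores and the number of padding bytes the hill-climb needed. Because the greedy step favours whichever seen byte has the largest deficit relative to its variance, it tends to emit runs of one byte at a time; the blended payload therefore keeps the attack bytes intact and passes the 1-gram score, while most of its byte pairs never occur in the training data, which is the kind of observation the abstract refers to when it says the framework also suggests how the detector can be improved.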


Published in

CCS '06: Proceedings of the 13th ACM conference on Computer and communications security
October 2006
434 pages
ISBN: 1595935185
DOI: 10.1145/1180405

Copyright © 2006 ACM


Publisher

Association for Computing Machinery
New York, NY, United States
