Polymorphic blending attacks Prahlad Fogla et al USENIX 2006


Transcript of Polymorphic blending attacks Prahlad Fogla et al USENIX 2006

Page 1: Polymorphic blending attacks Prahlad Fogla et al USENIX 2006

Polymorphic blending attacks

Prahlad Fogla et al

USENIX 2006

Presented By Himanshu Pagey

Page 2: Polymorphic blending attacks Prahlad Fogla et al USENIX 2006

Main Theme of the paper

How to attack an anomaly based IDS, which uses payload statistics?

Are these attacks feasible? Are these attacks hard?

Staging an actual attack on PAYL IDS (results and evaluation)

How to protect against such attacks?

Page 3: Polymorphic blending attacks Prahlad Fogla et al USENIX 2006

Anomaly IDS? Payload statistics? Polymorphic blending? Never heard of those terms

Anomaly IDS detect deviations from normal traffic that may indicate a security breach.

This type of IDS models the normal traffic by computing the byte frequency distribution of the packets (payload statistics).

Such an IDS involves a learning phase to model the normal traffic.
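The payload-statistics model described above, as an added example that is not the paper's or PAYL's own code: a simplified PAYL-style 1-gram profile (per-byte mean and standard deviation learned from normal payloads) and the simplified Mahalanobis distance PAYL uses to score a new payload against it. The training requests, the smoothing factor alpha and the threshold calibration are assumptions made for the example.

```python
import math
from typing import Iterable, List, Tuple

Profile = Tuple[List[float], List[float]]  # (per-byte mean, per-byte std dev)

def byte_frequencies(payload: bytes) -> List[float]:
    """Relative frequency of each of the 256 byte values in one payload (1-gram model)."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = max(len(payload), 1)
    return [c / n for c in counts]

def train_profile(payloads: Iterable[bytes]) -> Profile:
    """Learning phase: mean and standard deviation of every byte frequency over normal payloads."""
    freqs = [byte_frequencies(p) for p in payloads]
    n = len(freqs)
    mean = [sum(f[i] for f in freqs) / n for i in range(256)]
    std = [math.sqrt(sum((f[i] - mean[i]) ** 2 for f in freqs) / n) for i in range(256)]
    return mean, std

def anomaly_score(payload: bytes, profile: Profile, alpha: float = 0.001) -> float:
    """Simplified Mahalanobis distance (as in PAYL): sum_i |x_i - mean_i| / (std_i + alpha).
    alpha (assumed value) smooths byte values that never varied, or never appeared, in training."""
    mean, std = profile
    x = byte_frequencies(payload)
    return sum(abs(x[i] - mean[i]) / (std[i] + alpha) for i in range(256))

def is_anomalous(payload: bytes, profile: Profile, threshold: float) -> bool:
    return anomaly_score(payload, profile) > threshold

# Constructed training traffic: a handful of plain HTTP requests standing in for days of data.
NORMAL_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\nAccept: text/html\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.test\r\nAccept: image/png\r\n\r\n",
    b"GET /news/2006/usenix.html HTTP/1.1\r\nHost: www.example.test\r\nAccept: text/html\r\n\r\n",
    b"POST /search HTTP/1.1\r\nHost: www.example.test\r\nContent-Length: 9\r\n\r\nq=payload",
]
PROFILE = train_profile(NORMAL_REQUESTS)
# Crude, assumed calibration: 1.5x the worst score seen on the training data itself.
THRESHOLD = max(anomaly_score(p, PROFILE) for p in NORMAL_REQUESTS) * 1.5

def demo() -> Tuple[float, float]:
    """Score a benign request and a request carrying high-byte filler (what an ordinary,
    non-blended polymorphic payload looks like); the latter lands far from the learned profile."""
    benign = b"GET /about.html HTTP/1.1\r\nHost: www.example.test\r\nAccept: text/html\r\n\r\n"
    suspicious = b"GET /" + bytes(range(0x80, 0x100)) * 4 + b" HTTP/1.1\r\n\r\n"
    return anomaly_score(benign, PROFILE), anomaly_score(suspicious, PROFILE)
```

A blending attack, as the later slides describe, aims to make the second score look like the first; the model only sees byte frequencies, so matching them is enough to pass the threshold.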

Page 4: Polymorphic blending attacks Prahlad Fogla et al USENIX 2006

Polymorphic Blending..

Change the contents of packets to make them look different (same content looks different) and disguise the packets as normal traffic (blend with normal traffic).

Existing polymorphic techniques focus on making attacks look different from each other rather than making them look normal.

Questions arise: How to polymorph and blend?

Page 5: Polymorphic blending attacks Prahlad Fogla et al USENIX 2006

How to Attack? 3 Steps

Compromised Host on Network A

Network B

Sniffs to estimate normal profile for Network B

Mutates itself to match the normal profile of Network B

Page 6: Polymorphic blending attacks Prahlad Fogla et al USENIX 2006

Assumptions made…

The adversary has already compromised a host inside Network A

Adversary has knowledge of the IDS of Network B

Adversary knows the learning algorithm used by the IDS of Network B

IDS of Network B is a payload statistics based system.

Page 7: Polymorphic blending attacks Prahlad Fogla et al USENIX 2006

Step I: Learning the IDS normal profile

Sniff the network traffic going from A to B. Generate an artificial profile (at Network A), which is the attacker's estimate of the normal profile of Network B. Network A already knows the modeling technique that Network B uses.

The artificial profile will be closer to the normal profile if more packets are sniffed.

Page 8: Polymorphic blending attacks Prahlad Fogla et al USENIX 2006

Step II: Attack body encryption

Adversary creates a new attack instance by encrypting the network traffic to match the normal profile.

Encryption is achieved by substituting every character in the attack body with a character from the normal profile. The attack body is also padded with some garbage data to match the normal profile more closely. Such an algorithm has to be reversible.

A suitable substitution table is generated.

Page 9: Polymorphic blending attacks Prahlad Fogla et al USENIX 2006

Step III: Polymorphic decryptor

It removes all the extra padding from the encrypted attack body.

It uses the reverse substitution table to decrypt the contents of the attack body to produce the original attack code.

The decryptor routine is not encrypted but mutated using shellcode polymorphism processing.

Page 10: Polymorphic blending attacks Prahlad Fogla et al USENIX 2006

Staging an actual attack

Targets a vulnerability in Windows Media Services.

The size of the attack vector is 99 bytes and it is required to be present at the start of the HTTP request.

The attack needs 10Kb of data to cause the buffer overflow.

Trained the IDS on 15 days of HTTP traffic.

The attacker was allowed to learn the IDS profile for 1 day.

Page 11: Polymorphic blending attacks Prahlad Fogla et al USENIX 2006
Page 12: Polymorphic blending attacks Prahlad Fogla et al USENIX 2006

Counter measures

To develop more efficient semantic based IDS that can be deployed on high speed networks.

Using multiple IDS models that use independent features to better represent normal traffic.

To introduce randomness for modeling normal traffic (makes it difficult for the attacker to model an artificial profile close to the normal profile).

Page 13: Polymorphic blending attacks Prahlad Fogla et al USENIX 2006

Weakness

No explanation on why only PAYL was selected for the case study (maybe that's the only payload statistics based anomaly IDS available).

The paper operates under the assumption that the attacker knows the learning algorithm of the attacked IDS. Does this assumption seem realistic?

The paper also assumes that the attacker doesn't know the threshold setting (seems like a contradiction to the earlier assumption).

Page 14: Polymorphic blending attacks Prahlad Fogla et al USENIX 2006

Strengths

Proposes a new kind of attack.

Discusses possible counter measures for IDS designers.

Uses a real attack vector to implement the polymorphic blending attack and to provide the experimental results.

Page 15: Polymorphic blending attacks Prahlad Fogla et al USENIX 2006

Suggested Improvements

Explore techniques to determine the behavior of the IDS (threshold and learning algorithm) assuming no internal knowledge.

Evaluate the attack on other anomaly payload-statistics based IDS.

Explore techniques from querying over continuous data streams to model the normal profile of an IDS.

Page 16: Polymorphic blending attacks Prahlad Fogla et al USENIX 2006