Polymorphic blending attacks, Prahlad Fogla et al., USENIX 2006 (PowerPoint presentation transcript)

Transcript and Presenter's Notes

1
Polymorphic blending attacks
Prahlad Fogla et al., USENIX 2006
  • Presented by
  • Himanshu Pagey

2
Main theme of the paper
  • How can an anomaly-based IDS that relies on
    payload statistics be attacked?
  • Are such attacks feasible?
  • Are such attacks hard to carry out?
  • Staging an actual attack on the PAYL IDS (results
    and evaluation)
  • How can we protect against such attacks?

3
Anomaly IDS? Payload statistics? Polymorphic
blending? Never heard of those terms?
  • An anomaly IDS detects deviations from normal
    traffic that may indicate a security breach.
  • This type of IDS models normal traffic by
    computing the byte frequency distribution of
    packet payloads (payload statistics).
  • Such an IDS needs a learning phase to build the
    model of normal traffic.

4
Polymorphic blending
  • Change the contents of the packets so that the
    same content looks different (polymorphism) and
    disguise the packets as normal traffic (blending
    with normal traffic).
  • Existing polymorphic techniques focus on making
    attack instances look different from each other
    rather than making them look normal.
  • The questions that arise: how to polymorph, and
    how to blend?

5
How to attack? 3 steps
[Diagram: a compromised host on Network A sniffs
traffic to estimate the normal profile of Network B,
then mutates the attack to match that normal
profile before sending it to Network B.]
6
Assumptions made
  • The adversary has already compromised a host
    inside Network A.
  • The adversary has knowledge of the IDS protecting
    Network B.
  • The adversary knows the learning algorithm used by
    the IDS of Network B.
  • The IDS of Network B is a payload-statistics-based
    system.

7
Step I: Learning the IDS normal profile
  • Sniff the network traffic going from A to B.
  • From it, the attacker generates an artificial
    profile (on Network A) that is his estimate of
    Network B's normal profile; the attacker already
    knows the modelling technique Network B uses.
  • The artificial profile gets closer to the real
    normal profile as more packets are sniffed.

8
Step II: Attack body encryption
  • The adversary creates a new attack instance by
    encrypting the attack body so that it matches the
    normal profile.
  • Encryption is achieved by substituting every
    character in the attack body with a character
    from the normal profile. The attack body is also
    padded with garbage data to match the normal
    profile more closely. The algorithm has to be
    reversible.
  • A suitable substitution table is generated.

9
Step III: Polymorphic decryptor
  • It removes all the extra padding from the
    encrypted attack body.
  • It uses the reverse substitution table to decrypt
    the contents of the attack body and produce the
    original attack code.
  • The decryptor routine itself is not encrypted but
    is mutated using shellcode polymorphism.

10
Staging an actual attack
  • Targets a vulnerability in Windows Media Services.
  • The attack vector is 99 bytes long and must be
    present at the start of the HTTP request.
  • The attack needs 10Kb of data to cause the buffer
    overflow.
  • The IDS was trained on 15 days of HTTP traffic.
  • The attacker was allowed to learn the IDS profile
    for 1 day.

12
Countermeasures
  • Develop more efficient semantics-based IDSs that
    can be deployed on high-speed networks.
  • Use multiple IDS models built on independent
    features to better represent normal traffic.
  • Introduce randomness into the modelling of normal
    traffic (this makes it difficult for the attacker
    to build an artificial profile that is close to
    the real normal profile).
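
As an added illustration (not code from the paper or from the slides), here is a minimal PAYL-style byte-frequency model with the simplified Mahalanobis score PAYL is known for, covering both slide 3's payload-statistics modelling and the "independent features" countermeasure above: the training requests, the threshold rule (1.5 times the worst training score) and the two test payloads are all constructed here, and the shuffled payload merely stands in for anything that matches the 1-gram profile without being a real attack.

```python
import math
import random
from collections import Counter

def ngram_hist(payload: bytes, n: int) -> dict:
    """Relative frequency of each n-gram; n=1 is the byte-frequency feature PAYL uses."""
    grams = [payload[i:i + n] for i in range(len(payload) - n + 1)]
    return {g: c / len(grams) for g, c in Counter(grams).items()}

class NgramModel:
    """Mean/std of each n-gram over training payloads; score is the simplified
    Mahalanobis distance sum(|x - mean| / (std + alpha)) as in PAYL."""
    def __init__(self, n: int, alpha: float = 0.001):
        self.n, self.alpha, self.mean, self.std, self.threshold = n, alpha, {}, {}, 0.0

    def train(self, samples: list) -> None:
        hists = [ngram_hist(s, self.n) for s in samples]
        for k in set().union(*hists):
            vals = [h.get(k, 0.0) for h in hists]
            m = sum(vals) / len(vals)
            self.mean[k] = m
            self.std[k] = math.sqrt(sum((v - m) ** 2 for v in vals) / len(vals))
        # Threshold rule (an assumption): headroom above the worst-scoring training sample.
        self.threshold = 1.5 * max(self.score(s) for s in samples)

    def score(self, payload: bytes) -> float:
        h = ngram_hist(payload, self.n)
        return sum(abs(h.get(k, 0.0) - self.mean.get(k, 0.0)) / (self.std.get(k, 0.0) + self.alpha)
                   for k in sorted(set(self.mean) | set(h)))  # sorted: deterministic sum
    def is_anomalous(self, payload: bytes) -> bool:
        return self.score(payload) > self.threshold

# Constructed "normal" HTTP requests standing in for the IDS training traffic.
NORMAL = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
    b"GET /img/logo.png HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: image/png\r\n\r\n",
    b"GET /css/site.css HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/css\r\n\r\n",
    b"GET /js/app.js HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n",
]
# Constructed test payloads: one carrying raw high bytes, and one that keeps the exact
# byte histogram of a normal request but scrambles the byte order (1-gram-identical).
RAW_BINARY = b"GET /" + bytes(range(0x80, 0x100)) * 2 + b" HTTP/1.1\r\n\r\n"
SHUFFLED = bytes(random.Random(7).sample(NORMAL[0], len(NORMAL[0])))
def demo() -> dict:
    m1, m2 = NgramModel(1), NgramModel(2)
    m1.train(NORMAL); m2.train(NORMAL)
    return {"raw_1gram": m1.is_anomalous(RAW_BINARY),
            "shuffled_1gram": m1.is_anomalous(SHUFFLED),  # same byte histogram: missed
            "shuffled_2gram": m2.is_anomalous(SHUFFLED)}  # 2-gram structure broken: caught
```

The 1-gram model cannot tell the shuffled request from the original because their byte histograms are identical, while the 2-gram model, an independent feature, flags it immediately; that is the point of combining models the paper makes.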

13
Weaknesses
  • No explanation of why only PAYL was selected for
    the case study (maybe that's the only payload-
    statistics-based anomaly IDS available).
  • The paper operates under the assumption that the
    attacker knows the learning algorithm of the
    attacked IDS. Does this assumption seem
    realistic?
  • The paper also assumes that the attacker doesn't
    know the threshold setting (this seems to
    contradict the earlier assumption).

14
Strengths
  • Proposes a new kind of attack.
  • Discusses possible countermeasures for IDS
    designers.
  • Uses a real attack vector to implement the
    polymorphic blending attack and to provide the
    experimental results.

15
Suggested improvements
  • Explore techniques to determine the behaviour of
    the IDS (threshold and learning algorithm)
    assuming no internal knowledge.
  • Evaluate the attack on other anomaly IDSs based
    on payload statistics.
  • Explore techniques from querying over continuous
    data streams to model the normal profile of an
    IDS.
