Mimicry Attacks on Host-Based Intrusion Detection


Presentation Transcript

Slide 1

Mimicry Attacks on Host-Based Intrusion Detection
David Wagner, Paolo Soto
University of California at Berkeley

Slide 2

Preview
The point of this talk: How do we evaluate the security of a host-based IDS against sophisticated attempts to evade detection?
One answer: "adversarial scholarship"

Slide 3

The Cryptographer's Creed
Conservative design: Systems should be evaluated by the worst failure that is at all plausible under assumptions favorable to the attacker. *
Kerckhoffs' principle: Systems should remain secure even when the attacker knows every internal detail of the system.
The study of attacks: We should devote considerable effort to trying to break our own systems; this is how we gain confidence in their security.
* Credits: Gwyn

Slide 4

Research Into Attacks
We could benefit from a stronger tradition of research into attacks on intrusion detection.
Table 1. Papers published in the past five years, by topic (only the cell values survived extraction, without their row and column labels: 120, 81, 100, 7).

Slide 5

In This Talk…
How do we evaluate the security of a host-based IDS against sophisticated attempts to evade detection?
Organization of this talk:
Host-based intrusion detection
Mimicry attacks, and how to find them
Attacking pH, a host-based IDS
Concluding thoughts

Slide 6

Host-based Intrusion Detection
Anomaly detection: the IDS monitors the system call trace from the application.
The DB contains a list of subtraces that are allowed to appear.
Any observed subtrace not in the DB triggers an alarm.
[Figure: App → allowed traces → IDS → Operating System]

Slide 7

The Mimicry Attack
1. Take control of the application, e.g., by a buffer overrun.
2. Execute the payload while mimicking normal application behavior.
If the exploit sequence contains only allowed subtraces, the intrusion will remain undetected.
[Figure: App → allowed traces → malicious payload → IDS → Operating System]

Slide 8

When Are Attacks Possible?
The central question for mimicry attacks: Can we construct an exploit sequence out of only allowed subtraces and still cause any harm?
Assumptions:
The IDS algorithm + DB is known to the attacker [Kerckhoffs]
The attacker can take control of the application undetected [Conservative design]

Slide 9

Disguising the Payload
The attacker has many degrees of freedom:
Wait until the malicious payload would be allowed.
Vary the malicious payload by inserting no-ops, e.g., (void) getpid() or open(NULL,0). In fact, almost all syscalls can be turned into no-ops.
Note: the set of choices can be expressed as a regexp. Let N denote the set of no-op-able syscalls. Then open() write() can be replaced by anything matching N* open() N* write() N*

Slide 10

A Theoretical Framework
To check whether there is a mimicry attack:
Let Σ = the set of security-relevant events, M = the set of "bad" traces that do harm to the system, A = the set of traces allowed by the IDS (M, A ⊆ Σ*).
If M ∩ A ≠ ∅, then there is a mimicry attack.
[Figure: Venn diagram of M and A]

Slide 11

A Theoretical Framework
To check whether there is a mimicry attack:
Let Σ = the set of security-relevant events, M = the set of "bad" traces that do harm to the system, A = the set of traces allowed by the IDS (M, A ⊆ Σ*).
If M ∩ A ≠ ∅, then there is a mimicry attack.
Then just apply automata theory:
M: a regular expression (regular language)
A: a finite-state system (regular language)
This works because IDSs are typically just finite-state machines.
[Figure: Venn diagram of M and A]
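The check the framework describes on slides 9 to 11 (does the regular language N* p1 N* … N* pn N* of disguised payloads intersect the language accepted by a finite-state IDS?) can be run mechanically with a product-automaton search. The following is an added example, not code from the talk or from pH: it models the IDS as a window-based database of length-k subtraces (as on slide 6) and searches for a witness of M ∩ A over a constructed toy trace, set of no-op-able calls and payload; all of those values are invented for illustration.

```python
from collections import deque
# Constructed toy data (not from the paper): a server's "normal" syscall trace
# and the syscalls the attacker can issue as no-ops
# (cf. (void) getpid(), read(fd, buf, 0), close(-1)); window length k = 3.
NORMAL_TRACE = ["read", "open", "getpid", "write", "close",
                "read", "getpid", "open", "read", "write", "close"]
NOOPS = {"getpid", "read", "close"}

def allowed_windows(trace, k):
    # A: the IDS database of every length-k subtrace seen in normal behaviour
    return {tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)}

def ids_accepts(db, k, start_window, trace):
    # True if a window-based IDS stays silent on `trace`, given the
    # application's last k-1 calls `start_window` at the moment of takeover
    seen = list(start_window)
    for call in trace:
        seen.append(call)
        if tuple(seen[-k:]) not in db:
            return False
    return True

def find_mimicry(db, k, start_window, payload, noops, alphabet):
    # BFS over the product of the IDS state (its last k-1 calls) and the regexp
    # N* p1 N* ... N* pn N* (index of next payload call); needs k >= 2
    start = (tuple(start_window[-(k - 1):]), 0)
    parent = {start: None}
    queue = deque([start])
    while queue:
        window, i = queue.popleft()
        if i == len(payload):               # witness for M ∩ A: rebuild trace
            trace, state = [], (window, i)
            while parent[state] is not None:
                state, call = parent[state]
                trace.append(call)
            return trace[::-1]
        for call in alphabet:
            if window + (call,) not in db:  # this step would raise an alarm
                continue
            next_states = set()
            if i < len(payload) and call == payload[i]:
                next_states.add(i + 1)      # deliver the next payload call
            if call in noops:
                next_states.add(i)          # spend the call as a no-op
            for j in next_states:
                nxt = ((window + (call,))[1:], j)
                if nxt not in parent:
                    parent[nxt] = ((window, i), call)
                    queue.append(nxt)
    return None                             # M ∩ A empty: no mimicry attack
```

For the toy database the bare payload open() write() is rejected from the window (close, read), while the search finds the accepted disguise getpid() open() read() write(); a defender can run the same search against a real database to measure how much slack the allowed-trace set leaves.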

Slide 12

Experience: Mimicry in Practice
The test:
pH: a host-based IDS [SF00]
autowux: a wuftpd exploit
No mimicry attacks with the original payload … but after a slight modification …

Slide 13

A Successful Mimicry Attack
We found a modified payload that raises no alarms and has the same effect on the system ⇒ pH may be at risk from mimicry attacks.

Slide 14

Conclusions
Mimicry attacks: a threat to host-based IDS?
Practical implications not known.
The study of attacks is important.
Unfortunately, there's so much we don't know…
