Intrusion detection system evasion techniques: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 17:30, 7 June 2023 edit Musicman103 (talk \| contribs) Extended confirmed users 1,591 edits m →Memory exhaustion: typo ← Previous edit		Latest revision as of 20:15, 25 July 2025 edit undo JCW-CleanerBot (talk \| contribs) Bots 136,797 edits m →Polymorphism: clean up, replaced: IEEE Security Privacy → IEEE Security & Privacy Tag: AWB
(One intermediate revision by one other user not shown)
Line 7: === Encoding === Application layer protocols like [[Hypertext Transfer Protocol\|HTTP]] allow for multiple encodings of data which are interpreted as the same value. For example, the string "cgi-bin" in a [[Uniform Resource Locator\|URL]] can be encoded as "%63%67%69%2d%62%69%6e" (i.e., in hexadecimal).<ref name=":12">{{Cite journal\|last1=Cheng\|first1=Tsung-Huan\|last2=Lin\|first2=Ying-Dar\|last3=Lai\|first3=Yuan-Cheng\|last4=Lin\|first4=Po-Ching\|title=Evasion Techniques: Sneaking through Your Intrusion Detection/Prevention Systems\|journal=IEEE Communications Surveys & Tutorials\|volume=14\|issue=4\|pages=1011–1020\|doi=10.1109/surv.2011.092311.00082\|year=2012\|citeseerx=10.1.1.299.5703\|s2cid=1949199 }}</ref> A web server will view these as the same string and act on them accordingly. An IDS must be aware of all of the possible encodings that its end hosts accept in order to match network traffic to known-malicious ~~sinatures~~signatures.<ref name=":12" /><ref name=":22">{{Cite journal\|last1=Corona\|first1=Igino\|last2=Giacinto\|first2=Giorgio\|last3=Roli\|first3=Fabio\|title=Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues\|journal=Information Sciences\|volume=239\|pages=201–225\|doi=10.1016/j.ins.2013.03.022\|year=2013}}</ref> Attacks on encrypted protocols such as [[HTTPS]] cannot be read by an IDS unless the IDS has a copy of the private key used by the server to encrypt the communication.<ref name=":04">{{Cite journal\|last1=Ptacek\|first1=Thomas H.\|last2=Newsham\|first2=Timothy N.\|date=1998-01-01\|title=Insertion, evasion, and denial of service: Eluding network intrusion detection\|citeseerx=10.1.1.119.399}}</ref> The IDS won't be able to match the encrypted traffic to signatures if it doesn't account for this. === Polymorphism === Signature-based IDS often look for common attack patterns to match malicious traffic to signatures. To detect [[buffer overflow]] attacks, an IDS might look for the evidence of [[NOP slide]]s which are used to weaken the protection of [[address space layout randomization]].<ref name=":32">{{Cite journal\|last1=Chaboya\|first1=D. J.\|last2=Raines\|first2=R. A.\|last3=Baldwin\|first3=R. O.\|last4=Mullins\|first4=B. E.\|date=2006-11-01\|title=Network Intrusion Detection: Automated and Manual Methods Prone to Attack and Evasion\|journal=IEEE Security & Privacy\|volume=4\|issue=6\|pages=36–43\|doi=10.1109/MSP.2006.159\|s2cid=11444752 \|issn=1540-7993}}</ref> To obfuscate their attacks, attackers can use [[Polymorphic code\|polymorphic shellcode]] to create unique attack patterns. This technique typically involves encoding the payload in some fashion (e.g., [[XOR]]-ing each byte with 0x95), then placing a decoder in front of the payload before sending it. When the target executes the code, it runs the decoder which rewrites the payload into its original form which the target then executes.<ref name=":12" /><ref name=":32" />