Revision as of 19:02, 1 April 2022 edit 2001:1c01:2c1c:3600:873:22e:bac8:3bd6 (talk) →Polymorphism ← Previous edit		Revision as of 13:24, 3 August 2022 edit undo Citation bot (talk \| contribs) Bots 5,862,486 edits Add: s2cid, authors 1-1. Removed parameters. Some additions/deletions were parameter name changes. \| Use this bot. Report bugs. \| Suggested by Abductive \| #UCB_webform 2942/3850 Next edit →
Line 7: === Encoding === Application layer protocols like [[Hypertext Transfer Protocol\|HTTP]] allow for multiple encodings of data which are interpreted as the same value. For example, the string "cgi-bin" in a [[Uniform Resource Locator\|URL]] can be encoded as "%63%67%69%2d%62%69%6e" (i.e., in hexadecimal).<ref name=":12">{{Cite journal\|~~last~~last1=Cheng\|~~first~~first1=Tsung-Huan\|last2=Lin\|first2=Ying-Dar\|last3=Lai\|first3=Yuan-Cheng\|last4=Lin\|first4=Po-Ching\|title=Evasion Techniques: Sneaking through Your Intrusion Detection/Prevention Systems\|journal=IEEE Communications Surveys & Tutorials\|volume=14\|issue=4\|pages=1011–1020\|doi=10.1109/surv.2011.092311.00082\|year=2012\|citeseerx=10.1.1.299.5703\|s2cid=1949199 }}</ref> A web server will view these as the same string and act on them accordingly. An IDS must be aware of all of the possible encodings that its end hosts accept in order to match network traffic to known-malicious sinatures.<ref name=":12" /><ref name=":22">{{Cite journal\|~~last~~last1=Corona\|~~first~~first1=Igino\|last2=Giacinto\|first2=Giorgio\|last3=Roli\|first3=Fabio\|title=Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues\|journal=Information Sciences\|volume=239\|pages=201–225\|doi=10.1016/j.ins.2013.03.022\|year=2013}}</ref> Attacks on encrypted protocols such as [[HTTPS]] cannot be read by an IDS unless the IDS has a copy of the private key used by the server to encrypt the communication.<ref name=":04">{{Cite journal\|~~last~~last1=Ptacek\|~~first~~first1=Thomas H.\|last2=Newsham\|first2=Timothy N.\|date=1998-01-01\|title=Insertion, evasion, and denial of service: Eluding network intrusion detection\|citeseerx=10.1.1.119.399}}</ref> The IDS won't be able to match the encrypted traffic to signatures if it doesn't account for this. === Polymorphism === Signature-based IDS often look for common attack patterns to match malicious traffic to signatures. To detect [[buffer overflow]] attacks, an IDS might look for the evidence of [[NOP slide]]s which are used to weaken the protection of [[address space layout randomization]].<ref name=":32">{{Cite journal\|~~last~~last1=Chaboya\|~~first~~first1=D. J.\|last2=Raines\|first2=R. A.\|last3=Baldwin\|first3=R. O.\|last4=Mullins\|first4=B. E.\|date=2006-11-01\|title=Network Intrusion Detection: Automated and Manual Methods Prone to Attack and Evasion\|journal=IEEE Security Privacy\|volume=4\|issue=6\|pages=36–43\|doi=10.1109/MSP.2006.159\|s2cid=11444752 \|issn=1540-7993}}</ref> To obfuscate their attacks, attackers can use [[Polymorphic code\|polymorphic shellcode]] to create unique attack patterns. This technique typically involves encoding the payload in some fashion (e.g., [[XOR]]-ing each byte with 0x95), then placing a decoder in front of the payload before sending it. When the target executes the code, it runs the decoder which rewrites the payload into its original form which the target then executes.<ref name=":12" /><ref name=":32" />

Intrusion detection system evasion techniques: Difference between revisions