Intrusion detection system evasion techniques: Difference between revisions

Pickyt (talk | contribs)
Payload obfuscation - encoding and encryption
Pickyt (talk | contribs)
Payload obfuscation - polymorphism
Line 19:
Attacks on encrypted protocols such as [[HTTPS]] cannot be read by an IDS unless the IDS has a copy of the private key used by the server to encrypt the communication.<ref name=":04">{{Cite journal|last=Ptacek|first=Thomas H.|last2=Newsham|first2=Timothy N.|date=1998-01-01|title=Insertion, evasion, and denial of service: Eluding network intrusion detection|url=http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.119.399&rank=1}}</ref> The IDS won't be able to match the encrypted traffic to signatures if it doesn't account for this.
 
=== Polymorphism ===
[[Polymorphic code]] is another means to circumvent signature-based IDSs by creating unique attack patterns, so that the attack does not have a single detectable signature.
Signature-based IDSs often look for common attack patterns in order to match malicious traffic to signatures. To detect [[buffer overflow]] attacks, for example, an IDS might look for evidence of [[NOP slide|NOP slides]], which are used to weaken the protection of [[address space layout randomization]].<ref name=":32">{{Cite journal|last=Chaboya|first=D. J.|last2=Raines|first2=R. A.|last3=Baldwin|first3=R. O.|last4=Mullins|first4=B. E.|date=2006-11-01|title=Network Intrusion Detection: Automated and Manual Methods Prone to Attack and Evasion|url=http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=4042655|journal=IEEE Security Privacy|volume=4|issue=6|pages=36–43|doi=10.1109/MSP.2006.159|issn=1540-7993}}</ref>
 
To obfuscate their attacks, attackers can use [[Polymorphic code|polymorphic shellcode]] to create unique attack patterns. This technique typically involves encoding the payload in some fashion (e.g., XOR-ing each byte with 0x95) and then placing a decoder in front of the payload before sending it. When the target executes the code, it first runs the decoder, which rewrites the payload into its original form, and the target then executes the restored payload.<ref name=":32" /><ref name=":14">{{Cite journal|last=Cheng|first=Tsung-Huan|last2=Lin|first2=Ying-Dar|last3=Lai|first3=Yuan-Cheng|last4=Lin|first4=Po-Ching|title=Evasion Techniques: Sneaking through Your Intrusion Detection/Prevention Systems|url=http://dx.doi.org/10.1109/SURV.2011.092311.00082|journal=IEEE Communications Surveys & Tutorials|volume=14|issue=4|pages=1011–1020|doi=10.1109/surv.2011.092311.00082}}</ref>
Attacks carried over encrypted protocols such as HTTPS are obfuscated in the same way, since the IDS sees only the encrypted form of the attack.
 
Polymorphic attacks don't have a single detectable signature, making them very difficult for signature-based IDS, and even some anomaly-based IDS, to detect.<ref name=":32" /><ref name=":14" /> [[Shikata ga nai]] ("it cannot be helped") is a popular polymorphic encoder in the [[Metasploit Project|Metasploit]] framework used to convert malicious [[shellcode]] into difficult-to-detect polymorphic shellcode using XOR additive feedback.<ref>{{cite web|url=http://www.rapid7.com/db/modules/encoder/x86/shikata_ga_nai|title=Polymorphic XOR Additive Feedback Encoder|work=rapid7.com}}</ref>
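The following is an added illustration, not code from the article or from any IDS or encoder it names. It models the two encodings the text describes with constructed byte strings: a fixed single-byte XOR (the 0x95 example), which a detector can undo by trying all 256 keys (the approach behind signature engines that scan for XOR-encoded strings), and an additive-feedback XOR in the style the text attributes to Shikata ga nai, where the key changes with every byte so that no single-key scan recovers the signature.

```python
# Added example (not from the article). All byte strings are constructed.
# SIGNATURE stands in for a NOP-slide pattern a signature-based IDS might match.
SIGNATURE = b"\x90" * 8


def xor_encode(payload: bytes, key: int) -> bytes:
    """Fixed single-byte XOR, the simple encoding the article describes.

    XOR is its own inverse, so the same function decodes.
    """
    return bytes(b ^ key for b in payload)


def additive_feedback_encode(payload: bytes, key: int) -> bytes:
    """Simplified model (an assumption, not the real encoder) of XOR additive
    feedback: after each byte is XOR-ed, the key is advanced by adding the
    plaintext byte to it, so the effective key differs for every position."""
    out = bytearray()
    for b in payload:
        out.append(b ^ key)
        key = (key + b) & 0xFF
    return bytes(out)


def signature_matches(data: bytes) -> bool:
    """Plain signature match, as a naive signature-based IDS would do it."""
    return SIGNATURE in data


def xor_key_scan(data: bytes):
    """Detector-side check: try every single-byte XOR key and report the key
    (if any) under which the signature appears in the decoded stream."""
    for key in range(256):
        if SIGNATURE in xor_encode(data, key):
            return key
    return None


def demo() -> dict:
    """Run both encodings over a constructed payload and report what the
    plain match and the key scan see in each case."""
    raw = b"AAAA" + SIGNATURE + b"\xcc" * 4
    fixed = xor_encode(raw, 0x95)
    feedback = additive_feedback_encode(raw, 0x95)
    return {
        "plain_match_on_fixed_xor": signature_matches(fixed),
        "key_recovered_from_fixed_xor": xor_key_scan(fixed),
        "plain_match_on_feedback": signature_matches(feedback),
        "key_recovered_from_feedback": xor_key_scan(feedback),
    }
```

The key scan recovers 0x95 from the fixed-XOR stream but finds nothing in the feedback stream, which is why detection of such encoders relies on recognising the decoder stub or on behaviour rather than on the encoded payload bytes.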
Intrusion detection systems often behave in a repetitive, predictable way, and an attacker who anticipates those patterns can avoid triggering them. Learning such patterns and then avoiding them can lead to a successful intrusion.<ref>http://www.youtube.com/watch?v=tyzLHFkdv6E</ref>
 
== Fragmentation and small packets ==