Intrusion detection system evasion techniques: Difference between revisions

Pickyt (talk | contribs)
Payload obfuscation
Pickyt (talk | contribs)
Payload obfuscation - encoding and encryption
 
==Payload obfuscation==
An IDS can be evaded by obfuscating or encoding the attack payload in a way that the target computer will reverse but the IDS will not. In this way, an attacker can exploit the end host without alerting the IDS. In the past, an adversary could use [[Unicode]] encoding to construct attack packets that an IDS would not recognize but that an [[Internet Information Services|IIS web server]] would decode, leaving the server exposed to the attack.
 
=== Encoding and encryption ===
Application layer protocols like [[Hypertext Transfer Protocol|HTTP]] allow for multiple encodings of data which are interpreted as the same value. For example, the string "cgi-bin" in a [[Uniform Resource Locator|URL]] can be encoded as "%63%67%69%2d%62%69%6e" (i.e., each character written as a percent-escaped hexadecimal byte).<ref name=":12">{{Cite journal|last=Cheng|first=Tsung-Huan|last2=Lin|first2=Ying-Dar|last3=Lai|first3=Yuan-Cheng|last4=Lin|first4=Po-Ching|title=Evasion Techniques: Sneaking through Your Intrusion Detection/Prevention Systems|url=https://doi.org/10.1109/SURV.2011.092311.00082|journal=IEEE Communications Surveys & Tutorials|volume=14|issue=4|pages=1011–1020|doi=10.1109/surv.2011.092311.00082}}</ref> A web server will treat these as the same string and act on them accordingly. An IDS must therefore be aware of all of the possible encodings that its end hosts accept, and normalize traffic to the form the host will see, in order to match network traffic to known-malicious signatures.<ref name=":12" /><ref name=":22">{{Cite journal|last=Corona|first=Igino|last2=Giacinto|first2=Giorgio|last3=Roli|first3=Fabio|title=Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues|url=https://doi.org/10.1016/j.ins.2013.03.022|journal=Information Sciences|volume=239|pages=201–225|doi=10.1016/j.ins.2013.03.022}}</ref>
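The following is an added illustration of the point above, not code from the article or from any cited paper: a small detector that compares a naive substring signature match against a match performed after canonicalizing the URL path the way a web server would decode it. It assumes a single constructed signature ("cgi-bin"), that the protected host percent-decodes the path once, and that a request which still contains %XX sequences after one decoding pass (i.e. a doubly-encoded path) is worth flagging on its own; all sample paths are constructed.

```python
import re
from urllib.parse import unquote

# Constructed signature: the literal path fragment the IDS is looking for.
SIGNATURE = "cgi-bin"

# Matches one percent-escaped byte, accepting upper- or lower-case hex digits.
_PCT_ESCAPE = re.compile(r"%[0-9a-fA-F]{2}")


def canonicalize(url_path: str, max_passes: int = 2) -> tuple[str, int]:
    """Return (canonical_path, decode_passes_used).

    Percent-decodes repeatedly until no %XX escapes remain or max_passes is
    reached, then lower-cases the result. Assumption: the end host decodes
    once, so a second pass only happens when the request was double-encoded.
    """
    current = url_path
    passes = 0
    while _PCT_ESCAPE.search(current) and passes < max_passes:
        current = unquote(current)
        passes += 1
    return current.lower(), passes


def naive_match(url_path: str) -> bool:
    """Signature match on the raw bytes, as a naive IDS would do it."""
    return SIGNATURE in url_path


def canonical_match(url_path: str) -> bool:
    """Signature match on the path as the end host would interpret it."""
    canonical, _ = canonicalize(url_path)
    return SIGNATURE in canonical


def inspect(url_path: str) -> dict:
    """Summarize both match strategies and whether the path was double-encoded."""
    canonical, passes = canonicalize(url_path)
    return {
        "raw": url_path,
        "canonical": canonical,
        "naive_hit": naive_match(url_path),
        "canonical_hit": SIGNATURE in canonical,
        "double_encoded": passes > 1,
    }


if __name__ == "__main__":
    # Constructed request paths: plain, hex-encoded (as in the article),
    # upper-case hex, and double-encoded.
    samples = [
        "/cgi-bin/test.cgi",
        "/%63%67%69%2d%62%69%6e/test.cgi",
        "/%63%67%69%2D%62%69%6E/test.cgi",
        "/%2563%2567%2569%252d%2562%2569%256e/test.cgi",
    ]
    for path in samples:
        result = inspect(path)
        print(f"{result['raw']:<48} naive={result['naive_hit']!s:<5} "
              f"canonical={result['canonical_hit']!s:<5} "
              f"double_encoded={result['double_encoded']}")
```

Only the first sample is caught by the raw match; the other three reach the host as "/cgi-bin/test.cgi" and are caught only after canonicalization. The pass counter is the practitioner's caveat: decoding "until stable" can itself diverge from the host's behaviour, so the canonicalizer should mirror exactly how many decoding steps the protected server performs and treat anything beyond that as an anomaly rather than silently decoding it.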
 
Attacks carried over encrypted protocols such as [[HTTPS]] cannot be inspected by an IDS unless the IDS has a copy of the private key used by the server to encrypt the communication.<ref name=":04">{{Cite journal|last=Ptacek|first=Thomas H.|last2=Newsham|first2=Timothy N.|date=1998-01-01|title=Insertion, evasion, and denial of service: Eluding network intrusion detection|url=http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.119.399&rank=1}}</ref> If it does not account for this, the IDS cannot match the encrypted traffic against its signatures.
 
[[Polymorphic code]] is another means of circumventing signature-based IDSs: each instance of the attack is generated with a different byte pattern, so the attack has no single signature that can be detected.