Polymorphic Blending Attacks
Authors
Abstract
A very effective means to evade signature-based intrusion detection systems (IDS) is to employ polymorphic techniques to generate attack instances that do not share a fixed signature. Anomaly-based intrusion detection systems provide good defense because existing polymorphic techniques can make the attack instances look different from each other, but cannot make them look like normal. In this paper we introduce a new class of polymorphic attacks, called polymorphic blending attacks, that can effectively evade byte frequency-based network anomaly IDS by carefully matching the statistics of the mutated attack instances to the normal profiles. The proposed polymorphic blending attacks can be viewed as a subclass of the mimicry attacks. We take a systematic approach to the problem and formally describe the algorithms and steps required to carry out such attacks. We not only show that such attacks are feasible but also analyze the hardness of evasion under different circumstances. We present detailed techniques using PAYL, a byte frequency-based anomaly IDS, as a case study and demonstrate that these attacks are indeed feasible. We also provide some insight into possible countermeasures that can be used as defense.
Similar sources
On Blending Attacks For Mixes with Memory Extended Version
Blending attacks are a general class of traffic-based attacks, exemplified by the (n − 1)-attack. Adding memory or pools to mixes mitigates against such attacks, however there are few known quantitative results concerning the effect of pools on blending attacks. In this paper we give a precise analysis of the number of rounds required to perform a blending attack for the pool mix, timed pool mi...
Mahalanobis Distance Map Approach for Anomaly Detection of Web-Based Attacks
Web servers and web-based applications are commonly used as attack targets. The main issues are how to prevent unauthorised access and to protect web servers from the attack. Intrusion Detection Systems (IDSs) are widely used security tools to detect cyber-attacks and malicious activities in computer systems and networks. In this paper, we focus on the detection of various web-based attacks usi...
McPAD: A multiple classifier system for accurate payload-based anomaly detection
Anomaly-based network Intrusion Detection Systems (IDS) are valuable tools for the defense-in-depth of computer networks. Unsupervised or unlabeled learning approaches for network anomaly detection have been recently proposed. Such anomaly-based network IDS are able to detect (unknown) zero-day attacks, although much care has to be dedicated to controlling the amount of false positives generate...
Schema blending and stable structure in online social systems
Autonomous online social systems can emerge from the interaction between the stable social practices of soliciting and eavesdropping when they are performed online. These practices are distributed manifestations of the stable mental operation of conceptual blending. The technology mediating the communication in the practices must be polymorphic, noisy and open.
An Empirical Study of Real-world Polymorphic Code Injection Attacks
Remote code injection attacks against network services remain one of the most effective and widely used exploitation methods for malware propagation. In this paper, we present a study of more than 1.2 million polymorphic code injection attacks targeting production systems, captured using network-level emulation. We focus on the analysis of the structure and operation of the attack code, as well...