Polymorphic blending attacks

Polymorphic blending attacks (2006)

Cached

Download Links

by Prahlad Fogla , Monirul Sharif , Roberto Perdisci , Oleg Kolesnikov , Wenke Lee

Venue:	In Proceedings of the 15 th USENIX Security Symposium
Citations:	33 - 5 self

BibTeX

@INPROCEEDINGS{Fogla06polymorphicblending,
    author = {Prahlad Fogla and Monirul Sharif and Roberto Perdisci and Oleg Kolesnikov and Wenke Lee},
    title = {Polymorphic blending attacks},
    booktitle = {In Proceedings of the 15 th USENIX Security Symposium},
    year = {2006},
    pages = {241--256}
}

Years of Citing Articles

Bookmark

OpenURL

Abstract

A very effective means to evade signature-based intrusion detection systems (IDS) is to employ polymorphic techniques to generate attack instances that do not share a fixed signature. Anomaly-based intrusion detection systems provide good defense because existing polymorphic techniques can make the attack instances look different from each other, but cannot make them look like normal. In this paper we introduce a new class of polymorphic attacks, called polymorphic blending attacks, that can effectively evade byte frequencybased network anomaly IDS by carefully matching the statistics of the mutated attack instances to the normal profiles. The proposed polymorphic blending attacks can be viewed as a subclass of the mimicry attacks. We take a systematic approach to the problem and formally describe the algorithms and steps required to carry out such attacks. We not only show that such attacks are feasible but also analyze the hardness of evasion under different circumstances. We present detailed techniques using PAYL, a byte frequency-based anomaly IDS, as a case study and demonstrate that these attacks are indeed feasible. We also provide some insight into possible countermeasures that can be used as defense. 1

Citations

7321	Introduction to Algorithms - Cormen, Leiserson, et al. - 2001
457	A sense of self for unix processes - Forrest, Hofmeyr, et al. - 1996
246	Insertion, evasion, and denial of service: eluding Network intrusion detection,” Secure Networks - Ptacek, Newsham - 1998
245	D (2001) Intrusion detection via static analysis - Wagner, Dean
181	D.: Polygraph: Automatically generating signatures for polymorphic worms - Newsome, Karp, et al. - 2005
160	Anomalous payload-based network intrusion detection - WANG, STOLFO
158	P (2002) Mimicry attacks on host-based intrusion detection systems. In: CCS’02: proc of the 9th ACM conf on comp and comm security - Wagner, Soto
146	Shield: Vulnerability-driven network filters for preventing known vulnerability exploits - Wang, Guo, et al. - 2004
144	Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics,” Proc. Ninth USENIX Security Symp., 2000. 7. AUTHORS PROFILE N. Kannaiya Raja received degree MCA from Alagappa University and ME from Anna University Chennai - Handley, Paxson, et al.
112	Anomaly detection using call stack information - Feng, Koleshnikov, et al.
100	Semantics-aware malware detection - Christodorescu, Jha, et al. - 2005
92	Anomaly detection of web-based attacks - Kruegel, Vigna - 2003
85	Polymorphic worm detection using structural information of executables - Kruegel, Kirda, et al. - 2005
85	Learning nonstationary models of normal network traffic for detecting novel attacks - Mahoney, Chan - 2002
81	Undermining an anomaly-based intrusion detection system using common exploits - Tan, Killourhy, et al. - 2002
77	Accurate buffer overflow detection via abstract payload execution - Toth, Kruegel - 2002
70	S.: Anomalous payload-based worm detection and signature generation - Wang, Cretu, et al.
69	B.: Formalizing Sensitivity in Static Analysis for Intrusion Detection - Feng, Giffin, et al. - 2004
65	Automating mimicry attacks using static binary analysis - Kruegel, Kirda, et al. - 2005
52	Polymorphic shellcode engine using spectrum analysis - Detristan, Ulenspiegel, et al. - 2003
51	E.: Service specific anomaly detection for network intrusion detection - Kruegel, Toth, et al. - 2002
51	Testing Network-based Intrusion Detection Signatures using Mutant Exploits - Vigna, Robertson, et al. - 2004
46	Advanced polymorphic worms: Evading IDS by blending in with normal traffic,” Georgia - Kolesnikov, Dagon, et al. - 2004
36	Network traffic anomaly detection based on packet bytes - Mahoney - 2003
33	Automatic generation and analysis of NIDS attacks - Rubin, Jha, et al. - 2004
32	A Fast Static Analysis Approach to Detect Exploit Code Inside Network Flows - Chinchani, Berg - 2005
25	Misleading worm signature generators using deliberate noise injection - Perdisci, Dagon, et al. - 2006
22	STRIDE: Polymorphic sled detection through instruction sequence analysis - Akritidis, Markatos, et al. - 2005
8	Jempiscodes: Polymorphic shellcode generator. www.shellcode.com.ar/en/proyectos.html - Sedalo
8	Polymorphic viruses: Implementation, detection, and protection - Yetiser
5	Intelligence Group. Phatbot Trojan Analysis. Available at www.lurhq.com/phatbot.html - Threat - 2004
5	A look at whisker’s anti- ids tactics just how bad can we ruin a good thing? www.wiretrip.net/rfp/txt/whiskerids.html - Puppy - 1999
5	Advanced code evolution techniques and computer virus generation toolkits - Szor - 2005
4	media services remote command execution exploit - Windows - 2003
2	Admmutate: Shellcode mutation engine - Ktwo - 2001
2	Fragroute: a tcp/ip fragmenter. www.monkey.org/∼dugsong/fragroute - Song - 2002