Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mimicry Attacks on Host- Based Intrusion Detection David Wagner Paolo Soto University of California at Berkeley.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Mimicry Attacks on Host- Based Intrusion Detection David Wagner Paolo Soto University of California at Berkeley."— Presentation transcript:

1 Mimicry Attacks on Host- Based Intrusion Detection David Wagner Paolo Soto University of California at Berkeley

2 Preview The topic of this talk: How do we evaluate the security of a host-based IDS against sophisticated attempts to evade detection? One answer: “adversarial scholarship”

3 The Cryptographer’s Creed Conservative design Systems should be evaluated by the worst failure that is at all plausible under assumptions favorable to the attacker * * Credits: Gwyn Kerkhoff’s principle Systems should remain secure even when the attacker knows all internal details of the system The study of attacks We should devote considerable effort to trying to break our own systems; this is how we gain confidence in their security

4 The Stakes The risk of ignoring attacks: Consider virus scanners Widely deployed despite possible evasion attacks Yet polymorphic and stealthy viruses soon appeared in the wild  The result: An arms race

5 Research Into Attacks We could benefit from a stronger tradition of research into potential attacks on intrusion detection DesignAttacks Block ciphers Intrusion detection Table 1. Papers published in the past five years, by subject. 81100 1207

6 Research Into Attacks We could benefit from a stronger tradition of research into attacks on intrusion detection DesignAttacks Block ciphers Intrusion detection Table 1. Papers published in the past five years, by subject. 1207 81100

7 Research Into Attacks Block ciphersIntrusion detection Table 1. Papers published in the past five years, by subject. We could benefit from a stronger tradition of research into potential attacks on intrusion detection

8 In This Talk… Organization of this talk: Host-based intrusion detection Mimicry attacks, and how to find them Attacking pH, a host-based IDS Concluding thoughts How do we evaluate the security of a host-based IDS against sophisticated attempts to evade detection?

9 Host-based Intrusion Detection Anomaly detection: IDS monitors system call trace from the app DB contains a list of subtraces that are allowed to appear Any observed subtrace not in DB sets off alarms App allowed traces IDS Operating System

10 The Mimicry Attack 1. Take control of the app. e.g., by a buffer overrun App allowed traces IDS Operating System malicious payload 2. Execute payload while mimicking normal app behavior. If exploit sequence contains only allowed subtraces, the intrusion will remain undetected.

11 When Are Attacks Possible? The central question for mimicry attacks: Can we craft an exploit sequence out of only allowed subtraces and still cause any harm? Assumptions: IDS algorithm + DB is known to attacker [Kerkhoff ] Can take control of app undetected [Conservative design ]

12 Disguising the Payload Attacker has many degrees of freedom: Wait until malicious payload would be allowed Vary the malicious payload by adding no-ops e.g., (void) getpid() or open(NULL,0) In fact, nearly all syscalls can be turned into no-ops Note: the set of choices can be expressed as a regexp Let N denote the set of no-op-able syscalls Then open() write() can be replaced by anything matching N * open() N * write() N *

13 A Theoretical Framework Definitions: Σ denotes the set of syscalls; M = {T  Σ * : the malicious trace T does damage}; A = {T  Σ * : T is allowed by the IDS} An undetected malicious sequence exists iff M  A  Ø Testing for mimicry attacks reduces to automata theory IDS’s are typically finite-state  A given by a FSA Hence, M and A are typically regular languages, and then we can efficiently check whether M  A  Ø

14 To check whether there is a mimicry attack: Let Σ = set of security-relevant events, M = set of “bad” traces that do damage to the system, A = set of traces allowed by the IDS ( M, A  Σ*) If M  A  Ø, then there is a mimicry attack A Theoretical Framework A M

15 To check whether there is a mimicry attack: Let Σ = set of security-relevant events, M = set of “bad” traces that do damage to the system, A = set of traces allowed by the IDS ( M, A  Σ*) If M  A  Ø, then there is a mimicry attack Then just apply automata theory M : regular expression (regular language) A : finite-state system (regular language) Works since IDS’s are typically just finite-state machines A Theoretical Framework A M

16 Experience: Mimicry in Action The experiment: pH: a host-based IDS [SF00] autowux: a wuftpd exploit No mimicry attacks with the original payload … but, after a slight modification …

17 A Successful Mimicry Attack We found a modified payload that raises no alarms and has a similar effect on the system  pH may be at risk for mimicry attacks

18 Conclusions Mimicry attacks: A threat to host-based IDS? Practical implications not known The study of attacks is important Unfortunately, there’s so much we don’t know…

Download ppt "Mimicry Attacks on Host- Based Intrusion Detection David Wagner Paolo Soto University of California at Berkeley."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
12-1 Last time Security in Networks Threats in Networks.

12-1 Last time Security in Networks Threats in Networks.
1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.

1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.
On the Hardness of Evading Combinations of Linear Classifiers Daniel Lowd University of Oregon Joint work with David Stevens.

On the Hardness of Evading Combinations of Linear Classifiers Daniel Lowd University of Oregon Joint work with David Stevens.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.

Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea 34901784 443099

Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.

Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.
MOPS MOdelchecking Security Properties David Wagner U.C. Berkeley.

MOPS MOdelchecking Security Properties David Wagner U.C. Berkeley.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
What Makes for a Successful Protocol? Presented By: Nigel Medforth.

What Makes for a Successful Protocol? Presented By: Nigel Medforth.
Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.

Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.
Copyright © 1995-2009 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Similar presentations

Ads by Google