A mimicry attack is an exploit in which the basic behavioral objectives of a minimalist 'core' attack are used to design multiple attacks that achieve the same objective from the same application. Research in mimicry attacks is valuable for determining and eliminating detector weaknesses. In this work, we provide a process for evolving all components of a mimicry attack relative to the Stide (anomaly) detector under a Traceroute exploit. To do so, feedback from the detector is directly incorporated into the fitness function, thus guiding evolution towards potential blind spots in the detector. Results indicate that we are able to evolve mimicry attacks that reduce the detector anomaly rate from ~67% for the original core exploit to less than 3%, effectively making the attack indistinguishable from normal behaviors.
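The anomaly rate that the abstract reports is the Stide detector's output: Stide learns the set of fixed-length system-call windows seen in normal traces and flags each window of a new trace that is absent from that set. The following is an added illustration of that metric, not code from the paper; the system-call traces are constructed, the window length (k = 3) is chosen for readability rather than taken from the paper, and the threshold in `classify` is an assumed value.

```python
"""Minimal Stide-style anomaly detector: sliding-window (n-gram) model of
system-call sequences, reporting the fraction of windows unseen in training.
Added example; traces and the window length are constructed for illustration."""

# Constructed 'normal' traces of a small network utility (assumption, not real data).
NORMAL_TRACES = [
    ["execve", "brk", "mmap", "open", "fstat", "mmap", "close",
     "read", "write", "close", "exit_group"],
    ["execve", "brk", "mmap", "open", "fstat", "mmap", "close",
     "socket", "sendto", "recvfrom", "write", "close", "exit_group"],
]

WINDOW = 3           # window length k (illustrative; Stide is usually run with larger k)
THRESHOLD = 0.10     # assumed alert threshold on the anomaly rate


def windows(trace, k=WINDOW):
    """Every length-k contiguous window of a trace, as tuples."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def stide_train(traces, k=WINDOW):
    """Build the normal database: the set of all length-k windows seen in normal traces."""
    db = set()
    for trace in traces:
        db.update(windows(trace, k))
    return db


def stide_mismatches(db, trace, k=WINDOW):
    """Windows of `trace` that never occurred in training (what an analyst would triage)."""
    return [w for w in windows(trace, k) if w not in db]


def stide_anomaly_rate(db, trace, k=WINDOW):
    """Fraction of the trace's windows that are mismatches; 0.0 for traces too short to window."""
    wins = windows(trace, k)
    if not wins:
        return 0.0
    return len(stide_mismatches(db, trace, k)) / len(wins)


def classify(db, trace, threshold=THRESHOLD, k=WINDOW):
    """'anomalous' when the mismatch rate exceeds the (assumed) threshold, else 'normal'."""
    return "anomalous" if stide_anomaly_rate(db, trace, k) > threshold else "normal"


if __name__ == "__main__":
    db = stide_train(NORMAL_TRACES)
    # A trace identical in behaviour to training data: no mismatching windows.
    normal = NORMAL_TRACES[1]
    # A constructed trace whose tail (setuid followed by execve) was never seen in training.
    suspicious = ["execve", "brk", "mmap", "open", "fstat", "mmap", "close",
                  "setuid", "execve", "exit_group"]
    for name, trace in (("normal", normal), ("suspicious", suspicious)):
        print(name, classify(db, trace), f"rate={stide_anomaly_rate(db, trace):.3f}",
              stide_mismatches(db, trace))
```

The mismatch rate is what a mimicry attack tries to drive down: every window the attack emits must already be in the normal database, so the size of the database and the window length directly set how much room a detector leaves. A defender reviewing a Stide deployment should therefore check the coverage of the training set and the window length alongside the threshold, since a large, permissive database is exactly the blind spot the abstract describes.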