Themis: Ambiguity-Aware Network Intrusion Detection based on Symbolic Model Comparison

Network intrusion detection systems (NIDS) can be evaded by carefully crafted packets that exploit implementation-level discrepancies between how packets are processed at the NIDS and at the endhosts. These discrepancies arise from the plethora of endhost implementations and their evolution over time. It is prohibitive to proactively employ a large set of implementations at the NIDS and check every incoming packet against all of them, so NIDS typically adopt a simplified implementation that attempts to approximate and generalize across the different endhost implementations. Unfortunately, this approach is fundamentally flawed: any such approximation is bound to diverge from some endhost implementation on some input. In this paper, we develop Themis, a lightweight system that enables the NIDS to identify these discrepancies and to reactively fork its connection state whenever a packet with "ambiguities" is encountered. Specifically, Themis incorporates an offline phase that extracts models from various popular implementations using symbolic execution. At runtime, it maintains a nondeterministic finite automaton that keeps track of the connection state under each possible implementation. Our extensive evaluation shows that Themis is highly effective, detecting all evasion attacks known to date while incurring very low overhead. En route, we also discovered multiple previously unknown discrepancies that can be exploited to bypass current NIDS.
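The runtime idea in the abstract (one automaton whose branches hold the connection state of every endhost implementation still consistent with the packets seen, forking when implementations disagree) can be shown on a toy scale. The following is an added illustration written for this page, not code from the Themis paper or its authors. The four "implementations" are constructed toy models built from two hypothetical policy knobs (whether an RST must match the expected sequence number exactly, and whether a data segment without the ACK flag is delivered); they are not derived from any real TCP stack, and the packet trace, window size and signature are constructed for the demo. The point it makes is that a NIDS tracking a single approximate model misses the attack bytes that at least one plausible endhost would deliver, whereas the forking tracker keeps that branch alive and flags the two packets that caused the ambiguity.

```python
"""Toy ambiguity-aware connection tracker (added illustration, not Themis code).

The four "implementations" below are constructed toy models built from two
hypothetical policy knobs; they are NOT derived from any real TCP stack.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, FrozenSet, List

WINDOW = 65535          # toy receive window (assumed constant)
SIGNATURE = b"/evil"    # constructed detection signature


@dataclass(frozen=True)
class Segment:
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "RST", "PSH"}
    seq: int
    payload: bytes = b""


@dataclass(frozen=True)
class ConnState:
    phase: str = "LISTEN"   # LISTEN -> SYN_RCVD -> ESTABLISHED (or CLOSED on RST)
    rcv_nxt: int = 0
    stream: bytes = b""     # bytes this model would deliver to the application


ModelFn = Callable[[ConnState, Segment], ConnState]


def make_model(accept_ackless_data: bool, rst_needs_exact_seq: bool) -> ModelFn:
    """Build a toy endhost model from two hypothetical policy knobs."""
    def step(st: ConnState, seg: Segment) -> ConnState:
        if st.phase == "CLOSED":
            return st
        if st.phase == "LISTEN":
            return ConnState("SYN_RCVD", seg.seq + 1, b"") if "SYN" in seg.flags else st
        if "RST" in seg.flags:
            exact = seg.seq == st.rcv_nxt
            in_window = 0 <= seg.seq - st.rcv_nxt < WINDOW
            if exact or (in_window and not rst_needs_exact_seq):
                return replace(st, phase="CLOSED")
            return st                      # RST fails this model's acceptance check
        if st.phase == "SYN_RCVD":
            if "ACK" not in seg.flags or seg.seq != st.rcv_nxt:
                return st
            st = replace(st, phase="ESTABLISHED")
        if not seg.payload or ("ACK" not in seg.flags and not accept_ackless_data):
            return st
        offset = st.rcv_nxt - seg.seq      # how much of the payload is already old
        if offset < 0 or offset >= len(seg.payload):
            return st                      # out of order (no reassembly queue) or all old
        fresh = seg.payload[offset:]
        return replace(st, rcv_nxt=st.rcv_nxt + len(fresh), stream=st.stream + fresh)
    return step


MODELS: Dict[str, ModelFn] = {
    "rst_exact/data_ackless": make_model(True, True),
    "rst_exact/data_strict": make_model(False, True),
    "rst_window/data_ackless": make_model(True, False),
    "rst_window/data_strict": make_model(False, False),
}


@dataclass(frozen=True)
class Branch:
    models: FrozenSet[str]   # implementations still consistent with this branch
    state: ConnState


class AmbiguityAwareTracker:
    """NFA over per-implementation connection states; forks on disagreement."""

    def __init__(self, models: Dict[str, ModelFn]) -> None:
        self.models = models
        self.branches: List[Branch] = [Branch(frozenset(models), ConnState())]
        self.ambiguous: List[int] = []   # indices of packets that caused a fork

    def feed(self, idx: int, seg: Segment) -> None:
        successors: List[Branch] = []
        for br in self.branches:
            by_state: Dict[ConnState, List[str]] = {}
            for name in sorted(br.models):          # sorted for deterministic order
                by_state.setdefault(self.models[name](br.state, seg), []).append(name)
            if len(by_state) > 1:                   # implementations disagree: fork
                self.ambiguous.append(idx)
            successors += [Branch(frozenset(n), s) for s, n in by_state.items()]
        self.branches = successors

    def alerts(self, signature: bytes) -> List[FrozenSet[str]]:
        """Model sets whose delivered stream contains the signature."""
        return [br.models for br in self.branches if signature in br.state.stream]


def run_demo() -> dict:
    # Constructed client->server trace: an in-window (not exact) RST, then the
    # attack bytes in an ACK-less segment, then benign bytes at the same seq.
    trace = [
        Segment(frozenset({"SYN"}), 100),
        Segment(frozenset({"ACK"}), 101),
        Segment(frozenset({"RST"}), 150),
        Segment(frozenset({"PSH"}), 101, b"GET /ev"),
        Segment(frozenset({"PSH", "ACK"}), 101, b"GET /ok"),
        Segment(frozenset({"PSH", "ACK"}), 108, b"il HTTP/1.0\r\n\r\n"),
    ]
    full = AmbiguityAwareTracker(MODELS)
    single = AmbiguityAwareTracker({"rst_exact/data_strict": MODELS["rst_exact/data_strict"]})
    for i, seg in enumerate(trace):
        full.feed(i, seg)
        single.feed(i, seg)
    return {
        "ambiguous_packets": full.ambiguous,
        "branches": len(full.branches),
        "alerts": full.alerts(SIGNATURE),
        "single_model_alerts": single.alerts(SIGNATURE),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Branches are keyed by the resulting connection state rather than by model, so models that happen to agree on a packet stay merged and the automaton only grows where behaviour actually diverges; in the trace above the RST and the ACK-less data segment are the two forking points, and only the branch for the model that delivers ACK-less data ends up with the signature in its stream. A production system would also need to prune branches (for example, when an endhost's observable reply rules some implementations out) to keep the state set bounded.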
