Evaluating intrusion prevention systems with evasions

Summary

Intrusion prevention systems have become a common security measure in the past 20 years. Their promise is to prevent known attacks against vulnerable, unpatched devices inside enterprise networks. However, evasion techniques, which let an attacker slip past the intrusion prevention system's inspection, threaten this capability. These techniques exploit the robustness principle, which has guided designers to build systems that try to reconstruct protocol content from whatever input they receive. In this work, we evaluated the effectiveness of 35 well-known evasions against 9 commercial and 1 free, state-of-the-art intrusion prevention systems. We conducted 4 experiments with one million attacks against each device. Each system let a significant share (0.1%-45%) of the attacks pass through unrecognized. Our results show that most existing intrusion prevention systems are vulnerable to evasions.
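The ambiguity the summary attributes to the robustness principle can be made concrete with a small TCP-style reassembler that, instead of silently resolving overlapping segments, records where they disagree. This is an added example, not code from the paper or from any evaluated product; the segment data is constructed for the illustration and the `policy` names are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Segment:
    seq: int        # relative sequence number of the segment's first byte
    data: bytes


@dataclass
class Reassembly:
    stream: bytes                    # contiguous bytes delivered from offset 0
    ambiguous: bool                  # True if overlapping segments disagreed
    conflicts: List[Tuple[int, int, int]] = field(default_factory=list)  # (offset, earlier, later)


def reassemble(segments: List[Segment], policy: str = "first") -> Reassembly:
    """Rebuild a byte stream from segments that may overlap.

    policy="first" keeps the byte that arrived first, policy="last" lets later
    data overwrite it (two overlap policies that real stacks use). Either way,
    a disagreement between overlapping segments is recorded rather than
    silently resolved: that is the check an inspector needs to notice that
    its view of the stream may differ from the receiving host's.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    buf = {}            # stream offset -> byte value
    conflicts = []
    for seg in segments:            # arrival order decides what 'first' means
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if off in buf and buf[off] != b:
                conflicts.append((off, buf[off], b))
                if policy == "last":
                    buf[off] = b
            else:
                buf[off] = b
    n = 0                           # only the contiguous prefix is delivered;
    while n in buf:                 # a hole ends the stream
        n += 1
    stream = bytes(buf[i] for i in range(n))
    return Reassembly(stream, bool(conflicts), conflicts)


# Constructed sample: two segments overlap and carry inconsistent bytes.
SAMPLE = [Segment(0, b"HELLO WORLD"), Segment(6, b"WORMS")]

if __name__ == "__main__":
    for pol in ("first", "last"):
        r = reassemble(SAMPLE, pol)
        print(pol, r.stream, "ambiguous" if r.ambiguous else "consistent", r.conflicts)
```

Run under both policies the same packets yield different streams, which is exactly the gap an inspector and an end host can fall into; flagging `ambiguous` lets the inspector treat such a connection as suspect rather than trusting either reconstruction.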
