Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 10 – Wrapping Up


Future work

Although IDSs have matured and gone through tremendous amount of development throughout the years to this day there are however quite a few limitations that still and will continue to exist. This is because currently there isn’t a way to reliably detect unknown attacks and all the existing products seem to focus on attacks that are already known. It is true that anomaly-based detection can be classed as a method of detecting unknown attacks; it is still unreliable and can be easily defeated. It would make a difference if there’s a way to utilise all these methods of detection to make IDSs smarter and make them able to predict new attacks using the same concept professional hackers use to invent new exploits and methods of attacking the network. The following points highlight important facts researchers should focus on:

  1. Ways to illuminate or reduce false positive/negatives. As they represent vulnerabilities attackers use to evade detection.
  2. Effective ways to improve management of memory, speed, logging, alerts and monitoring as they’re important factors of effective IDSs. Tools such as Sguil help in this matter; however, these tools should be improved as they rely on packages that some of them are no longer maintained and some don’t work with new versions of IDSs.
  3. Because existing attacks or exploits can be modified in certain ways to make new attacks, researchers need to consider the possibility of using methods similar to the rainbow tables used for password hashes to create as many signatures as possible of all of the variations an attack can be modified to. This was explained in chapter 9.

These points should help bring the gaps closer between attackers and defenders because at the moment the time it takes attackers to invent new ways of exploiting systems is a lot lower (from days to hours) than the time it takes researchers to develop ways to defend against these attacks and thus these attacks stay quite a long time being utilized by attackers around the world before they’re discovered and many of them remain secretive between the underground community. Figure 9.1 illustrates.

 

 

Figure 9.1: Time Difference between Attackers and Defenders

In the same way attackers use tools like Metasploit, developers and researchers can use such tools to create new attacks and then create suitable signatures to detect them. The aim here is to turn the time difference illustrated by figure 9.1 a round so it takes attackers longer to find new ways to attack systems than the time it takes developers to develop new solutions.

  1. Also, another area to look at is the possibility of using artificial intelligence and neural networks to make IDSs smarter and be able to predict new attacks and create defenses for these attacks automatically. An area the author is intending to look at as a research project if possible.
  2. According to the author’s opinion if the above points have been fulfilled another challenge that will continue to exist is the evasion techniques discussed especially those that use encryption are very difficult to defend against other than using HIDSs. One solution is to create a code book containing all the encrypted variation of each attack and use this to compare the packet payload to. Although this method would work and could create a new generation IDSs that are a lot better than the IDSs available today, it would create at least two problems:
    1. This method would consume massive amount of processing power, memory and would be a slow process, and that would not be feasible in any network especially in high speed networks.
    2. Due to the above problem many packets would be dropped, and, on some occasions, it would cause DoS to the IDS.
    3. Another issue would be on the legal side as this method would cause sensitive data to be exposed to unauthorised personal.

Considering all these issues this would leave points one to four as the best options.

Please Note: at the time of this dissertation the MITRE ATT&CK Framework was not published and therefore the author believes although this framework is awesome and help tremendously close that gap, we still have a lot of work to do and the above points are still valid.

Conclusion

IDSs are very important components in any network, throughout the years they’ve gone through tremendous improvements that resulted in an increase in their effectiveness and accuracy. Researchers and developers have worked very hard to solve many of the issues that surrounded IDSs; however, some limitations still exist and will continue to do so. This study presented a detailed look at these devices and investigated their components, technologies they use and their shortcomings.

The important domains that any IDS analyst and security professionals in general should be experienced with (IDSs, information security, networking, OS and penetration testing) have also been highlighted. Many IDS analysts lack the necessary knowledge in one or more of these domains, which resulted in many of the basic methods used by attackers and that have already been resolved by developers to continue to work on many IDSs today because of the way they’ve been deployed or configured.

The study’s focus was to investigate the techniques used by attackers to evade detection and to check how well modern IDS such as snort handle such techniques. Within this topic the study also investigated the key areas that make these techniques work and what researchers would need to develop the required components to resolve such issues.

A set of eight main experiments and fifteen experiments in total were performed in order to achieve the objectives set for this study, these were spread over two main scenarios. The experiments were successfully completed, and the limitations and their important factors were identified.

Towards the end recommendations for an IDS model, which will help improve IDS’s effectiveness were presented. Tools such as fragroute or fragrouter have over a dozen different options when these are combined, they provide attackers hundreds of different ways to modify packets in order to evade IDS’s sensors. Also, the use of encryption to conceal malicious payloads presents real problems that will be very difficult to solve without the use of HIDS. This is due to many factors that are unfeasible to implement in organisation networks especially in high speed networks.

The model presented described a way implemented using artificial intelligence and neural networks or fuzzy logics to help resolve these issues.

The following summarises the key objectives achieved by the study:

  1. Proved that well known techniques still work and the importance of having accurate signatures:
    1. Proved the weakness of signature-based methods.
    2. Exploited systems, analysed the captures and created suitable signatures.
    3. Used evasion techniques and evaded detection and then created signatures to detect the attack.
  2. Demonstrated the importance of good monitoring, analysis and penetration testing techniques.
  3. Demonstrated the importance of not having false sense of security regardless of how much of a state of the art the IDSs are.
  4. Illustrated the difficulties that surround the development of control measures to counteract these techniques especially when encryption or encoding is used.
  5. Designed an IDS model to help resolve these issues.

This concludes this series and I hope that you have found it beneficial and hope to see you in the upcoming series.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s