Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 10 – Wrapping Up


Future work

Although IDSs have matured and gone through tremendous amount of development throughout the years to this day there are however quite a few limitations that still and will continue to exist. This is because currently there isn’t a way to reliably detect unknown attacks and all the existing products seem to focus on attacks that are already known. It is true that anomaly-based detection can be classed as a method of detecting unknown attacks; it is still unreliable and can be easily defeated. It would make a difference if there’s a way to utilise all these methods of detection to make IDSs smarter and make them able to predict new attacks using the same concept professional hackers use to invent new exploits and methods of attacking the network. The following points highlight important facts researchers should focus on:

Continue reading Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 10 – Wrapping Up

Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 5 – Tools and Procedures


Welcome back all, this part of the series we will test some of the methods described previously as outlined on the upcoming sections where we will discuss the tools and the procedures followed to attempt such tests and then in the final sections of this series we will discuss the results.

The tools used in this study are all preinstalled into Backtrack operating system with the exception of snort; although snort is also installed in Backtrack a separate installation was used. The tools discussed in this chapter are used throughout the experiments.

Please note that as previously mentioned, this series contained sections from an entire Distinctions Grade MSc. Dissertation that I have attempted as part of my master’s degree years back and I have tried my best to keep it without any modifications as best as I can.

The dissertation is very long and as was described by my supervisor, was a PHD grade level research, therefore I have tried to keep it as short as possible for this blog series without impacting the benefits I am intending to pass forward to the InfoSec community and I hope you all enjoy it.

Snort IDS

According to Richard Bejtlich (2005, pg 149) snort is a network intrusion detection system that can also be used for packet capture and analysis.

Snort NIDS in standby mode

A more detailed description of snort is given by (Brandon Franklin 2006, p.3):

Snort is a freeware IDS developed by Martin Roesch and Brian Caswell. It’s a lightweight, network-based IDS that can be set up on a Linux or Windows host. While the core program uses a Command Line Interface (CLI), graphical user interfaces (GUIs) can also be used. Snort operates as a network sniffer and logs activity that matches predefined signatures. Signatures can be designed for a wide range of traffic, including Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).

Snort consists of two basic parts:

  • Header where the rules “actions” are identified.
  • Options where the rules “alert messages” are identified.

Continue reading Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 5 – Tools and Procedures

Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 4 – Complex Evasion Techniques


Invalid RST Packets

TCP protocol is known as a connection-oriented protocol that ensures the data sent reaches its destination in a correct manner and if there is an error it requests that data to be sent again. One of the mechanisms it uses to ensure reliable communication is the use of checksum values that are added to every transmitted segment. These values are checked by the receiving end and if this value is different to the one expected by the receiver the packet is dropped.

To end a communication session TCP uses an RST packet that it sends to the other party, which terminates the session. Attackers are able to use these features to confuse the IDS because if the attacker sends an RST packet with invalid checksum the IDS sees this packet and thinks that the communication session has ended and so it stops processing it. However on the other side the receiver examines the checksum sees that it’s invalid and so it drops the RST packet, maintains the session and accepts the packets that follows, while the IDS has stopped processing this session because it thinks the session has ended, which makes other packets attackers send after the RST packet that had the invalid checksum go undetected. A way that may detect this is a signature that looks for an RST packet with invalid checksum followed by a PUSH packet.

Continue reading Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 4 – Complex Evasion Techniques

Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 3 – Basic Evasion


IDS Evasion Techniques

Since the introduction of intrusion detection systems they became very popular amongst network administrators because it provided a way to detect if any attacks took place. At them days (1990s) these systems were very simple devises that monitor the network traffic, match it to a database of signatures and if there is a match an alert is produced that informs the administrator of the event
(Bruneau, 2001,
History and Evolution of Intrusion Detection, p. 3). Throughout the years attackers, security professionals, researchers and developers have always played a cat and mouse game. Every time developers, security professionals and researchers find or develop new ways to counteract attacks, attackers seem to develop new ways to attack security devises such as IDSs or even bypass them altogether. This is because of the complexities in capturing, analysing and understanding network traffic (Timm, 2002, IDS Evasion Techniques and Tactics, p. 1). These complexities meant the existence of many techniques that can be used to take advantage of the weaknesses in IDSs. These methods were very simple such as pattern matching, denial of service (DOS) and false positives. However overtime more advanced techniques such as fragmentation, session splicing and polymorphic shell-code techniques began to appear.

As mentioned by (Roberts, 2010)
that stonesoft’s disclosure of a new way to evade IDSs and IPSs (IDPSs) raises some doubts about the effectiveness of many security products already used by many organisations worldwide. However stonesoft’s discovery was not new; anyone has an interest in information security knows that these techniques have been around for a very long time and was first mentioned in 1998 by (Newsham, 1998).

As quoted by (Roberts, 2010):

“Researchers working for Stonesoft have been delving into evasion techniques since 2007 in an effort to improve Stonesoft’s own products, said Matt McKinley, Director of Product Management in the U.S.”

He further quoted:

“”In the process of doing so, we basically discovered that it’s possible to combine multiple evasion techniques together working at different layers (of the IP stack) and they can confound the IPS and become hard to protect,” he said.”

However, I respectfully disagrees with what Mr. Matt McKinley had said; this is because these techniques as will be discussed in the following sections have been around for a very long time and all are based on the techniques mentioned in
(Newsham, 1998)
paper.

In this section the author presents an overview of some of these techniques by dividing them into two categories Basic techniques and Complex techniques.

Continue reading Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 3 – Basic Evasion

Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 1


Introduction

Computers have advanced to become part of our daily life, everywhere you go there is a computer network that’s been installed to perform a certain number of jobs; and the effectiveness of organisation’s business performance has become greatly dependent on the availability, reliability and security of these networks and the systems connected to it. This has resulted to the unfortunate fact that many systems connected to the internet is a target of a range of attacks especially organisations with hundreds of hosts, services and sensitive data. It is also equally true for small offices and isolated home users with no data to protect. This is because criminals would benefit greatly from the data they steal from big organisations; and in the case of small offices and home users, criminals would benefit from them by using them as a stepping stone so they can launch their attack without being caught.

From the beginning of 2003, the (SANS Internet Storm Centre ISC 2003) started to monitor the average survival time of un-patched machines and found that the time it takes to download patches is greater than the time to install the software. This means that before a system is fully patched attacks have already spread across the network at incredible speed. In many cases the speed of these attacks and the speed they spread across the network exceed the possibility of human intervention. Therefore the development of the components (hardware and software) that detects these attacks becomes extremely important.

As it has been mentioned by (Bruneau 2001); the rule-based method developed by Dorothy Dinning and Peter Neumann between 1984 and 1986 was used by the first IDS system. This work was influenced by a report published by James P Anderson in 1980 titled “How to use accounting audit files to detect unauthorised access”. This model was improved to create what is recognised today as the Next-Generation Intrusion Detection Expert System (Bruneau 2001, p.3).

Continue reading Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 1