Performance Attacks on Intrusion Detection Systems

    Performance Attacks on Intrusion Detection Systems - Presentation Transcript

    1. Performance Attacks on Intrusion Detection Systems
       Davide Eynard, eynard@elet.polimi.it
       Dipartimento di Elettronica e Informazione, Politecnico di Milano
       2007/12/06

    2. Intro
       - Intrusion Detection Systems
       - Open problems and vulnerabilities
       - The queueing model
       - Algorithmic complexity attacks
       - Tests and evaluations
       - Conclusions

    3. Intrusion Detection Systems
       - As the Internet grows, the number of vulnerabilities, attacks and attackers increases: what kind of protection can we use for our systems?
       - IDS are used to detect unauthorized access attempts against computers or local networks
       - They work like the burglar alarm in an apartment:
         • they do not prevent attackers from breaking into the system...
         • but they let administrators know when an attack is taking place

    4. Intrusion Detection Systems (figure only)

    5. IDS Performance
       - Measures:
         • coverage
         • probability of false alarms
         • probability of detection
         • resistance to attacks directed at the IDS
         • ability to handle high-bandwidth traffic
         • ability to correlate events
         • ability to detect new attacks
         • ability to identify an attack
         • ...
       - Traffic generation:
         • background
         • attacks

    6. IDS Vulnerabilities
       - Insertion
         • the IDS accepts packets that the end system rejects
       - Evasion
         • the IDS rejects packets that the end system accepts
       - Denial of Service
         • compromises the availability of the IDS, either by consuming its resources or by targeting bugs in its software
         • fail-closed systems (traffic stops when the IDS is overwhelmed) vs fail-open systems (traffic keeps flowing, unmonitored)
    7. Model (figure: a single queue of size K fed by incoming packets at rate λ)
       Queue size: K = L + 1
       Service time: S = 1/μ
       Incoming packet rate: λ pkt/sec, of which λa are accepted and λr rejected
       Throughput: X

    8. Model: Markov chain (figure only)

    9. Model behavior: drop probability as a function of λ/μ, plotted for four different queue sizes (figure)

    10. Model behavior: P(K) plotted against packet frequency and service time (figure)

    11. Model behavior: drop probability as a function of S, for different values of λ (figure)

    12. What if I only have a 56 Kbps link?
        - Gigabit Ethernet: ~1.6 Mpps (frame size: 78 B)
        - 100 Mb Ethernet: ~148 Kpps (frame size: 84 B)
        - 10 Mb Ethernet: ~14.8 Kpps
        - 2 Mb ADSL: ~3 Kpps
        - 56 Kbps modem: ~80 pps
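The following Python is an added example, not code from the slides. It evaluates the model numerically under the assumption that the slides' queue is the standard M/M/1/K birth-death chain (Poisson arrivals at rate λ, exponential service with mean S = 1/μ, K = L + 1 places in the system), whose closed-form drop probability is P(K) = (1 - ρ)ρ^K / (1 - ρ^(K+1)) with ρ = λS. The link packet rates are those of slide 12; the two service times tried in the usage section (~100 μs normal, ~1.5 s under a backtracking attack) are the ones reported on the results slide. All function names are the example's own.

```python
"""Numeric evaluation of an M/M/1/K IDS queue (added example, assumed model).

K packets fit in the system in total (L buffered + 1 in service); packets
arrive at `lam` pkt/s and each takes `service_time` seconds to process.
A packet arriving when the system already holds K packets is dropped.
"""

# Worst-case packet rates per link type, taken from slide 12.
LINK_RATES_PPS = {
    "gigabit ethernet": 1_600_000,
    "100 Mb ethernet": 148_000,
    "10 Mb ethernet": 14_800,
    "2 Mb ADSL": 3_000,
    "56 kbps modem": 80,
}


def drop_probability(lam, service_time, k):
    """P(K): probability an arriving packet finds the system full.

    rho = lam * service_time = lambda / mu is the offered load.
    """
    rho = float(lam) * float(service_time)
    if abs(rho - 1.0) < 1e-12:
        return 1.0 / (k + 1)            # limit of the formula at rho == 1
    if rho < 1.0:
        return (1.0 - rho) * rho ** k / (1.0 - rho ** (k + 1))
    # rho > 1: the same expression with numerator and denominator divided
    # by rho**(k+1), so that rho**k can never overflow a float.
    return (rho - 1.0) / (rho - rho ** (-k))


def accepted_rate(lam, service_time, k):
    """lambda_a = lambda * (1 - P(K)): the rate that actually gets inspected."""
    return lam * (1.0 - drop_probability(lam, service_time, k))


def service_time_for_drop(lam, k, target, hi=10.0):
    """Smallest service time (seconds) at which P(K) reaches `target`.

    P(K) is monotonically increasing in the service time, so a plain
    bisection over [0, hi] finds the threshold.
    """
    lo = 0.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if drop_probability(lam, mid, k) >= target:
            hi = mid
        else:
            lo = mid
    return hi


def drop_table(service_time, k):
    """P(K) for every link type of slide 12 at a given service time."""
    return {name: drop_probability(pps, service_time, k)
            for name, pps in LINK_RATES_PPS.items()}


if __name__ == "__main__":
    # Service times from the results slide: ~100 us normally, ~1.5 s under
    # a backtracking attack.  A queue of 1000 packets is an assumed size.
    for label, s in (("normal, S = 100 us", 100e-6),
                     ("backtracking attack, S = 1.5 s", 1.5)):
        print(label)
        for name, p in drop_table(s, k=1000).items():
            print(f"  {name:18s} drop probability = {p:.4f}")
    # Service time at which a 56 kbps link (80 pps) already loses half its packets
    print("S for 50% drop at 80 pps:", round(service_time_for_drop(80, 1000, 0.5), 4), "s")
```

Because only the product λ·S enters the formula, halving the packet rate and doubling the service time give the same drop probability, which is the interchangeability the conclusions slide refers to. For ρ > 1 and a large K the expression tends to 1 - 1/ρ, so an IDS that needs 1.5 s per packet on an 80 pps modem link drops about 119 of every 120 packets no matter how large its buffer is.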
    13. Algorithmic complexity attacks
        - S. Crosby, D. Wallach: "Denial of Service via Algorithmic Complexity Attacks", 2003
        - They exploit algorithmic deficiencies in the data structures of many common applications
          • e.g. both hash tables and binary trees can degenerate into linked lists on carefully chosen input
        - One particular case: backtracking algorithmic complexity attacks

    14. Backtracking attacks: a vulnerable rule (figure only)

    15. Backtracking attacks
        - every triple (x, y, z) contains:
          • x: the match name
          • y: where the parsing started
          • z: where the next parsing will start

    16. Backtracking attacks: IDS behavior (left: normal, right: under attack) (figure only)

    17. Tests and evaluations
        - Backtracking attacks seem a good way to create high service times
        - The plan:
          • install Snort on a test machine
          • generate background traffic on the network
          • attack Snort with backtracking attacks
          • observe and measure its behavior
        - Test machine:
          • 2.4 GHz Athlon, 1 GB RAM, Linux kernel 2.6.22.14
          • Snort 2.4.3 and 2.8.0
        - Attacker machine:
          • 1.86 GHz Pentium M, 1 GB RAM, Linux kernel 2.6.22.14
          • blabla tool to replay the DARPA 1999 dataset
          • a Perl script to generate attack packets
    18. Test attack (the vulnerable rule, Snort sid 3682):

        alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP spoofed MIME-Type auto-execution attempt"; flow:to_server,established; content:"Content-Type|3A|"; nocase; content:"audio/"; nocase; pcre:"/Content-Type\x3A\s+audio\/(x-wav|mpeg|x-midi)/i"; content:"filename="; distance:0; nocase; pcre:"/filename=[\x22\x27]?.{1,221}\.(vbs|exe|scr|pif|bat)/i"; reference:bugtraq,2524; reference:cve,2001-0154; classtype:attempted-admin; sid:3682; rev:2;)

    19. Test attack, match example:

        Content-Type: audio/x-wav; filename="virus.scr"

    20. Test attack, attack example:

        ...
        Content-Type: audio/x-wav; filename=filename=filename=filename=
        Content-Type: audio/x-wav; filename=filename=filename=filename=
        ...
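The following Python is an added example, neither code from the slides nor Snort's own engine. It is a toy option-chain matcher that keeps only the behaviour slides 14-16 rely on: each content option is tried at every occurrence in the payload, and when a later option fails the engine backs up and retries the previous content at its next occurrence. Assumed, simplified semantics: a content without distance/within is searched from offset 0; "filename=" carries distance:0 and is searched from the end of the previous match; a pcre without the R flag is searched from offset 0 and, on success, moves the cursor to the end of its match. The counter of PCRE evaluations is the example's own measure of the work done; the two payloads are constructed from slides 19 and 20.

```python
"""Toy model of backtracking rule-option evaluation (added example).

Runs the sid 3682 option chain of slide 18 over a normal payload and over
the repeated-header attack payload of slide 20, counting how many times the
PCRE options are evaluated before the rule gives up.
"""
import re

# Rule options in slide 18 order: (kind, needle-or-regex, relative-to-cursor).
# "filename=" has distance:0, so it is relative; everything else is absolute.
SID_3682 = [
    ("content", "Content-Type:", False),
    ("content", "audio/", False),
    ("pcre", re.compile(r"Content-Type\x3A\s+audio/(x-wav|mpeg|x-midi)", re.I), False),
    ("content", "filename=", True),
    ("pcre", re.compile(r"filename=[\x22\x27]?.{1,221}\.(vbs|exe|scr|pif|bat)", re.I), False),
]


class Stats:
    """Work counters for one rule evaluation."""
    def __init__(self):
        self.pcre_evals = 0       # how many times a pcre option was run
        self.content_probes = 0   # how many content occurrences were tried
        self.matched = False


def occurrences(payload, needle, start):
    """Every offset at or after `start` where `needle` occurs (nocase)."""
    hay, n = payload.lower(), needle.lower()
    i = hay.find(n, start)
    while i != -1:
        yield i
        i = hay.find(n, i + 1)


def _eval(payload, options, idx, cursor, stats):
    if idx == len(options):
        return True                           # every option matched
    kind, arg, relative = options[idx]
    start = cursor if relative else 0
    if kind == "content":
        for pos in occurrences(payload, arg, start):
            stats.content_probes += 1
            if _eval(payload, options, idx + 1, pos + len(arg), stats):
                return True
        return False                          # all occurrences failed: backtrack
    stats.pcre_evals += 1
    m = arg.search(payload, start)
    if m is None:
        return False
    return _eval(payload, options, idx + 1, m.end(), stats)


def evaluate(payload, options=SID_3682):
    """Run the option chain over `payload`; returns a Stats object."""
    stats = Stats()
    stats.matched = _eval(payload, options, 0, 0, stats)
    return stats


# Constructed payloads.  NORMAL is the match example of slide 19.
NORMAL = 'Content-Type: audio/x-wav; filename="virus.scr"\r\n'


def attack_payload(lines):
    """Slide 20's attack body: `lines` repeated headers with no file
    extension, so the final pcre never matches and every combination of
    content occurrences is tried before the rule fails."""
    return "Content-Type: audio/x-wav; filename=filename=filename=filename=\r\n" * lines


if __name__ == "__main__":
    s = evaluate(NORMAL)
    print(f"normal payload : matched={s.matched} pcre_evals={s.pcre_evals}")
    for n in (1, 4, 8):
        s = evaluate(attack_payload(n))
        print(f"attack x{n:<2d}     : matched={s.matched} pcre_evals={s.pcre_evals} "
              f"content_probes={s.content_probes}")
```

With this model the normal message costs two PCRE evaluations, while an attack body of n repeated lines costs n × n × (1 + 4n) of them: 272 for four lines and 2112 for eight, none of which can ever succeed. The work grows cubically in the size of a payload the attacker fully controls, which is the mechanism behind the 1.5 s service time measured against Snort 2.4.3 in the results slide.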
    21. Results
        - Snort 2.8.0 is not affected by the attacks
        - Snort 2.4.3 experiences serious slowdowns:
          • normal service time: ~100 μs
          • ordinary (non-backtracking) attack: 500~1000 μs
          • backtracking attack: ~1,500,000 μs (1.5 s)
        - With such a service time, just a few packets are enough to fill the queue and make the IDS drop packets => other attacks go undetected!
        - Results comparable with the paper's: real behavior seems worse than the model predicts

    22. Conclusions
        - The incoming packet rate and the service time are interchangeable (the model depends only on their product λ·S)
        - The model is useful not just to plan attacks:
          • it explains why backtracking attacks work
          • it allows studying an IDS as a black box
        - Limits:
          • the tests suffer from the classical problems of IDS evaluations
          • bursts are not taken into account
        - Possible future work:
          • take bursts into account
          • a multiclass model

    23. That's All, Folks! Thank you! Questions are welcome

    A presentation of my minor research project at Poli