Performance Attacks on Intrusion Detection Systems

Information about Performance Attacks on Intrusion Detection Systems

Published on January 31, 2008

Author: mala

Source: slideshare.net

Description

A presentation of my minor research project at Politecnico di Milano, Dec 2007. It uses a finite queue model to describe IDS performance when subject to a performance attack and shows a practical example with a backtracking algorithmic complexity attack.

Performance Attacks on Intrusion Detection Systems
Davide Eynard, eynard@elet.polimi.it
Dipartimento di Elettronica e Informazione, Politecnico di Milano
2007/12/06

Intro
• Intrusion Detection Systems
• Open problems and vulnerabilities
• The queueing model
• Algorithmic complexity attacks
• Tests and evaluations
• Conclusions
p. 2 2007/12/06 Performance Attacks on IDS

Intrusion Detection Systems
• As the Internet grows, the number of
  - vulnerabilities
  - attacks
  - attackers!
  increases: what kind of protections can we use for our systems?
• IDS are used to detect unauthorized access attempts to computers or local networks
• They work like alarms in apartments:
  - they do not prevent attackers from breaking into the system...
  - but they let administrators know when an attack is taking place

Intrusion Detection Systems
(figure only)

IDS Performance
• Measures:
  - coverage
  - probability of false alarms
  - probability of detection
  - resistance to attacks directed at the IDS
  - ability to handle high bandwidth traffic
  - ability to correlate events
  - ability to detect new attacks
  - ability to identify an attack
  - ...
• Traffic generation:
  - background
  - attacks

IDS Vulnerabilities
• Insertion
  - an IDS accepts packets that an end system rejects
• Evasion
  - an IDS rejects packets accepted by the end system
• Denial of Service
  - compromises the availability of the IDS, either by consuming its resources or by targeting bugs in its software
  - fail-closed vs fail-open systems

Model
(figure: a finite queue with L buffer slots, K = L + 1; arrivals λ split into λa accepted and λr rejected; throughput X; service time S = 1/μ)
• Queue size: K
• Service time: S
• Incoming packet rate: λ pkt/sec
• Throughput: X
• λa accepted, λr rejected

Model
• Markov Chain: (figure only)

Model behavior
• Drop probability as a function of λ/μ, plotted with four different queue sizes (figure)

Model behavior
(figure: P(K) plotted against packet frequency and service time)

Model behavior
• Drop probability as a function of S, seen for different values of λ (figure)

What if I have a 56Kbps?
• Gigabit Ethernet: ~1.6 Mpps (frame size: 78B)
• 100MB Ethernet: ~148 Kpps (frame size: 84B)
• 10MB Ethernet: ~14.8 Kpps
• 2MB ADSL: ~3 Kpps
• 56Kbps modem: ~80 pps

Algorithmic complexity attacks
• S. Crosby, D. Wallach: "Denial of Service via Algorithmic Complexity Attacks", 2003
• They exploit algorithmic deficiencies in the data structures of many common applications
  - e.g. both hash tables and binary trees can degenerate into linked lists with carefully chosen input
• One particular case: backtracking algorithmic complexity attacks

Backtracking attacks
• A vulnerable rule: (figure only)

Backtracking attacks
• every triple (x, y, z) contains:
  - x: the match name
  - y: where the parsing started
  - z: where the next parsing will start

Backtracking attacks
• IDS behavior (left: normal, right: under attack) (figure)

Tests and evaluations
• Backtracking attacks seem a good way to create high service times
• The plan:
  - install Snort on a test machine
  - generate background traffic on the network
  - attack Snort with backtracking attacks
  - see/measure its behavior
• Test machine
  - 2.4GHz Athlon, 1GB RAM, Linux kernel 2.6.22.14
  - Snort 2.4.3 and 2.8.0
• Attacker machine
  - 1.86GHz Pentium M, 1GB RAM, Linux kernel 2.6.22.14
  - blabla tool to replay the DARPA 1999 dataset
  - a perl script to generate attack packets

Test attack

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP spoofed MIME-Type auto-execution attempt";
    flow:to_server,established;
    content:"Content-Type|3A|"; nocase; content:"audio/"; nocase;
    pcre:"/Content-Type\x3A\s+audio\/(x-wav|mpeg|x-midi)/i";
    content:"filename="; distance:0; nocase;
    pcre:"/filename=[\x22\x27]?.{1,221}\.(vbs|exe|scr|pif|bat)/i";
    reference:bugtraq,2524; reference:cve,2001-0154;
    classtype:attempted-admin; sid:3682; rev:2;)

Match example:
    Content-Type: audio/x-wav; filename="virus.scr"

Attack example:
    ...
    Content-Type: audio/x-wav; filename=filename=filename=filename=
    Content-Type: audio/x-wav; filename=filename=filename=filename=
    ...

Results
• Snort 2.8.0 is not affected by the attacks
• Snort 2.4.3 experiences serious slowdowns
  - normal service time: ~100μsec
  - normal attack: 500~1000μsec
  - backtracking attack: 1500000μsec
• With such a service time, just a few packets are enough to fill up the queue and make the IDS drop packets => other attacks go undetected!
• Results comparable with the paper: real behavior seems worse than in the model
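The finite-queue model of the Model slides, worked through with the service times measured above, as an added example (this is not the presentation's code). It assumes the slides' model is the standard M/M/1/K queue, whose drop probability P(K) depends only on ρ = λ·S = λ/μ; the queue size K = 10 and the 1% drop threshold are assumed values, while the service times and link rates are the slides' own.

```python
# Added example, not from the presentation: the finite-queue (M/M/1/K) model
# the slides use, evaluated with the Snort 2.4.3 service times of the results
# slide and the link rates of slide 12. Queue size K = 10 is an assumed value.

def drop_probability(lam: float, service_time: float, queue_size: int) -> float:
    """P(K): probability that an arriving packet finds the K-slot queue full.
    lam = incoming rate (pkt/s), service_time = S = 1/mu, queue_size = K = L+1.
    Only rho = lam * S matters: rate and service time are interchangeable."""
    if lam < 0 or service_time <= 0 or queue_size < 1:
        raise ValueError("need lam >= 0, service_time > 0, queue_size >= 1")
    rho = lam * service_time
    if abs(rho - 1.0) < 1e-12:        # limit case, avoids 0/0
        return 1.0 / (queue_size + 1)
    return (1.0 - rho) * rho ** queue_size / (1.0 - rho ** (queue_size + 1))


def throughput(lam: float, service_time: float, queue_size: int) -> float:
    """X: packets per second the IDS actually inspects (accepted rate)."""
    return lam * (1.0 - drop_probability(lam, service_time, queue_size))


def rate_for_drop(service_time: float, queue_size: int, target: float) -> float:
    """Smallest lam at which P(K) reaches `target`; P(K) is monotonic in lam."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    lo, hi = 0.0, 2.0 / service_time
    while drop_probability(hi, service_time, queue_size) < target:
        hi *= 2.0
    for _ in range(100):              # bisection on lam
        mid = (lo + hi) / 2.0
        if drop_probability(mid, service_time, queue_size) < target:
            lo = mid
        else:
            hi = mid
    return hi


NORMAL_S, ATTACK_S = 100e-6, 1.5      # seconds per packet (results slide)
ADSL_PPS, MODEM_PPS = 3000.0, 80.0    # 2MB ADSL vs 56Kbps modem (slide 12)
K = 10                                # assumed queue size

if __name__ == "__main__":
    for label, lam, s in (("normal traffic on ADSL", ADSL_PPS, NORMAL_S),
                          ("backtracking attack over a modem", MODEM_PPS, ATTACK_S)):
        print(f"{label}: rho={lam * s:.3f} P(K)={drop_probability(lam, s, K):.4f} "
              f"X={throughput(lam, s, K):.2f} pkt/s")
    print(f"1% drop under attack already at {rate_for_drop(ATTACK_S, K, 0.01):.2f} pkt/s")
```

With the 1.5 s service time the queue saturates below one packet per second, so even a modem-speed sender (80 pps) pushes ρ to 120 and the accepted rate X collapses to about 1/S, which is the "few packets fill up the queue" effect of the results slide.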

Conclusions
• The incoming packet rate and the service time are interchangeable
• The model is useful not just to plan attacks
  - it explains why backtracking attacks work
  - it allows an IDS to be studied as a black box
• Limits
  - the test suffers from the classical problems of IDS evaluations
  - bursts not taken into account
• Possible future work
  - take bursts into account
  - multiclass model

That's All, Folks
Thank you! Questions are welcome
