Advanced Evasion Techniques

Definition
  - Set of tools and techniques used to bypass an information security device

Polymorphic blending attacks
  Steps
    1. Learning the normal profile
    2. Encrypting the attack body
       - The encrypted body must satisfy the normal profile
    3. Generating a polymorphic decryptor
       - NP-complete task
    4. Padding, if needed

State of the art
  - Avoid the analysis
    - Encryption and tunneling: SSL, VPN
  - Make the analysis more difficult
    - Obfuscation (common in Android)
    - Resource exhaustion: timing attacks, overstimulation
  - Camouflage & confusion
    - Mimicry: whitelisted DLLs
    - Traffic fragmentation & protocol-level misinterpretation
      - Beware of semantic differences between the security device and the endpoint!

Preprocess evasion techniques
  Fragmentation and reordering
    - Fragments may arrive out of order
    - Fragment offset and length determine the portion of the original datagram covered by each fragment
    - What to do with overlapping fragments?
      - Replace the previous fragments with the newer ones
      - Keep the previous fragments and discard the newer ones
      - A NIDS may behave differently from the endpoint!
  TCP protocol
    - Malformed TCP header. Packet rejection if:
      - Erroneous code bits
      - ACK flag unset
      - Data in SYN packets
      - Bad checksum
    - Session establishment
      - Require the three-way handshake (3WH)?
        - If so, vulnerable to SYN flood
        - If not, vulnerable to desynchronization
    - Datagram retransmission and reassembly
      - If a datagram is lost, the endpoint may ask for retransmission, but the NIDS cannot.
  Some proposed (and adopted) solutions
    - Traffic normalizers
    - Active mapping
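The overlapping-fragment ambiguity above, as an added example that is not part of the mind map: a small reassembly simulator applies the two policies listed (keep the earlier data, or let the newer fragment overwrite) to the same constructed fragments, shows that a sensor and an endpoint using different policies see different datagrams, and includes the overlap check a traffic normalizer would use to flag such fragments before they reach the endpoint. Offsets are plain byte offsets (real IPv4 counts in 8-byte units) and the fragment list is in arrival order.

```python
"""Reassembly-policy simulator (added example; not from the original page)."""
from typing import Dict, List, Set, Tuple

Fragment = Tuple[int, bytes]  # (byte offset, payload)

# Constructed sample, in arrival order: the second fragment arrives out of
# order and the third overlaps it completely at offset 5.
ARRIVALS: List[Fragment] = [
    (5, b"page1.html"),
    (0, b"GET /"),
    (5, b"page2.html"),   # overlapping retransmission with different data
]


def reassemble(frags: List[Fragment], policy: str) -> bytes:
    """'first': keep bytes already seen; 'last': the newer fragment overwrites."""
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    buf: Dict[int, int] = {}
    for off, data in frags:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "last" or pos not in buf:
                buf[pos] = byte
    if not buf:
        return b""
    length = max(buf) + 1
    if len(buf) != length:          # a hole means the datagram is incomplete
        raise ValueError("incomplete datagram")
    return bytes(buf[p] for p in range(length))


def overlapping(frags: List[Fragment]) -> bool:
    """Normalizer check: True if any two fragments cover the same byte."""
    covered: Set[int] = set()
    for off, data in frags:
        span = set(range(off, off + len(data)))
        if covered & span:
            return True
        covered |= span
    return False


def compare_views(frags: List[Fragment]) -> Tuple[bytes, bytes, bool]:
    """(first-policy view, last-policy view, whether the two disagree)."""
    first, last = reassemble(frags, "first"), reassemble(frags, "last")
    return first, last, first != last


if __name__ == "__main__":
    print(compare_views(ARRIVALS), "overlap flagged:", overlapping(ARRIVALS))
```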