Advanced Evasion Techniques
Set of tools and techniques used to bypass an information security device
Polymorphic blending attacks
Learning normal profile
Encrypting the attack body
Encrypted body must satisfy the learned normal profile
Padding, if needed
State of the art
Avoid the analysis
Encryption and tunneling: SSL, VPN
Make the analysis be more difficult
Obfuscation (common in Android)
Resource exhaustion: Timing attacks,
Camouflage & Confusion
Mimicry: Whitelisted DLLs,
Traffic fragmentation & protocol-level
Beware of semantic differences between the security device and the endpoint!
Fragmentation and reordering
Fragments may arrive out of order
Fragment offset and length determine the portion of the original datagram covered by each fragment
What to do with overlapping fragments?
Replace the previous fragments with the newer ones
Keep the previous fragments and discard the newer ones
The NIDS may behave differently from the endpoint!
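The overlap ambiguity above, as an added example that is not part of the original slides: a toy fragment reassembler that applies both overlap policies to the same fragments and flags the datagram when they disagree, which is the condition under which an inspector and an endpoint can reconstruct different data. Fragment offsets are in bytes and IP flags are omitted; the sample fragments are constructed.

```python
# Added example (not from the original slides): a toy IP-fragment reassembler that
# applies two overlap policies to the same fragments and flags the datagram when
# the policies disagree, i.e. when a NIDS and an endpoint could see different data.
# Fragments are constructed (offset, payload) tuples in byte units; real IP offsets
# are in 8-byte units and carry MF/DF flags, which are omitted here for brevity.

def reassemble(fragments, policy):
    """Reassemble (offset, data) fragments, taken in arrival order.

    policy="favor_old": the first byte written at a position wins.
    policy="favor_new": a later fragment overwrites earlier bytes.
    Returns (payload, complete); positions never covered stay zero and
    complete is False when any byte in the range was never written.
    """
    if policy not in ("favor_old", "favor_new"):
        raise ValueError("unknown overlap policy: %r" % policy)
    total = max(off + len(data) for off, data in fragments)
    buf = bytearray(total)
    covered = bytearray(total)        # 1 once a position has been written
    for off, data in fragments:       # arrival order; offsets may be out of order
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "favor_new" or not covered[pos]:
                buf[pos] = byte
            covered[pos] = 1
    return bytes(buf), all(covered)

def check_overlap_ambiguity(fragments):
    """Reassemble under both policies; 'ambiguous' means an inspector and an
    endpoint using different policies would reconstruct different payloads."""
    old, complete = reassemble(fragments, "favor_old")
    new, _ = reassemble(fragments, "favor_new")
    return {"favor_old": old, "favor_new": new,
            "complete": complete, "ambiguous": old != new}

# Constructed samples: overlapping bytes 4..7 vs. out-of-order but clean arrival.
SAMPLE_OVERLAP = [(0, b"ABCDEFGH"), (4, b"wxyz")]
SAMPLE_OUT_OF_ORDER = [(4, b"EFGH"), (0, b"ABCD")]

if __name__ == "__main__":
    for name, frags in (("overlap", SAMPLE_OVERLAP), ("reordered", SAMPLE_OUT_OF_ORDER)):
        print(name, check_overlap_ambiguity(frags))
```

A detection engine that cannot know the endpoint's policy can at least alert on datagrams where the two reconstructions differ, since legitimate traffic rarely produces conflicting overlaps.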
Malformed TCP header. Packet rejection if:
ACK flag unset
Data in SYN packets
Require the three-way handshake (3WH)?
If so, vulnerable to SYN flood
If not, vulnerable to desynchronization
Datagram retransmission and reassembly
If a datagram is lost, the endpoint may ask for retransmission, but the NIDS cannot.
Some proposed (and adopted) solutions