The effectiveness of evasion techniques against intrusion prevention systems

Evaasioita ja evaasiokombinaatiota käytetään naamioimaan hyökkäyksiä, jotta tietoturvalaitteet eivät havaitsisi niitä. Diplomityössä tutkitaan näiden tekniikoiden tehokkuutta uusimpia tunkeutumisenestojärjestelmiä vastaan. Yhteensä 11 tunkeutumisenestojärjestelmää tutkittiin, joista 10 on kaupallista ja yksi ilmainen. Tutkimuksessa suoritettiin neljä koetta. Jokainen koe sisälsi miljoona hyökkäystä, jotka suoritettiin jokaista tunkeutumisenestojärjestelmää vastaan satunnaisin evaasioin ja evaasiokombinaatioin. Käytetty hyökkäys pysyi samana yksittäisen kokeen aikana, mutta jokainen hyökkäys oli naamioitu eri evaasiotekniikoin. Yhtenäistettyjä konfiguraatioita käytettiin, jotta saataisiin vertailukelpoisia tuloksia. Tulokset osoittavat, että evaasiotekniikat ovat toimivia suurinta osaa testattuja tunkeutumisenestojärjestelmiä vastaan. Vaikka osa evaasiotekniikoista on peräisin 1990-luvulta, ne voidaan saada hienosäädettyä huijaamaan suurinta osaa testatuista laitteista. Yksi evaasiotekniikka ei ole aina riittävä, jotta voitaisiin välttää hyökkäyksen havainnointi. Monen eri tekniikan yhdistäminen lisää kuitenkin todennäköisyyttä löytää tapa kiertää havainnointi.Evasions and evasion combinations are used to masquerade attacks in order to avoid detection by security appliances. This thesis evaluates the effectiveness of these techniques against the state of the art intrusion prevention systems. In total, 11 intrusion prevention systems were studied, 10 commercial and 1 free solution. Four experiments were conducted in this study. Each of the experiments contained a million attacks that were performed with randomized evasions and evasion combinations against each intrusion prevention system. The used attack stayed the same during a single experiment, but each attack was disguised with different evasion techniques. Standardized configurations were used in order to produce comparable results. The results indicate that evasion techniques are effective against the majority of tested intrusion prevention systems. Even though some of the techniques are from the 1990s, they can be fine-tuned to fool most of the tested appliances. One evasion technique is not always enough to avoid detection, but combining multiple techniques increases the possibility to find a way to evade detection

Intrusion Prevention through Optimal Stopping

We study automated intrusion prevention using reinforcement learning. Following a novel approach, we formulate the problem of intrusion prevention as an (optimal) multiple stopping problem. This formulation gives us insight into the structure of optimal policies, which we show to have threshold properties. For most practical cases, it is not feasible to obtain an optimal defender policy using dynamic programming. We therefore develop a reinforcement learning approach to approximate an optimal threshold policy. We introduce T-SPSA, an efficient reinforcement learning algorithm that learns threshold policies through stochastic approximation. We show that T-SPSA outperforms state-of-the-art algorithms for our use case. Our overall method for learning and validating policies includes two systems: a simulation system where defender policies are incrementally learned and an emulation system where statistics are produced that drive simulation runs and where learned policies are evaluated. We show that this approach can produce effective defender policies for a practical IT infrastructure.Comment: Preprint; Submitted to IEEE for review. major revision 1/4 2022. arXiv admin note: substantial text overlap with arXiv:2106.0716

A Temporal Logic Based Approach to Multi-Agent Intrusion Detection and Prevention

Collaborative systems research in the last decade have led to the development in several areas ranging from social computing, e-learning systems to management of complex computer networks. Intrusion Detection Systems (IDS) available today have a number of problems that limit their configurability, scalability or efficiency. An important shortcoming is that the existing architectures is built around a single entity that does most of the data collection and analysis. This work introduces a new architecture for intrusion detection and prevention based on multiple autonomous agents working collectively. We adopt a temporal logic approach to signature-based intrusion detection. We specify intrusion patterns as formulas in a monitorable logic called EAGLE. We also incorporate logics of knowledge into the agents. We implement a prototype tool, called MIDTL and use this tool to detect a variety of security attacks in large log-files provided by DARPA

ANALISA DAN KONFIGURASI NETWORK INTRUSION PREVENTION SYSTEM (NIPS) PADA LINUX UBUNTU 10.04 LTS

Snort merupakan salah satu sistem pendeteksi penyusupan (Intrusion Detection System/IDS) yang open source dan banyak digunakan oleh administrator jaringan sebagai sistem untuk memonitor jaringan serta sebagai pendeteksi adanya serangan penyusupan pada pada jaringan. Fungsi Snort sebagai sistem pendeteksi penyusupan dapat dikembangkan menjadi sebuah sistem pencegah penyusupan (Intrusion Prevention System/IPS) dengan bantuan firewall (IPTables) dan Snortsam. Snortsam merupakan sebuah plugin yang membuat rule Snort mampu memerintahkan firewall (IPTables) untuk mem-block paket data yang dideteksi sebagai penyusupan oleh Snort. Snort mengidentifikasi paket data tersebut sebagai sebuah penyusupan karena pola paket data tersebut sama dengan pola rule Snort yang mendefinisikan sebagai sebuah penyusupan. Log dari pendeteksian penyusupan tersebut disimpan sebagai alert. Dalam tugas akhir ini, penulis akan mengkonfigurasi sistem pencegah penyusupan (Intrusion Prevention System/IPS) dengan menggabungkan Snort, Snortsam dan firewall (IPTables) pada sistem operasi Ubuntu. Alasan pemilihan Ubuntu sebagai sistem operasi pada konfigurasi sistem pencegah penyusupan ini karena Ubuntu merupakan sistem operasi Linux yang mudah digunakan dan dikembangkan sesuai dari keinginan penggunanya. Kata Kunci: firewall (IPTables), Intrusion Detection System, Intrusion Prevention System, Linux, Snort, Snortsam, Snort Rule, Ubuntu

Intelligent intrusion detection systems using artificial neural networks

This paper presents a novel approach to detection of malicious network traffic using artificial neural networks suitable for use in deep packet inspection based intrusion detection systems. Experimental results using a range of typical benign network traffic data (images, dynamic link library files, and a selection of other miscellaneous files such as logs, music files, and word processing documents) and malicious shell code files sourced from the online exploit and vulnerability repository exploitdb \cite{exploitdb}, have show that the proposed artificial neural network architecture is able to distinguish between benign and malicious network traffic accurately. The proposed artificial neural network architecture obtains an average accuracy of 98\%, an average area under the receiver operator characteristic curve of 0.98, and an average false positive rate of less than 2% in repeated 10-fold cross-validation. This shows that the proposed classification technique is robust, accurate, and precise. The novel approach to malicious network traffic detection proposed in this paper has the potential to significantly enhance the utility of intrusion detection systems applied to both conventional network traffic analysis and network traffic analysis for cyber-physical systems such as smart-grids

Ensemble consensus: An unsupervised algorithm for anomaly detection in network security data

Unsupervised network traffic monitoring is of paramount importance in cyber security. It allows to detect suspicious events that are defined as non-normal and report or block them. In this work the Anomaly Consensus algorithm for unsupervised network analysis is presented. The algorithm aim is to fuse the three most important anomaly detection techniques for unsupervised detection of suspicious events. Tests are performed against the KDD Cup'99 dataset, one of the most famous supervised datasets for automatic intrusion detection created by DARPA. Accuracies reveal that Anomaly Consensus performs on-par with respect to state-of-the-art supervised learning techniques, ensuring high generalization power also in borderline tests when small amount of data (5%) is used for training and the rest is for validation and testing

IRMA via SDN: Intrusion Response and Monitoring Appliance via Software-Defined Networking

Recent approaches to network intrusion prevention systems (NIPSs) use software-defined networking (SDN) to take advantage of dynamic network reconfigurability and programmability, but issues remain with system component modularity, network size scalability, and response latency. We present IRMA, a novel SDN-based NIPS for enterprise networks, as a network appliance that captures data traffic, checks for intrusions, issues alerts, and responds to alerts by automatically reconfiguring network flows via the SDN control plane. With a composable, modular, and parallelizable service design, we show improved throughput and less than 100 ms average latency between alert detection and response.Roy J. Carver FellowshipOpe

Cerberus: Exploring Federated Prediction of Security Events

Modern defenses against cyberattacks increasingly rely on proactive approaches, e.g., to predict the adversary's next actions based on past events. Building accurate prediction models requires knowledge from many organizations; alas, this entails disclosing sensitive information, such as network structures, security postures, and policies, which might often be undesirable or outright impossible. In this paper, we explore the feasibility of using Federated Learning (FL) to predict future security events. To this end, we introduce Cerberus, a system enabling collaborative training of Recurrent Neural Network (RNN) models for participating organizations. The intuition is that FL could potentially offer a middle-ground between the non-private approach where the training data is pooled at a central server and the low-utility alternative of only training local models. We instantiate Cerberus on a dataset obtained from a major security company's intrusion prevention product and evaluate it vis-a-vis utility, robustness, and privacy, as well as how participants contribute to and benefit from the system. Overall, our work sheds light on both the positive aspects and the challenges of using FL for this task and paves the way for deploying federated approaches to predictive security

Attack2vec: Leveraging temporal word embeddings to understand the evolution of cyberattacks

Despite the fact that cyberattacks are constantly growing in complexity, the research community still lacks effective tools to easily monitor and understand them. In particular, there is a need for techniques that are able to not only track how prominently certain malicious actions, such as the exploitation of specific vulnerabilities, are exploited in the wild, but also (and more importantly) how these malicious actions factor in as attack steps in more complex cyberattacks. In this paper we present ATTACK2VEC, a system that uses temporal word embeddings to model how attack steps are exploited in the wild, and track how they evolve. We test ATTACK2VEC on a dataset of billions of security events collected from the customers of a commercial Intrusion Prevention System over a period of two years, and show that our approach is effective in monitoring the emergence of new attack strategies in the wild and in flagging which attack steps are often used together by attackers (e.g., vulnerabilities that are frequently exploited together). ATTACK2VEC provides a useful tool for researchers and practitioners to better understand cyberattacks and their evolution, and use this knowledge to improve situational awareness and develop proactive defenses.Accepted manuscrip