Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 1


Computers have advanced to become part of our daily life; everywhere you go there is a computer network that has been installed to perform a certain number of jobs, and the effectiveness of an organisation’s business performance has become greatly dependent on the availability, reliability and security of these networks and the systems connected to them. This has resulted in the unfortunate fact that many systems connected to the internet are targets of a range of attacks, especially those of organisations with hundreds of hosts, services and sensitive data. It is equally true for small offices and isolated home users with no data to protect. This is because criminals benefit greatly from the data they steal from big organisations; in the case of small offices and home users, criminals benefit by using them as a stepping stone so they can launch their attacks without being caught.

From the beginning of 2003, the SANS Internet Storm Centre (ISC 2003) started to monitor the average survival time of un-patched machines and found that the time it takes to download patches is greater than the time to install the software. This means that before a system is fully patched, attacks have already spread across the network at incredible speed. In many cases the speed of these attacks and the speed at which they spread across the network exceed the possibility of human intervention. Therefore, the development of the components (hardware and software) that detect these attacks becomes extremely important.

As mentioned by Bruneau (2001), the rule-based method developed by Dorothy Denning and Peter Neumann between 1984 and 1986 was used by the first IDS. This work was influenced by a report published by James P. Anderson in 1980 titled “How to use accounting audit files to detect unauthorised access”. This model was improved to create what is recognised today as the Next-Generation Intrusion Detection Expert System (Bruneau 2001, p.3).

Since 1997, workshops have been held every year to share information and work on solving the limitations of IDSs.

These IDSs are considered to be one of the most important components used by organisations to secure their network infrastructure. Although there are many different types of IDSs, all of them fall into one of the following three categories (Mell 2007):

  1. Signature-based – this technology has a database of all known attacks that is used to find malicious activities by comparing the network activity to this database.
  2. Anomaly-based – uses the network’s baseline as a profile against which it compares the network activity in order to detect attacks.
  3. Stateful protocol analysis based – understands how each protocol should and should not be used. It uses this knowledge to detect any network activity that doesn’t comply with the protocol.

The ones that are still mostly used today are signature-based IDSs. These systems, as mentioned above, rely on signatures to detect an attack; a perfect system with perfect signatures would detect 100% of attacks (Mell 2007). Writing good signatures is the challenge that faces researchers and developers today.

To be able to write good signatures a researcher or developer needs to have deep knowledge and experience in how to compromise a network as well as deep knowledge in the attack or exploit being analysed, which is a process that can take a considerable amount of time, from weeks to months just to analyse a single exploit and derive a signature to detect it.

With hundreds of exploits and ways to attack networks, thousands of systems could still be vulnerable today even with the existence of the most advanced IDSs. This is not to deny that these devices are very effective at what they do, and they have been around for more than 20 years; however, one also has to recognise that they have limitations that enable attackers to keep inventing new ways to attack or bypass them and carry out their attacks without being noticed (Gordon undated). These facts made organisations implement several layers of security (a method called defence in depth), where each layer has several security components of a different type and model from the components in the other layers. These are all aimed at compensating for the limitations these components have, which makes it harder for attackers to penetrate the network. Regardless of all of these measures, attackers still find dozens of ways to bypass all of these layers and evade detection.

While studying the Information Systems Security course, and in particular the IDS and Hacking modules, the author recognised that an attacker can change the name of the attack and, although the IDS has a signature for it, the attack can go unnoticed just because the name was changed. Another method the author recognised is that an attacker would create hundreds or even thousands of false alerts and hide the real attack within these alerts. This is to fool the analyst into thinking that the system generated false positives and overlook the real alert.
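To make the three detection categories listed above concrete, and to show why a renamed attack slips past a literal signature, here is a small added example (not code from the dissertation or from Snort). It runs three toy detectors over constructed HTTP request records; the tool banner "ExampleScanner", the addresses and the baseline of three requests per source are all assumptions.

```python
"""Added example: one toy detector per IDS category, run over constructed
HTTP request records. Illustrates why a renamed banner evades a literal
signature while a baseline (anomaly) or protocol check can still fire."""
from collections import Counter

# Constructed sample traffic (source, method, path, user_agent). Not real captures.
TRAFFIC = [
    ("10.0.0.5", "GET", "/index.html", "Mozilla/5.0"),
    ("10.0.0.5", "GET", "/about.html", "Mozilla/5.0"),
    ("10.0.0.9", "GET", "/admin/", "ExampleScanner/1.0"),  # original banner: signature fires
    ("10.0.0.9", "GET", "/backup/", "Mozilla/5.0"),        # same tool, banner changed
    ("10.0.0.9", "GET", "/old/", "Mozilla/5.0"),
    ("10.0.0.9", "GET", "/test/", "Mozilla/5.0"),
    ("10.0.0.9", "GET", "/tmp/", "Mozilla/5.0"),
    ("10.0.0.9", "GET", "/dev/", "Mozilla/5.0"),
    ("10.0.0.7", "GIT", "/index.html", "Mozilla/5.0"),     # method HTTP does not define
]

# Hypothetical signature database: literal strings taken from known tool banners.
SIGNATURES = ["ExampleScanner"]

# Methods defined by HTTP/1.1; anything else is a protocol violation.
VALID_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}


def signature_alerts(traffic):
    """Signature-based: one alert per request whose user agent matches a known string."""
    return [src for src, _, _, ua in traffic if any(s in ua for s in SIGNATURES)]


def anomaly_alerts(traffic, baseline_per_source=3):
    """Anomaly-based: alert on sources whose request count exceeds the baseline."""
    counts = Counter(src for src, *_ in traffic)
    return sorted(src for src, n in counts.items() if n > baseline_per_source)


def protocol_alerts(traffic):
    """Stateful protocol analysis (simplified): alert on undefined HTTP methods."""
    return [src for src, method, _, _ in traffic if method not in VALID_METHODS]


if __name__ == "__main__":
    print("signature:", signature_alerts(TRAFFIC))   # only the unmodified banner
    print("anomaly:  ", anomaly_alerts(TRAFFIC))     # the renamed scans still stand out
    print("protocol: ", protocol_alerts(TRAFFIC))    # the malformed request
```

Of the six requests from 10.0.0.9 the signature catches exactly one; the remaining five are only visible to the baseline check, which is the gap the renamed-attack observation describes.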

This was the reason for choosing IDSs as the research topic for the course. Many different sources were studied to gain good knowledge of the domain. Recognising how wide this domain is, it was narrowed down to investigate the evasion techniques used on IDSs and how effective open source IDSs such as Snort are in detecting these techniques.

The author has become aware of the tremendous amount of hard work researchers and developers are doing to solve these weaknesses. Therefore this piece of work would be of benefit to information security specialists who are looking into how to improve IDSs and solve the weaknesses these systems have. Also this work would benefit students in the field who want to experiment with different ways to attack IDSs.

Research Question – Discussion

Information systems suffer from vulnerabilities that range from software to hardware. These vulnerabilities are used by attackers to compromise systems on a network. Due to these vulnerabilities, system developers work very hard to make sure that their products are free from bugs or faults and new patches are developed to resolve issues that have been discovered previously.

Organisations tend to use products such as firewalls, NIDS and HIDS to secure their network and make it harder for attackers to attack their systems. Regardless of these products, attackers still manage to bypass these devices by taking advantage of their limitations. Therefore it is very important to investigate the weaknesses these systems have, the techniques used to evade them, and the key factors or features of these evasion techniques that enable them to succeed in evading these systems (IDSs).

For this reason the research question is formulated and expressed as follows:

What are the key factors that make well-known IDS evasion techniques effective in evading the sensors of Open Source Intrusion Detection Systems?

The reason for putting together the research question is to investigate the types of techniques used to bypass IDSs, the special features they have that enable them to do so, and what IDSs would need to have to be able to detect attacks that use such techniques.

To allow these investigations to be carried out, access to the necessary tools is very important. It is equally important to have the necessary knowledge of how to operate them. These tools usually come at a very high price that is only affordable by large organisations; therefore a decision was made to use open source tools. After that, a good plan that helps in accomplishing the research and achieving its objectives had to be identified. A virtualised testing environment was used to achieve this. The testing environment is made up of three virtual machines: one acts as the Intrusion Detection System, the second acts as the client and the third is the attacker.

The IDS virtual machine uses Snort 1.9 and the attacker system is a virtual machine that runs BackTrack.

The tests carried out took the form of two scenarios, each of which is made up of three phases as described below:

  • Scenario One – with no evasion: this part consists of three phases. The first phase operates Snort in rule-only mode (all rules are activated and the pre-processors are deactivated), the second phase is the other way round (rules are deactivated and the pre-processors are activated) and the third phase operates Snort in full mode (all rules and pre-processors are activated).
  • Scenario Two – the second scenario focuses on applying two of the evasion techniques discussed in chapter two. This stage also has three phases; however, they are not the same as in scenario one. The IDS here monitors in full mode (rules and pre-processors), and three different configurations are used, each of which represents a phase.

In each of the three phases of scenario two, data is captured and analysed using packet capture and analysis tools such as tcpdump or Wireshark. Signatures are then created and tested for their effectiveness. Finally, a recommendation for a model to automatically detect attacks and create signatures was made.

Although this research presents a theoretical model, it is a step towards giving other researchers in the field an idea that will improve the effectiveness of IDSs and hopefully reduce the time it takes researchers and developers to develop solutions for new attacks. This is because all of the studies in this area to this day are based on a paper written in 1998 by Ptacek H. Thomas, which is 13 years old (considered very old in the IT industry).

Aims and Objectives

The aim of this piece of work is to study and investigate the techniques used by attackers to evade IDS detection and exploit systems without being discovered. The objectives are:

  1. To get a detailed knowledge and experience on IDSs and how they work.
  2. To gain good knowledge of the limitations that exist in each of the different types of IDSs.
  3. To study the best ways to deploy IDSs in an enterprise environment.
  4. To study and investigate the different types of evasion techniques that can be used on IDSs, how they work and what makes them effective.
  5. To apply these techniques in a controlled environment.
  6. Investigate how to counter these techniques.
  7. Suggest a model to bring these countermeasures into practical use and automate the process.
  8. Fulfil the requirements of the MSc in Information Systems Security.

Possible Outcomes

This piece of work also intends to achieve the following outcomes:

  1. Increase the level of knowledge in this area.
  2. Help users (including businesses), researchers and developers in the field gain good knowledge of the limitations that exist in IDSs and how they can be attacked.
  3. Provide network administrators a document that they can use when deploying and testing IDSs.
  4. This project will also provide the necessary pieces of information and act as a stepping stone for further study and research into the field of artificial intelligence and neural networks and how they can play a role in improving the effectiveness of IDSs and make them smarter so that they’re capable of learning from previous attacks.

Outline of Project

This study aims at providing students and researchers with a comprehensive document that describes IDPSs: the way they work, the components they are made of, the way they can be deployed and their strengths and weaknesses. The study then looks at one of the problems that continue to face these devices (evasion techniques) in more detail and tries to provide a solution for it. The study is made up of eleven main chapters and five appendices; the appendices describe issues that could not be included in the report because they were beyond its length, such as the program code and the problems faced:

Chapter one gives a brief discussion of the research question, its objectives, the possible outcomes that can be achieved from this study and an overall outline of the study, which is the one you are reading now. Chapter two looks into the problem this study is aiming to solve; it discusses the evasion techniques that attackers use to circumvent these devices, categorised into two categories (simple and advanced). Then the methodology and methods this study is made of and that it uses to achieve its objectives are discussed in chapter three. The tools used to complete the study and implement the experiments are briefly introduced in chapter four. Chapter five explains the procedure used in the experiments and the way the labs have been set up. Chapter six describes the results obtained from the experiments implemented during the study. Chapter seven discusses the results from the previous chapter; chapter eight explains how these problems can be solved using an IDS model that the author recommends. Other factors that researchers need to consider, which aid in improving IDS effectiveness and are not (directly) considered evasion methods but help IDSs detect these attacks, are outlined in chapter nine. Chapter ten provides an overall conclusion of the study and its findings, while chapter eleven gives a critical evaluation of the whole study, whether it achieved its goals or not, and the areas in which it can be improved to increase its accuracy. Appendix A provides a detailed look at IDSs, their different types, the way they are deployed and the limitations of each technology, knowledge that was necessary to be able to carry out the study. Appendix B provides a demo of a program the author developed, which is not complete (a full program of this sort is beyond the study and the programming experience of the author) but gives an idea of the model that the study describes in chapter eight. Appendix C provides a brief discussion of the problems faced during the study and the decisions that had to be made to solve them; Appendix D provides the plan used to complete the dissertation and finally Appendix E describes the contents of the accompanying DVD.
