Dismantling intrusion prevention systems

Niemi, Olli-Pekka; Levomäki, Antti; Manner, Jukka

doi:10.1145/2342356.2342412

Cited by 8 publications

(5 citation statements)

References 6 publications

(3 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We used a vulnerability scanner called Evader 45,49,50 to run the attacks and accompanying parallelization tool Mongbat for creating a database of a million evasion combinations. Evader supports a total of 35 different atomic evasions.…”

Section: Softwarementioning

confidence: 99%

Evaluating intrusion prevention systems with evasions

Särelä

Kyöstilä

Kiravuo

et al. 2017

Int J Communication

Self Cite

View full text Add to dashboard Cite

Intrusion prevention systems have become a common security measure in the past 20 years. Their promise is the possibility to prevent known attacks against vulnerable, unpatched devices inside enterprise networks. However, evasion techniques that enable the attacker to evade the eye of the intrusion prevention system are a potential problem for this capability. These techniques take advantage of the robustness principle that has guided designers to create systems that will try to recreate protocol content from any input they receive.In this work, we evaluated the effectiveness of 35 well-known evasions against 9 commercial and 1 free, state-of-the-art, intrusion prevention systems. We conducted 4 experiments with one million attacks against each device. Each system lets a significant amount (0.1%-45%) of attacks pass through unrecognized. Our results show that most existing intrusion prevention systems are vulnerable against evasions.

show abstract

Section: Softwarementioning

confidence: 99%

Evaluating intrusion prevention systems with evasions

Särelä

Kyöstilä

Kiravuo

et al. 2017

Int J Communication

Self Cite

View full text Add to dashboard Cite

show abstract

“…The bogus packets are dropped by Internet routers before reaching their destination, but an unaware IDS observes a misleading sequence of packets and eventually misses the attack. Handley et al [78] present a countermeasure, but this fundamental problem still prevails in many DPI-based systems today [133].…”

Section: Intrusion Detection Problemsmentioning

confidence: 99%

Monitoring of Client-Cloud Interaction

Lampesberger

Rady

2015

Correct Software in Web Applications and Web Services

View full text Add to dashboard Cite

When a client consumes a cloud service, computational liabilities are transferred to the service provider in accordance to the cloud paradigm, and the client loses some control over software components. One way to raise assurance about correctness and dependability of a consumed service and its software components is monitoring. In particular, a monitor is a system that observes the behavior of another system, and observation points that expose the target system's state and state changes are required. Due to the cloud paradigm, popular techniques for monitoring such as code instrumentation are often not available to the client because of limited visibility, lack of control, and black-box software components. Based on a literature review, we identify potential observation points in today's cloud services. Furthermore, we investigate two cloud-specific monitoring applications based on our ongoing research. While service level agreement (SLA) monitoring ensures that agreed-upon conditions between clients and providers are met, language-based anomaly detection monitors the interaction between client and cloud for misuse attempts.

show abstract

“…Volunteers will set up ScrambleSuit bridges which then publish their descriptors-including IP address, port and secret-to the bridge authority (1) which feeds this information into the BridgeDB component. In the next step, the gathered descriptors have to be distributed to censored users (2). The two primary distribution channels are email and HTTPS [41].…”

Section: Session Ticketsmentioning

confidence: 99%

“…We consider deep packet inspection (DPI) harmful. While originally meant to detect attack signatures in packet payload, it is ineffective in practice due to the ease of evasion [1,2,3]. At the same time, DPI technology is increasingly used by censoring countries to filter the free flow of information or violate network neutrality [4].…”

Section: Introductionmentioning

confidence: 99%

ScrambleSuit: A Polymorph Network Protocol to Circumvent Censorship

Winter,

Pulls,

Fuss

2013

Preprint

View full text Add to dashboard Cite

Deep packet inspection technology became a cornerstone of Internet censorship by facilitating cheap and effective filtering of what censors consider undesired information. Moreover, filtering is not limited to simple pattern matching but makes use of sophisticated techniques such as active probing and protocol classification to block access to popular circumvention tools such as Tor.In this paper, we propose ScrambleSuit; a thin protocol layer above TCP whose purpose is to obfuscate the transported application data. By using morphing techniques and a secret exchanged out-of-band, we show that ScrambleSuit can defend against active probing and other fingerprinting techniques such as protocol classification and regular expressions.We finally demonstrate that our prototype exhibits little overhead and enables effective and lightweight obfuscation for application layer protocols.

show abstract

Dismantling intrusion prevention systems

Abstract: This paper introduces a serious security problem that people believe has been fixed, but which is still very much existing and evolving, namely evasions. We describe how protocols can still be misused to fool network security devices, such as intrusion prevention systems.

Cited by 8 publications

References 6 publications

Evaluating intrusion prevention systems with evasions

Evaluating intrusion prevention systems with evasions

Monitoring of Client-Cloud Interaction

ScrambleSuit: A Polymorph Network Protocol to Circumvent Censorship

Contact Info

Product

Resources

About