Homework #5 - Fundamental NIDS Issues - Due Sunday Sep 11, 11PM
Turn in this assignment via email (firstname.lastname@example.org)
by the due date, with the term Homework in the Subject.
Read the paper
Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics, Mark Handley, Christian Kreibich and Vern Paxson, USENIX Security 2001
(Note, it's okay to skip section 5.1, "The IP Identifier and Stealth
Port Scans", which isn't central to the paper's theme. We'll revisit
this form of stealth port scan later in the class.)
Briefly write up your views of:
- What are the main contributions of this paper?
- What parts of the paper do you find unclear? (optional)
- What parts of the paper are questionable? (That is, you think a
conclusion may be wrong, an approach or evaluation technically
flawed, or data ill-presented.)
Do one of the following:
- Discuss the forms of state that a NIDS must maintain in order
to soundly analyze layer-7 activity. How should the NIDS manage
this state in order to not run out of memory? What are the
evasion consequences of doing so? If the NIDS includes an active
element, to what degree can it use that to aid in its state
- Be sure to read
all of the parts of this question before proceeding, because
otherwise you might wind up doing work on the first part that
complicates your answering the other two parts.
In addition, you should try to avoid evasions that are due
to incompleteness (the NIDS has holes in its implementation).
For example, a NIDS that does not correctly expand hex-escapes
in HTTP requests can be evaded due to its incompleteness,
rather than due to a more fundamental ambiguity. Similarly, a NIDS
that lacks code for expanding compressed data can be evaded due
to incompleteness, rather than ambiguity.
Consider application-layer evasion, rather than network- and
transport-layer as focussed on in the paper:
- Suppose you wish to evade a
signature-based network monitor that correctly
reassembles TCP bytestreams but does not parse the
application protocol within them. Devise an evasion for
an application protocol of your choice (but not an
evasion already discussed in the papers we've read)
and explain how it works. Note that your discussion
should be in terms of a specific application protocol,
and that what's of interest here is
evasion by ambiguity (so for example use of encryption
is not an "evasion"). It's fine if an attacker can use
your evasion to induce a false positive rather
than a false negative.
- Now suppose that the monitor fully parses application protocols.
Devise and explain an evasion-by-ambiguity
(different from the one you
devised above) that still works. This evasion should
allow an attacker to induce a false negative
(avoid detection). State any assumptions you need to
make about how the NIDS operates.
- Discuss to what degree normalization (the general concept,
not the particular ones in the paper) can or can't
defend against your evasions.