Homework #5 - Fundamental NIDS Issues - Due Sunday Sep 11, 11PM


Turn in this assignment via email (vern@berkeley.edu) by the due date, with the term Homework in the Subject.

Read the paper "Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics," Mark Handley, Christian Kreibich and Vern Paxson, USENIX Security 2001.
(Note, it's okay to skip section 5.1, "The IP Identifier and Stealth Port Scans", which isn't central to the paper's theme. We'll revisit this form of stealth port scan later in the class.)

Briefly write up your views of:

  1. What are the main contributions of this paper?

  2. What parts of the paper do you find unclear? (optional)

  3. What parts of the paper are questionable? (That is, you think a conclusion may be wrong, an approach or evaluation technically flawed, or data ill-presented.)

  4. Do one of the following:

    1. Discuss the forms of state that a NIDS must maintain in order to soundly analyze layer-7 activity. How should the NIDS manage this state in order to not run out of memory? What are the evasion consequences of doing so? If the NIDS includes an active element, to what degree can it use that to aid in its state management?

    2. Be sure to read all of the parts of this question before proceeding, because otherwise you might wind up doing work on the first part that complicates your answering the other two parts. In addition, you should try to avoid evasions that are due to incompleteness (the NIDS has holes in its implementation). For example, a NIDS that does not correctly expand hex-escapes in HTTP requests can be evaded due to its incompleteness, rather than due to a more fundamental ambiguity. Similarly, a NIDS that lacks code for expanding compressed data can be evaded due to incompleteness, rather than ambiguity.

      Consider application-layer evasion, rather than the network- and transport-layer evasion the paper focuses on:

      1. Suppose you wish to evade a signature-based network monitor that correctly reassembles TCP bytestreams but does not parse the application protocol within them. Devise an evasion for an application protocol of your choice (but not an evasion already discussed in the papers we've read) and explain how it works. Note that your discussion should be in terms of a specific application protocol, and that what's of interest here is evasion by ambiguity (so for example use of encryption is not an "evasion"). It's fine if an attacker can use your evasion to induce a false positive rather than a false negative.

      2. Now suppose that the monitor fully parses application protocols. Devise and explain an evasion-by-ambiguity (different from the one you devised above) that still works. This evasion should allow an attacker to induce a false negative (avoid detection). State any assumptions you need to make about how the NIDS operates.

      3. Discuss to what degree normalization (the general concept, not the particular ones in the paper) can or can't defend against your evasions.
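
The following example is added here to illustrate the distinction question 4.2 draws between evasion by incompleteness and evasion by ambiguity; it is not part of the original assignment and does not answer any of its parts. It shows the hex-escape case mentioned above: a signature matcher working on the reassembled HTTP bytestream misses a request whose path carries %XX escapes, while a matcher that parses the request line and percent-decodes the target catches it. The signature, the request lines and the hex_escape helper are all constructed for the demonstration.

```python
from urllib.parse import unquote

# Constructed signature: the byte pattern the monitor is looking for.
SIGNATURE = b"/etc/passwd"

# Constructed request: the signature appears literally in the bytestream.
PLAIN_REQUEST = (b"GET /cgi-bin/view?file=/etc/passwd HTTP/1.0\r\n"
                 b"Host: example.test\r\n\r\n")

# Same request with hex escapes in the path. The web server percent-decodes
# the request-target before acting on it, so it sees the identical path.
ESCAPED_REQUEST = (b"GET /cgi-bin/view?file=/%65tc/pa%73swd HTTP/1.0\r\n"
                   b"Host: example.test\r\n\r\n")


def raw_match(stream: bytes, signature: bytes = SIGNATURE) -> bool:
    """Signature match on the reassembled TCP bytestream, no protocol parsing.

    This is the incomplete monitor: it never decodes the escapes the server
    decodes, so ESCAPED_REQUEST slips past it."""
    return signature in stream


def request_target(stream: bytes) -> bytes:
    """Extract the request-target from an HTTP/1.x request line."""
    line = stream.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) != 3:
        raise ValueError("not an HTTP/1.x request line")
    return parts[1]


def decode_target(target: bytes) -> str:
    """Percent-decode a request-target the way the server will."""
    return unquote(target.decode("ascii", errors="replace"))


def normalized_match(stream: bytes, signature: bytes = SIGNATURE) -> bool:
    """Parse the request line and percent-decode the target before matching.

    Adding the decoding step closes the hole: the monitor now sees the same
    bytes the server sees, so the evasion disappears."""
    return signature.decode("ascii") in decode_target(request_target(stream))


def hex_escape(path: bytes, every: int = 3) -> bytes:
    """Attacker-side helper (constructed): rewrite every N-th alphanumeric
    byte of a path as a %XX escape. The server decodes it back, so the
    request is semantically unchanged."""
    out = bytearray()
    for i, b in enumerate(path):
        if i % every == 0 and chr(b).isalnum():
            out += b"%%%02X" % b
        else:
            out.append(b)
    return bytes(out)


if __name__ == "__main__":
    for name, req in (("plain", PLAIN_REQUEST), ("escaped", ESCAPED_REQUEST)):
        print(f"{name:8s} raw={raw_match(req)!s:5s} normalized={normalized_match(req)}")
    evasive = b"GET " + hex_escape(b"/etc/passwd") + b" HTTP/1.0\r\n\r\n"
    print(evasive.split(b"\r\n")[0], raw_match(evasive), normalized_match(evasive))
```

Because the decoding step has a single well-defined answer for the escapes shown, the fix here is simply to implement it, which is why the assignment treats this as incompleteness rather than ambiguity. The ambiguity questions start where the monitor cannot know what the end system will do with the decoded bytes (for instance, how a given server treats an escape that decodes to a reserved character, or whether it decodes more than once), and those are what parts 4.2.1 and 4.2.2 ask you to find.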