Re: Stateful Anomaly Detection Molding

[Thomas Ptacek <tqbf () arbor net>]

On Oct 13, 2004, at 10:41 AM, Beauford, Jason wrote:
> What can the Blackhats of the world due to perpetuate rule set molding
> of Stateful Anomaly Detection engines to allow malicious traffic 
> through
> without being detected?  How reliable are S.A.D. engines in detecting
> unwanted traffic?

If you're looking for a Phrack article to write, this is probably a 
good topic.

On the other hand, if you're looking for something relevant to the ways 
that
attackers will actually break in to networks, I'd look elsewhere.

A few thoughts:

        - IDS engines --- which are very well understood --- still tend to
        be astonishingly weak against directed, surgical attacks (attacks
        in which an explicit goal is made of avoiding a particular detector).

        Just recently on this list, Dave Maynor from ISS cited a flaw in a
        competing IPS product that would have been a major discovery
        in 1998, when Newsham, Paxson, Meltzer, Dug Song, and I were all
        just beginning to do research on signature IDS.

        Despite the fact that virtually every IDS/IPS engine deployed today
        has exploitable weaknesses, IPS evasion is still not a tool in most
        attackers toolboxes. Have any operators on this list ever detected
        an attacker abetted by Fragroute? Fragroute gets press mentions
        and is freely downloadable!

        "Anomaly detection" is so new, and so un-proven, and so hyped
        and marketed, that I doubt anyone is giving serious thought to how to
        evade it.

        - Despite all this, Arbor Networks actually has done research into
        anomaly detection evasion, and we have designed and built
        mechanisms to resist training attacks --- suggesting to me that there
        are plenty of "anomaly detection" engines out there that can be faked
        out.

        - However, I would suspect that a far more fruitful avenue of attacking
        anomaly detection systems is to chaff them into generating millions
        of false positives. On enterprise networks, most well-known anomaly
        detection techniques are noisier and harder to tune than signature
        systems.

	This is simpler than training (or "molding"), and it applies equally 
well
        to IPS systems --- an IPS that appears to randomly block traffic that
        can't be traced to a legitimate attack can be evaded simply by waiting
        for operators to turn blocking off.

        - With regards to IPS vendors, by the way, you will be surprised at how
        simple the mechanisms are that underly vendor claims to "anomaly
        detection".

---
Thomas H. Ptacek // Product Manager, Arbor Networks
(734) 327-0000


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------