IDS mailing list archives
Re: interesting paper on testing sig-based IDS
From: Giovanni Vigna <vigna () cs ucsb edu>
Date: Mon, 28 Feb 2005 15:45:01 -0800
Well,
We sort of suck in terms of publicizing our research.
Our tool, which is called 'Sploit', is more similar to CANVAS than to
any other.
I haven't seen/tried CANVAS so I am not sure, but the basic ideas seem
similar.
You can get the details from the paper, but the idea is
to compose exploit templates and mutant operators.
The mutation engine applies one or more mutant operators to
an exploit template to obtain a mutant exploit. Then the exploit is run
against a vulnerable application and an oracle determines if
the attack was successful (this is necessary because even though
the mutant operators are supposed to preserve the semantics of the
exploit, things can actually go wrong in unexpected ways).
The outcome of the oracle is automatically cross-correlated
with the outputs of one or more intrusion detection systems.
By "exploring" the mutation space it is possible to find the right
composition of mutant operators to evade an IDS.
In our paper we show that using our tool we were able to
evade 9 out of 10 attacks, in the case of ISS RealSecure.
We are not distributing our code at the moment.
Best regards,
Giovanni
On Feb 25, 2005, at 9:01 PM, Kohlenberg, Toby wrote:
http://www.cs.ucsb.edu/~vigna/pub/2004_vigna_robertson_balzarotti_CCS04.pdf
It seems very similar (at least at first glance) to what's been implemented by RFP in Whisker (the anti-IDS techniques) or in Metasploit (IDS confusion techniques). Have any/many of you seen this before? It seems like it's something we would have seen cross this list but I don't remember it doing so.
t
Toby Kohlenberg, CISSP, GCIH, GCIA
Senior Information Security Analyst
Applied Security Technology Team
Intel Corporate Information Security
503-712-8588 Office & Voicemail
877-497-1696 Pager
"Just because you're paranoid, doesn't mean they're not after you."
PGP Fingerprint: 92E2 E2FC BB8B 98CD 88FA 01A1 6E09 B5BA 9E84 9E70
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
Current thread:
- interesting paper on testing sig-based IDS Kohlenberg, Toby (Feb 28)
- Re: interesting paper on testing sig-based IDS Jonathon Giffin (Mar 01)
- Re: interesting paper on testing sig-based IDS buineach (Mar 02)
- Re: interesting paper on testing sig-based IDS Shai Rubin (Mar 02)
- Re: interesting paper on testing sig-based IDS buineach (Mar 02)
- Re: interesting paper on testing sig-based IDS Giovanni Vigna (Mar 02)
- Re: interesting paper on testing sig-based IDS Stefano Zanero (Mar 04)
- Re: interesting paper on testing sig-based IDS Richard Bejtlich (Mar 02)
- <Possible follow-ups>
- RE: interesting paper on testing sig-based IDS Kyle Quest (Mar 04)
- RE: interesting paper on testing sig-based IDS Jose Maria Lopez Hernandez (Mar 06)
- RE: interesting paper on testing sig-based IDS Kyle Quest (Mar 06)
- RE: interesting paper on testing sig-based IDS Brian Smith (Mar 06)
- RE: interesting paper on testing sig-based IDS Micheal Reynolds (Mar 06)
- Re: interesting paper on testing sig-based IDS Jonathon Giffin (Mar 01)
