Techniques of Network Attacks and Defenses Chapter 2: Networking security devices Po-Ching Lin
Jan 01, 2022

Download

Documents

dariahiddleston
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: Techniques of Network Attacks and Defenses

Techniques of Network Attacks and Defenses, Chapter 2: Networking security devices

Po-Ching Lin


Networking security devices

1 / 61


Categories of Network Security Devices

▶ Firewall

▶ Virtual Private Network (VPN)

▶ Intrusion Detection System (IDS)

▶ Anti-virus Gateway

▶ Anti-spam/phishing System

▶ Web Application Firewall (WAF)

▶ Application Control System

▶ Content Filtering System

▶ Data Leak Prevention

▶ Unified Threat Management (UTM)

▶ Security Information and Event Management (SIEM)


Firewall

▶ Sit between internal and external networks to decide what kinds of traffic should be allowed and denied
▶ Network-based or host-based

[Figure: a firewall between the external network and the internal network; a DMZ holding the public server hangs off the firewall, and an internal server sits behind it. A "bad guy" and a "good guy" both reach the firewall from the external network.]

Packet-filtering firewall

Act as a packet filter
▶ Set up an access control list (ACL)
▶ Filter packets according to rules with multiple fields

Example of ACL

    Action  Src addr.  Dest addr.  Protocol  Src port  Dest port  Control bit
    allow   internal   external    TCP       any       80         any
    allow   external   internal    TCP       80        >1023      ACK
    deny    all        all         all       all       all        all

▶ The filtering is based on the fields of individual packets only. No flow state is kept.
▶ Any packet from the external network with src port == 80, dest port > 1023 and the ACK bit set is permitted into the internal network, even if it does not belong to an established connection.

Stateful firewall

Features
▶ Remember what has happened in previous packets, e.g., flow tracking, so that reply traffic can be allowed automatically.
▶ Make the decision also based on the memory of flow tracking.

Example of flow-tracking table

    Src addr.   Dst addr.     Src port  Dst port  timeout (s)
    10.1.1.20   10.34.12.11   45678     80        60
    10.1.1.34   10.22.11.45   53222     80        40

▶ State table updated dynamically in real time
▶ Only packets in an established connection can enter.
▶ Extra memory needed, e.g., 1 GB RAM for 100,000 entries in the pfSense firewall

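The stateless ACL and the stateful flow table of the two slides above, side by side, as an added Python example that is not part of the course material. The internal prefix 10.1.1.0/24, the outside host 203.0.113.9 and all packets are constructed; the point is the crafted ACK packet that the ACL lets through and the flow table does not.

```python
"""Stateless ACL vs. stateful flow table, using the slides' own rules.

Constructed example: a packet from the outside with src port 80, dst port > 1023
and ACK set satisfies the second ACL rule, so the stateless filter allows it.
A stateful firewall only allows it if an outbound packet created a flow entry
first, and drops it again once that entry has timed out.
"""
from dataclasses import dataclass
import ipaddress

INTERNAL = ipaddress.ip_network("10.1.1.0/24")  # constructed internal prefix


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: frozenset  # e.g. frozenset({"SYN"}) or frozenset({"ACK"})


def side(addr: str) -> str:
    return "internal" if ipaddress.ip_address(addr) in INTERNAL else "external"


def stateless_filter(p: Packet) -> str:
    """The slide's ACL, evaluated top-down, first match wins."""
    if side(p.src) == "internal" and side(p.dst) == "external" \
            and p.proto == "TCP" and p.dport == 80:
        return "allow"
    if side(p.src) == "external" and side(p.dst) == "internal" and p.proto == "TCP" \
            and p.sport == 80 and p.dport > 1023 and "ACK" in p.flags:
        return "allow"
    return "deny"                       # the final "deny all" row


class StatefulFirewall:
    """Flow table keyed on the outbound 5-tuple; each entry carries an expiry time."""

    def __init__(self, timeout: float = 60.0):
        self.timeout = timeout
        self.flows = {}                 # (src, dst, proto, sport, dport) -> expiry

    def _expire(self, now: float) -> None:
        self.flows = {k: t for k, t in self.flows.items() if t > now}

    def process(self, p: Packet, now: float) -> str:
        self._expire(now)
        key = (p.src, p.dst, p.proto, p.sport, p.dport)
        reverse = (p.dst, p.src, p.proto, p.dport, p.sport)
        if side(p.src) == "internal" and stateless_filter(p) == "allow":
            self.flows[key] = now + self.timeout        # outbound: create/refresh entry
            return "allow"
        if reverse in self.flows:                       # reply to a tracked flow
            self.flows[reverse] = now + self.timeout
            return "allow"
        return "deny"                                   # no flow, so no entry


def demo() -> dict:
    fw = StatefulFirewall(timeout=60.0)
    out = Packet("10.1.1.20", "10.34.12.11", "TCP", 45678, 80, frozenset({"SYN"}))
    reply = Packet("10.34.12.11", "10.1.1.20", "TCP", 80, 45678, frozenset({"SYN", "ACK"}))
    crafted = Packet("203.0.113.9", "10.1.1.34", "TCP", 80, 40000, frozenset({"ACK"}))
    late = Packet("10.34.12.11", "10.1.1.20", "TCP", 80, 45678, frozenset({"ACK"}))
    return {
        "stateless_crafted": stateless_filter(crafted),      # allow: the ACL cannot tell
        "stateful_out": fw.process(out, now=0.0),            # allow, creates the entry
        "stateful_reply": fw.process(reply, now=0.1),        # allow, matches the entry
        "stateful_crafted": fw.process(crafted, now=0.2),    # deny: no matching flow
        "stateful_late": fw.process(late, now=120.0),        # deny: entry timed out
    }
```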

Stateful firewall (cont.)

Which flows can be tracked besides TCP flows?
▶ UDP/ICMP flow: allow incoming UDP/ICMP packets only if there was a matching outgoing packet.
▶ FTP flow: allow the FTP data connection only if a matching FTP command connection has been established.

Stateless vs. stateful
▶ Stateless: less complex, easier to implement, but may be insecure
▶ Stateful: more complex, harder to implement, but more secure

Efficiency in rule matching
▶ Basically need a fast packet classification algorithm
▶ With ASIC implementation for a high-speed firewall

Rule configuration on a firewall

[Figure: example of a firewall rule configuration screen, from pfSense, www.pfsense.org]

Proxy-based firewall

Differences from other types of firewall
▶ Act as a proxy between client and server
▶ Two connections established: one from client to firewall and the other from firewall to server

Features
▶ Easier to inspect and filter traffic in the application layer, e.g., for web applications or even TLS traffic
▶ Limited protocol support (good for security, but bad for diverse applications)
▶ A potential performance bottleneck (will maintain many connections in a large environment)

Example: Netfilter in Linux

[Figure: Netfilter components (Jan Engelhardt, last updated 2014-02-28, initial 2008-06-17). Userspace tools: arptables, ebtables, ip6tables, iptables, nft and iptables-nftables, ulogd2. Netfilter kernel components, all built on the Netfilter hook API: Xtables with the filter table (arptables), the nat/filter/broute tables (ebtables) and the raw/mangle/filter and nat tables (ip6tables, iptables); nf_tables; the NAT engine; conntrack (connection tracking with L3/4 trackers and L7 helpers); logging via nf_log (to ulogd2) and queueing via nf_queue (to custom userspace programs); bridging and other networking components. Packets flow from and to the network stack and hardware.]

source: By Jan Engelhardt - Own work, Origin SVG PNG, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=7294051

Netfilter hooks

▶ Refers to a specific stage of the packet while it's being processed through the kernel.
▶ Can register a callback function for additional processing
▶ Six hooks in the Linux kernel

[Figure: packet path through the hooks. ingress -> prerouting -> routing decision -> input -> local process -> output -> routing decision -> postrouting; packets not destined to the local host take routing decision -> forward -> postrouting instead.]

*The ingress hook is added for nftables since Linux kernel v4.2 for filtering L2 packets.

nftables

nftables: the new packet classification framework that replaces the existing {ip,ip6,arp,eb}tables infrastructure.

nft command: the command line tool to interact with nftables from userspace

tables: family refers to one of the following table types: ip, arp, ip6, bridge, inet, netdev.

chains: type refers to the kind of chain to be created. hook refers to a specific stage of the packet while it's being processed through the kernel. Also priority and policy.

rules: handle is an internal number that identifies a certain rule. position is an internal number that is used to insert a rule before a certain handle.

nftables (cont.)

Type of chain
▶ filter: supported by the arp, bridge, ip, ip6 and inet table families
▶ route: mark packets (like mangle for the output hook; for other hooks use the type filter instead), supported by ip and ip6
▶ nat: in order to perform Network Address Translation, supported by ip and ip6.

Hook
▶ The hooks for the ip, ip6 and inet families are: prerouting, input, forward, output, postrouting.
▶ The hooks for the arp family are: input, output.
▶ The bridge family handles ethernet packets traversing bridge devices.
▶ The hook for netdev is: ingress.

nft command: example

    # nft list ruleset
    # ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=115 time=9.59 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=115 time=11.3 ms
    ^C
    --- 8.8.8.8 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1002ms
    rtt min/avg/max/mdev = 9.593/10.423/11.253/0.830 ms
    # nft add table inet my_table
    # nft add chain inet my_table my_filter_chain { type filter hook input priority 0 \; }
    # nft list ruleset
    table inet my_table {
        chain my_filter_chain {
            type filter hook input priority filter; policy accept;
        }
    }

nft command: example (cont.)

    # nft add rule inet my_table my_filter_chain ip saddr 8.8.8.8 counter drop
    # ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    ^C
    --- 8.8.8.8 ping statistics ---
    2 packets transmitted, 0 received, 100% packet loss, time 1003ms
    # nft list ruleset
    table inet my_table {
        chain my_filter_chain {
            type filter hook input priority filter; policy accept;
            ip saddr 8.8.8.8 counter packets 2 bytes 168 drop
        }
    }
    # nft flush table inet my_table
    # ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=115 time=9.38 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=115 time=11.8 ms
    ^C

More examples of nft commands

▶ Reject traffic coming to the local machine which did not originate from us:
    nft add rule filter input ct state new reject

▶ Log and accept incoming SSH traffic:
    nft add rule filter input tcp dport 22 ct state new log prefix \"New SSH connection: \" accept

▶ Accept a maximum of 10 ICMP echo-request packets per second:
    nft add rule filter input icmp type echo-request limit rate 10/second accept

▶ Match all traffic from the 192.168.1.0/24 network to the interface eth0; the IPv4 address 1.2.3.4 is used as the source for the packets that match this rule:
    nft add rule nat postrouting ip saddr 192.168.1.0/24 oif eth0 snat 1.2.3.4

See more examples on wiki.nftables.org and the syntax of nft in nft(8).

Virtual private network

What is a VPN? Building private point-to-point communication across a public network, so that users can communicate over the public network as if the communication were over the private network.

▶ Allow remote users to access internal resources (in private networks) securely.
▶ For site-to-site communication between intranets.
▶ Bypass geo-blocking or censorship, or stay anonymous on the Internet.

Common VPN protocols
▶ L2TP, IPSec
▶ TLS/SSL
▶ WireGuard

IPSec: Authentication Header (AH)

Provide data integrity with a hash function and a shared secret key (also guarantee the data origin).

[Figure: AH placement in the IP packet; source: kkc.github.io/2018/03/21/IPSEC-note]

IPSec: Authentication Header Format

     0        8        16       24      31
    +--------+--------+-----------------+
    | Next   | Payload|    Reserved     |
    | Header | Length |                 |
    +--------+--------+-----------------+
    |  Security Parameters Index (SPI)  |
    +-----------------------------------+
    |          Sequence Number          |
    +-----------------------------------+
    |    Integrity Check Value (ICV)    |
    |               ...                 |
    +-----------------------------------+

▶ Next Header: the upper-layer protocol
▶ Payload Length: length of this header in 4-byte units, minus 2
▶ SPI: to identify the security association of the receiving party
▶ Sequence Number: a monotonic, strictly increasing sequence number to prevent replay attacks
▶ ICV: integrity check of this packet (by a secure hash function)

IPSec: Encapsulation Security Payload (ESP)

Provide confidentiality, authentication, and integrity.

[Figure: ESP placement in the IP packet; source: kkc.github.io/2018/03/21/IPSEC-note]

IPSec: ESP Packet Format

     0        8        16       24      31
    +-----------------------------------+
    |  Security Parameters Index (SPI)  |
    +-----------------------------------+
    |          Sequence Number          |
    +-----------------------------------+
    |           Payload data*           |
    +-----------------------------------+
    |       Padding (0-255 octets)      |
    +-----------------+--------+--------+
    |                 |  Pad   |  Next  |
    |                 | Length | Header |
    +-----------------+--------+--------+
    |    Integrity Check Value (ICV)    |
    |               ...                 |
    +-----------------------------------+

*from the original IP packet

Internet Security Association and Key Management Protocol (ISAKMP)

Purpose
▶ For establishing security associations (SA) and cryptographic keys
▶ Can work with a key exchange protocol like Internet Key Exchange (IKE)

Security association (SA)

Establishment of shared security attributes between two network entities, such as cryptographic algorithm and mode, and encryption parameters and keys. An SA is one-way (i.e., one SA for each direction).

Diffie-Hellman Key Exchange Protocol

Alice
1. Randomly selects a positive number XA < p (private)
2. Sends YA = a^XA mod p to Bob (public; a is also public)
3. Computes KA = YB^XA mod p as Alice's secret key, where YB is the string sent from Bob

Bob
1. Randomly selects a positive number XB < p (private)
2. Sends YB = a^XB mod p to Alice (public; a is also public)
3. Computes KB = YA^XB mod p as Bob's secret key, where YA is the string sent from Alice

Alice and Bob share the same secret key K = KA = KB.

TLS ≤ 1.2 handshake protocol: full handshake

    Client                                          Server
    ClientHello                  -------->
                                                    ServerHello
                                                    Certificate*
                                                    ServerKeyExchange*   (DH: generate ephemeral key)
                                                    CertificateRequest*
                                 <--------          ServerHelloDone
    Certificate*
    ClientKeyExchange            (DH: generate ephemeral key / RSA: random premaster secret)
    CertificateVerify*
    [ChangeCipherSpec]
    Finished                     -------->
                                                    (DH: generate shared secret / RSA: decrypt pms)
                                                    [ChangeCipherSpec]
                                 <--------          Finished
    Application data             <========>         Application data     (secure session)

*: may not be present in all ciphersuites. [. . .]: sent over the TLS alert protocol.
single arrow (-->): plaintext flows, double arrow (==>): encrypted flows

TLS 1.3 handshake protocol: full handshake

    Client                                          Server
    ClientHello
      key share, pre shared key, ...  -------->
                                                    ServerHello
                                                      key share, pre shared key, ...
                                                    (generate handshake traffic key)
                                                    Encrypted extensions
                                                    CertificateRequest*
                                                    Certificate*
                                                    CertificateVerify*
                                      <========     Finished
                                                    (generate application traffic key)
                                      <########     Application data*
    (generate handshake traffic key)
    Certificate*
    CertificateVerify*
    Finished                              ========>
    (generate application traffic key)
    Application data                      <########>  Application data

*: may not be present in all ciphersuites.
single line (---): plaintext flows, double line (===): encrypted flows (HS key), triple line (###): encrypted flows (AP key)

WireGuard VPN application/protocol

▶ A new, open-source VPN application/protocol
▶ Just around 4000 lines of kernel code as a module on Linux/FreeBSD, much smaller than OpenVPN
▶ High performance and power saving

Key features of the protocol
▶ Connectionless (UDP only)
▶ Curve25519 (an ECC curve) for key exchange (by ECDH)
▶ ChaCha20 for encryption
▶ Poly1305 for data authentication (by message authentication code)
▶ SipHash for hashtable keys
▶ BLAKE2s for hashing

Intrusion Detection System (IDS)

Firewall rules are basically policy-based
▶ What IP addresses/ports are allowed?
▶ What application content is allowed?

Requirements of IDS
▶ Do incoming/outgoing packets carry an intrusion?
▶ Are there suspicious activities on a system?

Types of IDS
▶ Network IDS (NIDS): deployed on the border of networks
▶ Host IDS (HIDS): deployed on a host

Detection and reaction in IDS

Table: Detection method

                Misuse                                    Anomaly
    Idea        See whether the traffic/log has known     See whether an anomaly occurs in the
                signs of misbehavior                      traffic/log (what is normal?)
    Method by   Manually crafted rules                    Statistical approach or machine learning
    Pros        Can find known misbehavior efficiently    Can detect unknown or complicated misbehavior
    Cons        Ineffective for new misbehavior           Probably many false positives
                (false negative)

Reaction to misbehavior
▶ Log alerts or packets
▶ Block packets, processes or activities (known as Intrusion Prevention System, IPS)
▶ Detection or prevention?

General flow of NIDS

Packet capture from the network -> Packet decoding / Preprocessing* / Protocol parsing -> Detection engine -> Detection output

*preprocessing: packet reassembly, connection state tracking, etc.

Suricata NIDS

Features
▶ Open-source network intrusion detection/prevention system
▶ Network security monitoring
▶ Offline PCAP file analysis
▶ Support TCP session tracking and target-based packet reassembly
▶ A lot of protocol parsers
▶ Rule-based detection, but also support Lua scripting and IP reputation
▶ Support many logging formats
▶ Support multi-threading

Suricata rules

Example

    alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Clydesdale Bank Phish 2020-12-30";
        flow:established,to_server; http.method; content:"POST"; http.request_body;
        content:"uzername="; depth:9; nocase; fast_pattern; content:"&ip="; nocase; distance:0;
        content:"&ua="; nocase; distance:0; content:"&password="; nocase; distance:0;
        classtype:credential-theft; sid:2031468; rev:2;
        metadata:created_at 2020_12_30, former_category PHISHING, updated_at 2020_12_30;)

source: rules.emergingthreats.net/open/suricata-5.0/emerging-all.rules

Principle of rule design
▶ Should be generalized enough to describe as many exploits for a vulnerability as possible, rather than a specific exploit (i.e., hard to evade).

Zeek NIDS

Features
▶ Fully passive traffic analysis off a network tap or monitoring port (good for network security monitoring)
▶ Cluster support for large-scale deployments
▶ Unified management framework for operating both standalone and cluster setups
▶ A lot of protocol parsers
▶ Scripting language with an event-based programming model
▶ Powerful tracking and managing of network state over time
▶ Comprehensive logging of activity for offline analysis and forensics

Zeek scripts

Example

    event http_request(c: connection, method: string, original_URI: string,
                       unescaped_URI: string, version: string) &priority=5
    {
        if ( ! c?$http_state )
        {
            local s: State;
            c$http_state = s;
            Conn::register_removal_hook(c, finalize_http);
        }

        ++c$http_state$current_request;
        set_state(c, T);

        c$http$method = method;
        c$http$uri = unescaped_URI;

        if ( method !in http_methods )
            Reporter::conn_weird("unknown_HTTP_method", c, method);
    }

OSSEC HIDS

Features
▶ Scalable, multi-platform, open-source HIDS
▶ Actively monitor and analyze data from multiple log sources in real time
▶ Process- and file-level analysis to detect malicious applications and rootkits
▶ Respond to attacks and changes on the system in real time
▶ Application- and system-level auditing for compliance with common standards such as PCI-DSS
▶ Detect changes of files and registry settings on the system. Also maintain a forensic copy of the data as it changes over time.
▶ Collect system information, such as installed software, hardware, utilization, network services and listeners

Detection by signatures

▶ Generally implemented by deep packet inspection (DPI)
▶ Involve protocol parsing and multiple string matching, compared with longest prefix matching on routers and multi-field classification on firewalls
▶ Representation of signatures: fixed string vs. regular expression, usually along with contextual info such as within certain protocol fields
▶ Types of regular expression
  • Basic regular expression: .at matches any three-character string ending with "at".
  • Extended regular expression: [hc]?at matches "at", "hat", and "cat".
  • Perl compatible regular expression: \d+\.\d+\.\d+\.\d+ matches four runs of one or more digits divided by three separate dots.
▶ Common signature-matching algorithm: Aho-Corasick algorithm (based on a finite automaton)

Aho-Corasick algorithm

To match {hers, his, she}, set up a deterministic finite automaton (DFA).

▶ Implement a transition table and a failure function
▶ Given the current state and one input character, get the next state
▶ Failure function: the next state to go to if the input is not in the transition table

[Figure: DFA for {hers, his, she} with states 0-9. Transitions: 0 -h-> 1 -e-> 2 -r-> 8 -s-> 9 (hers); 1 -i-> 6 -s-> 7 (his); 0 -s-> 3 -h-> 4 -e-> 5 (she); any character not in {h, s} keeps the automaton in state 0.]

During match: state transition in the DFA.

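The automaton on the slide, built and run in Python, as an added example that is not the course's code: the trie (goto function) and failure function are constructed for {hers, his, she}, resolved into a full transition table (one next state per state and character, as a signature engine would store it), and then a scan takes exactly one table lookup per input byte. The alphabet is restricted to the characters of the patterns; anything else returns to state 0.

```python
"""Aho-Corasick matching for the slide's pattern set {hers, his, she}."""
from collections import deque


class AhoCorasick:
    def __init__(self, patterns):
        self.alphabet = sorted(set("".join(patterns)))
        self.goto = [{}]        # goto[state] = {char: next_state}, the trie edges
        self.fail = [0]         # failure function
        self.output = [set()]   # patterns recognised on reaching each state
        for p in patterns:
            self._insert(p)
        self._build_failure()
        self.table = self._build_dfa()

    def _new_state(self):
        self.goto.append({})
        self.fail.append(0)
        self.output.append(set())
        return len(self.goto) - 1

    def _insert(self, pattern):
        s = 0
        for ch in pattern:
            if ch not in self.goto[s]:
                self.goto[s][ch] = self._new_state()
            s = self.goto[s][ch]
        self.output[s].add(pattern)

    def _build_failure(self):
        # Breadth-first: depth-1 states fail to the root (already 0); deeper
        # states follow the parent's failure chain until some state has the edge.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                self.output[s] |= self.output[self.fail[s]]   # e.g. "she" also ends "he"
                queue.append(s)

    def _build_dfa(self):
        """Resolve failure links ahead of time: table[state][char] -> next state."""
        table = [{} for _ in self.goto]
        queue = deque([0])
        while queue:                      # BFS, so table[fail[s]] is complete before s
            s = queue.popleft()
            for ch in self.alphabet:
                if ch in self.goto[s]:
                    table[s][ch] = self.goto[s][ch]
                    queue.append(self.goto[s][ch])
                elif s == 0:
                    table[s][ch] = 0      # the not-{h,s} self-loop on the slide
                else:
                    table[s][ch] = table[self.fail[s]][ch]
        return table

    def search(self, text):
        """Return sorted (start_index, pattern) pairs, one table lookup per character."""
        s, hits = 0, []
        for i, ch in enumerate(text):
            s = self.table[s].get(ch, 0)  # characters outside the alphabet reset to 0
            for p in self.output[s]:
                hits.append((i - len(p) + 1, p))
        return sorted(hits)

    def table_entries(self):
        """Cells in the uncompressed transition table: states x alphabet size."""
        return sum(len(row) for row in self.table)


def build_slide_automaton():
    return AhoCorasick(["hers", "his", "she"])
```

The uncompressed table has 10 states x 5 characters = 50 cells for this tiny set; the memory concern raised on the next slide is that real signature sets have thousands of patterns over a 256-byte alphabet.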

Aho-Corasick algorithm (cont.)

Advantages
▶ Deterministic linear execution time (no matter how many strings are to be matched simultaneously)
▶ Support of regular expressions (a mapping between regular expression and DFA exists)

Disadvantages
▶ Consumes a lot of memory space if the data structure of the transition table is not compressed. (How to compress? Non-deterministic FA (NFA)?)
▶ A large transition table cannot fit into the CPU cache (slower execution).
▶ Looks up only one character at a time (what if looking up multiple characters at a time?)

Detection by machine learning

Advantage: good for detecting attacks that cannot be easily or precisely described by signatures.

Types of machine learning
  supervised learning: learn from a set of data that contains both the samples and their labels
  unsupervised learning: identify commonalities in unlabeled samples and group them into clusters.
  reinforcement learning: take actions in an environment to maximize the cumulative reward

Machine learning models

artificial neural network, decision tree, support vector machine (SVM), Bayesian networks, random forest, etc.

Concept of neural network

[Figure: a feed-forward neural network. Input layer x_0, x_1, ..., x_D; 1st hidden layer y^(1)_0, y^(1)_1, ..., y^(1)_{m^(1)}; ...; Lth hidden layer y^(L)_0, y^(L)_1, ..., y^(L)_{m^(L)}; output layer y^(L+1)_1, y^(L+1)_2, ..., y^(L+1)_C.]

Accuracy in the detection

Class in the detection
▶ Positive: the target to be detected is claimed or existent
▶ Negative: the target to be detected is not claimed or existent
▶ Target: intrusion, malware, spam, phishing mail, etc.

    Total population                     Actual class
                                Positive              Negative
    Predicted    Positive       True positive (TP)    False positive (FP)
    class        Negative       False negative (FN)   True negative (TN)

Errors in the detection: FP and FN


False positive vs. False negative


Performance measurement

▶ Precision = TP / (TP + FP)
▶ Recall = TP / (TP + FN), also called sensitivity
▶ Specificity = TN / (FP + TN)
▶ False-positive rate = FP / (FP + TN)
▶ False-negative rate = FN / (TP + FN)
▶ F-measure = 2 * precision * recall / (precision + recall), i.e., the harmonic mean of precision and recall

Watch out for the balance of positive and negative samples.

Receiver operating characteristic (ROC) curve

[Figure: ROC space. Source: Indon, derivative work: Kai walz (talk), ROC space.png, CC BY-SA 3.0, commons.wikimedia.org/w/index.php?curid=8326140]

Multi-threading in Suricata

Suricata supports four thread modules and three runmodes.

Thread modules: (1) packet acquisition (PAQ), (2) decode and stream application layer, (3) detection, (4) output

Runmodes
  Single: single-threaded mode
  AutoFP: the task of processing a packet is pipelined into multiple stages. Each thread handles one stage, and there is at least one thread in a stage.
  Workers: multiple workers, each of which single-handedly processes the packets it acquires (i.e., each thread runs all thread modules).

AutoFP mode vs. Workers mode

AutoFP mode
    Core 0: PAQ, STREAM, DETECT, OUTPUT
    Core 1: DECODE, DETECT, OUTPUT
    Core 2: DETECT, OUTPUT
    Core 3: PAQ, STREAM, DETECT

Workers mode
    Core 0: PAQ, DECODE, STREAM, DETECT, OUTPUT
    Core 1: PAQ, DECODE, STREAM, DETECT, OUTPUT
    Core 2: (no modules shown)
    Core 3: (no modules shown)

source: Performance Characterization of Suricata's Thread Models, xbu.me/article/performance-characterization-of-suricata-thread-models

100Gb/s monitoring solution

[Figure] Functions of Arista 7504: (1) aggregate the inputs of the optical taps from the Internet connections, (2) create a 10G Link Aggregation Group (LAG) of that aggregated traffic to pass to the 7150 device.

source: 100G Intrusion Detection, commons.lbl.gov/display/cpp/100G+Intrusion+Detection

NIDS evasion

Definition: an attacker modifies the attacks to evade NIDS detection, while keeping the effectiveness of the attacks.

Methods of evasion
▶ Making the attacks low-profile
▶ Denial-of-service (DoS) attack on the NIDS
▶ Splitting packets into smaller ones
▶ Overlapped fragments or TCP segments
▶ Time-to-live (TTL) manipulation
▶ Content mutation with equivalent semantics
▶ Input or poison attacks on adversarial learning

Evasion by denial-of-service (DoS) attacks

DoS attacks
▶ Leverage a bug of the IDS to make the NIDS crash (note that the inspected packets are inputs to the NIDS)
▶ Algorithmic complexity attacks

Example of algorithmic complexity attacks

Consider the following rule and algorithm:

    alert tcp $EXT_NET any -> $HOME_NET 99 (msg:"AudioPlayer Jukebox exploit";
        content:"fmt=";                     // P1
        pcre:"/^(mp3|ogg)/", relative;      // P2
        content:"player=";                  // P3
        pcre:"/^(.exe|.com)/", relative;    // P4
        content:"overflow";                 // P5
        sid:5678)

Evasion by algorithmic complexity attack

Algorithmic complexity: O(n^k), where n is the payload length and k is the number of predicates.

Evasion by packet splitting

Remember IP fragmentation and TCP segmentation?

[Figure: the bad guy sends fragment 1 "cat /etc" and fragment 2 "/shadow" through the NIDS to the protected server; inspected one at a time, each fragment looks normal to the NIDS.]

Complexity of reassembly
▶ Buffer IP fragments/TCP segments in memory and track the offsets.
▶ Track a number of TCP connection states.
▶ Overlapped IP fragments/TCP segments (interpreted differently on different systems).

Tools for packet splitting

Tool: fragroute
  Synopsis: fragroute [-f file] host
  Description: fragroute intercepts, modifies, and rewrites egress traffic destined for the specified host
  Usage:
    ▶ Configure ip_frag size or tcp_seg size in the rule set (in file) to fragment or segment packets to size.
    ▶ Configure ip_ttl ttl to set the IP time-to-live value of every packet to ttl.
    ▶ Configure order random|reverse to re-order the packets in the queue randomly, or in reverse.

Tools for packet splitting (cont.)

Tool: fragrouter
  Synopsis: fragrouter [ -i interface ] [ -p ] [ -g hop ] [ -G hopcount ] ATTACK
  Description: Fragrouter is a program for routing network traffic in such a way as to elude most network intrusion detection systems.
  Usage:
    ▶ -F1 (in ATTACK): Send data in ordered 8-byte IP fragments.
    ▶ -F3: Send data in ordered 8-byte IP fragments, with one fragment sent out of order.
    ▶ -T1: Complete TCP handshake, send fake FIN and RST (with bad checksums) before sending data in ordered 1-byte segments.

Overlapped fragments or TCP segments

Six fragments arrive in the order 1 to 6 and overlap as follows:

    Offset:   0  1  2  3  4  5  6  7  8  9 10 11
    Frag 1:   1  1  1
    Frag 2:               2  2
    Frag 3:                     3  3  3
    Frag 4:      4  4  4  4
    Frag 5:                     5  5  5
    Frag 6:                              6  6  6

    Reassembled using policy: First (Windows, SUN, MacOS, HPUX)
        1 1 1 4 2 2 3 3 3 6 6 6
    Reassembled using policy: Last/RFC791 (Cisco)
        1 4 4 4 4 2 5 5 5 6 6 6
    Reassembled using policy: Linux (Linux)
        1 1 1 4 4 2 5 5 5 6 6 6
    Reassembled using policy: BSD (AIX, FreeBSD, HPUX, VMS)
        1 1 1 4 4 2 3 3 3 6 6 6
    Reassembled using policy: BSD-Right (HP Jet Direct)
        1 4 4 4 2 2 5 5 5 6 6 6

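The five reassembly policies of the slide as code, an added Python example that is not part of the course material. The fragment layout (id, first offset, length) is read off the figure above; the policy names and the operating systems in the comments are the slide's. A NIDS that wants to see what the protected host sees has to pick the target's policy, and when candidate policies disagree the overlap itself is a signal worth alerting on.

```python
"""Target-based reassembly of overlapping fragments, reproducing the slide's table."""

# Fragment layout from the slide's figure: (fragment id, first offset, length); list order == arrival order.
FRAGMENTS = [(1, 0, 3), (2, 4, 2), (3, 6, 3), (4, 1, 4), (5, 6, 3), (6, 9, 3)]

POLICIES = ("first", "last", "linux", "bsd", "bsd-right")


def original_wins(policy, orig_offset, new_offset):
    """Does a byte already held by an earlier fragment survive a later overlapping one?"""
    if policy == "first":        # Windows, SUN, MacOS, HPUX: earlier data always wins
        return True
    if policy == "last":         # Cisco, RFC 791: later data always wins
        return False
    if policy == "linux":        # earlier wins only if it begins strictly before the later one
        return orig_offset < new_offset
    if policy == "bsd":          # AIX, FreeBSD, HPUX, VMS: earlier wins if it begins at or before
        return orig_offset <= new_offset
    if policy == "bsd-right":    # HP Jet Direct: the mirror image of bsd
        return orig_offset > new_offset
    raise ValueError(f"unknown policy {policy!r}")


def reassemble(fragments, policy):
    """Return the owning fragment id per byte, in the slide's notation ('-' marks a hole)."""
    size = max(off + length for _, off, length in fragments)
    owner = [None] * size                    # (fragment id, fragment offset) per byte
    for fid, off, length in fragments:       # process in arrival order
        for pos in range(off, off + length):
            held = owner[pos]
            if held is None or not original_wins(policy, held[1], off):
                owner[pos] = (fid, off)
    return " ".join(str(o[0]) if o else "-" for o in owner)


def reassemble_all(fragments):
    return {policy: reassemble(fragments, policy) for policy in POLICIES}


def ambiguous(fragments):
    """True when the policies disagree on the data: an overlap a NIDS should flag."""
    return len(set(reassemble_all(fragments).values())) > 1


# The five rows printed on the slide, used as the expected result.
SLIDE_RESULTS = {
    "first":     "1 1 1 4 2 2 3 3 3 6 6 6",
    "last":      "1 4 4 4 4 2 5 5 5 6 6 6",
    "linux":     "1 1 1 4 4 2 5 5 5 6 6 6",
    "bsd":       "1 1 1 4 4 2 3 3 3 6 6 6",
    "bsd-right": "1 4 4 4 2 2 5 5 5 6 6 6",
}
```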


Time-to-live (TTL) manipulation


Evasion by content mutation

Content mutation for Web attacks

Possible mutations of GET /cgi-bin/broken.cgi
▶ GET /%63%67%69%2d%62%69%6e/broken.cgi
▶ GET /xyz/../cgi-bin/./broken.cgi
▶ GET /CGI-BIN/broken.cgi
▶ GET /cgi-bin\broken.cgi
▶ GET%<tab>/cgi-bin/broken.cgi<tab>HTTP/1.0

Many more encoding methods, e.g., double encoding, which further encodes % as %25.

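What an HTTP preprocessor does with these mutations before the detection engine sees them, as an added Python example that is not the course's code: every request target is canonicalised (bounded percent-decoding so double encoding converges, backslashes folded, ./ and ../ resolved, case folded), and a single signature on /cgi-bin/broken.cgi then matches all of the slide's variants. The request lines are constructed; the tab-separated one stands in for the slide's last bullet.

```python
"""Canonicalising HTTP request targets before signature matching."""
import posixpath
import re
from urllib.parse import unquote

TARGET = "/cgi-bin/broken.cgi"

# Constructed request lines covering the mutations listed on the slide.
MUTATED_REQUESTS = [
    "GET /cgi-bin/broken.cgi HTTP/1.0",
    "GET /%63%67%69%2d%62%69%6e/broken.cgi HTTP/1.0",                # percent (hex) encoding
    "GET /xyz/../cgi-bin/./broken.cgi HTTP/1.0",                      # traversal noise
    "GET /CGI-BIN/broken.cgi HTTP/1.0",                              # case change
    "GET /cgi-bin\\broken.cgi HTTP/1.0",                             # backslash separator
    "GET\t/cgi-bin/broken.cgi\tHTTP/1.0",                            # tab instead of space
    "GET /%2563%2567%2569%252d%2562%2569%256e/broken.cgi HTTP/1.0",  # double encoding
]


def split_request_line(line):
    """Accept tabs and runs of whitespace as separators; return (method, target)."""
    parts = re.split(r"[ \t]+", line.strip())
    if len(parts) < 2:
        raise ValueError(f"malformed request line: {line!r}")
    return parts[0], parts[1]


def canonical_path(target, max_decode_rounds=2):
    """Canonical form of a request target's path component.

    Percent-decoding is repeated a bounded number of times (so %25-style double
    encoding converges but a hostile input cannot loop forever), backslashes are
    folded to '/', ./ and ../ are resolved, and the result is lower-cased, which is
    appropriate when the protected server treats paths case-insensitively.
    """
    path = target.split("?", 1)[0]            # the query string is normalised separately
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    path = posixpath.normpath(path)           # /xyz/../cgi-bin/./broken.cgi -> /cgi-bin/broken.cgi
    if not path.startswith("/"):
        path = "/" + path
    return path.lower()


def hits_target(request_line, target=TARGET):
    """Would a single signature on `target` fire for this request line?"""
    _method, raw_target = split_request_line(request_line)
    return canonical_path(raw_target) == target


def classify(requests):
    return [hits_target(r) for r in requests]
```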

Evasion by content mutation (cont.)

Content mutation for exploit code
▶ XOR encoding
▶ BASE64 encoding
▶ Packing (compression, encryption, etc.)
▶ Polymorphism (relying on a mutation engine to change the encoded content in each exploit)
▶ Metamorphism (modifying binary code to a logically equivalent version)

Mutation for evading an IDS classifier

[Figure] In the high-dimensional feature space,
▶ small solid circles: benign features
▶ crosses: malicious features
▶ triangles: adversarial features

source: Han et al., "Evaluating and Improving Adversarial Robustness of Machine Learning-Based Network Intrusion Detectors," https://arxiv.org/abs/2005.07519, 2020.

YARA: pattern matching tool for virus scanning

YARA
▶ A tool to create descriptions of malware families based on textual or binary patterns
▶ Each description, a.k.a. rule, consists of a set of strings and a boolean expression which determines its logic.

Example of descriptions

    rule silent_banker : banker
    {
        meta:
            description = "This is just an example"
            threat_level = 3
            in_the_wild = true

        strings:
            $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
            $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
            $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

        condition:
            $a or $b or $c
    }

YARA modules

▶ PE/ELF: to create more fine-grained rules for PE/ELF files by using attributes and features of the PE file format
▶ Cuckoo: to create YARA rules based on behavioral information generated by Cuckoo sandbox
▶ Magic: to identify the type of the file based on the output of the file command
▶ Hash: to calculate hashes (MD5, SHA1, SHA256) from portions of your file and create signatures based on those hashes
▶ Math: to calculate certain values from portions of your file and create signatures based on those results
▶ Dotnet: to create more fine-grained rules for .NET files by using attributes and features of the .NET file format
▶ Time: to use temporal conditions in your YARA rules

SpamAssassin

An anti-spam platform giving system administrators a filter to classify email and block spam (unsolicited bulk email). Mostly rule-based, but also supports Bayesian learning.

An example of a detection rule

    sub check_for_forged_gmail_received_headers {
        my ($self, $pms) = @_;
        use constant GOOGLE_MESSAGE_STATE_LENGTH_MIN => 60;
        use constant GOOGLE_SMTP_SOURCE_LENGTH_MIN => 60;

        my $from = $pms->get('From:addr');
        if ($from !~ /\bgmail\.com$/i) { return 0; }

        my $xgms = $pms->get('X-Gm-Message-State');
        my $xss = $pms->get('X-Google-Smtp-Source');
        my $xreceived = $pms->get('X-Received');
        my $received = $pms->get('Received');

        if ($xreceived =~ /by 10\.\S+ with SMTP id \S+/) { return 0; }
        if ($xreceived =~ /by 2002\:a\d\d\:\w+\:\S+ with SMTP id \S+/) { return 0; }
        if ($received =~ /by smtp\.googlemail\.com with ESMTPSA id \S+/) {
            return 0;
        }
        if ( (length($xgms) >= GOOGLE_MESSAGE_STATE_LENGTH_MIN) &&
             (length($xss) >= GOOGLE_SMTP_SOURCE_LENGTH_MIN)) {
            return 0;
        }
        return 1;
    }


Web Application Firewall (WAF)

Purpose: to protect web servers/applications from external attacks

▶ OWASP top-10 list, e.g., SQL injection

▶ User authentication and access control

▶ Denial-of-service (DoS) attacks

▶ Hide details of web servers

▶ Stop web scraping

▶ Data leak prevention

▶ Vulnerability assessment

▶ Auditing and logs


Exercises

1. Follow the instructions to download and install the Zeek package: Zeek installation
2. Run Zeek to analyze the pcap file 2009-M57-day11-18.pcap.
3. According to the output logs, write scripts to tell
   • What are the top 10 most active originator hosts?
   • What are the top 10 most visited hosts in HTTP?
   • What are the top 10 most queried names in DNS?
   • What are the top 10 most frequent pairs of hosts in conn.log?
   • What are the top 10 most popular user agents in HTTP?

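One way to answer the five questions from Zeek's ASCII logs, as an added Python example that is not part of the course material: a minimal parser for Zeek's tab-separated log format (the #fields header names the columns, '-' marks an unset value) and a top-N counter over conn.log, http.log and dns.log fields. The log lines below are constructed and are not taken from 2009-M57-day11-18.pcap.

```python
"""Top-N summaries from Zeek TSV logs, as asked for in the exercise."""
from collections import Counter

# Constructed Zeek log excerpts (only the columns needed here are kept).
CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\n"
    "1258531221.48\tC1\t192.168.1.10\t49152\t10.0.0.5\t80\ttcp\thttp\n"
    "1258531222.10\tC2\t192.168.1.10\t49153\t10.0.0.5\t80\ttcp\thttp\n"
    "1258531223.55\tC3\t192.168.1.11\t53000\t10.0.0.53\t53\tudp\tdns\n"
    "1258531224.00\tC4\t192.168.1.10\t49154\t10.0.0.7\t443\ttcp\tssl\n"
    "1258531225.31\tC5\t192.168.1.12\t40000\t10.0.0.5\t80\ttcp\t-\n"
    "#close\t2009-11-18-10-00-00\n"
)
HTTP_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\thost\turi\tuser_agent\n"
    "1258531221.50\tC1\t192.168.1.10\t10.0.0.5\twww.example.com\t/\tMozilla/4.0 (compatible; MSIE 7.0)\n"
    "1258531222.12\tC2\t192.168.1.10\t10.0.0.5\twww.example.com\t/index.html\tMozilla/4.0 (compatible; MSIE 7.0)\n"
    "1258531225.40\tC5\t192.168.1.12\t10.0.0.5\tupdates.example.net\t/u\t-\n"
)
DNS_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tquery\tqtype_name\n"
    "1258531223.56\tC3\t192.168.1.11\t10.0.0.53\twww.example.com\tA\n"
    "1258531223.90\tC3\t192.168.1.11\t10.0.0.53\twww.example.com\tA\n"
    "1258531226.01\tC6\t192.168.1.12\t10.0.0.53\tupdates.example.net\tA\n"
)


def parse_zeek_log(text):
    """Return a list of dict rows; column names come from the #fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue                           # #separator, #types, #close, blank lines
        else:
            if fields is None:
                raise ValueError("data line before #fields header")
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def top_n(rows, keys, n=10):
    """Count the value (or tuple of values) of the given field(s); unset '-' is skipped."""
    counts = Counter()
    for row in rows:
        value = tuple(row[k] for k in keys)
        if "-" in value:
            continue
        counts[value if len(keys) > 1 else value[0]] += 1
    return counts.most_common(n)


def exercise_answers():
    conn = parse_zeek_log(CONN_LOG)
    http = parse_zeek_log(HTTP_LOG)
    dns = parse_zeek_log(DNS_LOG)
    return {
        "originators": top_n(conn, ["id.orig_h"]),
        "http_hosts": top_n(http, ["host"]),
        "dns_names": top_n(dns, ["query"]),
        "host_pairs": top_n(conn, ["id.orig_h", "id.resp_h"]),
        "user_agents": top_n(http, ["user_agent"]),
    }
```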