"Mimicry Attacks on Host-Based Intrusion Detection Systems" by David Wagner and Paolo Soto, ACM CCS 2002

* Seung's Summary:

In this paper, the authors propose a type of attack called a mimicry attack, targeted at host-based anomaly detection IDSes. A mimicry attack is a malicious sequence of events (system calls, audit events, or anything used for IDS detection) hiding under innocent-looking sequences. Since anomaly detection IDSes accumulate knowledge about the "normal" behavior of the system by collecting information on "normal" sequences of events, then try to detect abnormal events by monitoring for a sequence of events that does not match the profile, a successful mimicry attack disguises itself as those normal sequences while having the same effect on the system. The most noticeable technique presented in the paper is "nullified" events, which, in this particular example, are system calls that have no side effects on the system's behavior. In their experiments, they used a system-call-trace-based IDS and showed that they could use "nullified" system calls as semantic no-ops to disguise a malicious sequence as harmless events. Their theoretical framework is based on fairly simple automata theory. They take the automaton of a given finite state machine, the normal set of system calls, and a malicious sequence, and try to find a set of sequences that is functionally equivalent to the original malicious sequence but satisfies the normal profile. While they only tested a single exploit on a single application on a single system, their empirical experience section was convincing enough and fun to read. :) Their conclusions are: the discovery of potential mimicry attacks using their FSM technique, a suggestion to IDS researchers that they should worry about evasion attacks, and another suggestion that anomaly-based IDSes should use more than just the trace of system calls or other such simplified information.
* Partial List of Discussion Topics:

1) What do you think about the usefulness of IDSes in general?
2) What do you think about signature-based / anomaly-detection IDSes?
3) These system-call-trace-based approaches: do you buy that?
4) Can we come up with any way to detect mimicry attacks or make it harder to mount them?
5) What do you think about a paper that only describes an attack?

* Suvda's Pros:

1) The authors make realistic assumptions in terms of what the attackers can do and what information is available to them. They assume that:
   a) The attacker knows how the IDS works; they have the algorithms available for study.
   b) The attacker knows the contents of the database of normal behavior.
   c) The attacker can silently take control of the application without being detected. Thus the paper focuses on detecting the harmful effects of attacks instead of the penetration into the system.
2) The main contribution of this paper to the intrusion detection community is showing that an IDS based solely on system calls is ineffective because of no-op operations and attacks that do not involve system calls. Some other methods must be used along with system call traces. For example, critical system files should be protected with checksums.
3) The paper points out suggestions for IDS designers to avoid common pitfalls:
   a) Examine the parameters passed to system calls, because usually attackers try to gain more access rights to files than necessary for a particular program.
   b) Examine the return values of system calls, because attackers use system calls with invalid parameters as no-op operations, and these no-ops usually return errors.

* Greg (koenig@uiuc.edu)'s Pros:

1) The paper examines a "real issue" in that Intrusion Detection Systems are in practical use. Although the authors constrain themselves to anomaly detection IDSes (vs. signature-based systems), it seems possible that anomaly detection systems could see more use in the future.
2) The paper presents a well-formed theoretical framework for the method of attack that the authors describe. By using formal language theory, the authors clearly yet succinctly support their position, yet the computer science background necessary to understand the paper is simple enough that an undergraduate can follow the discussion.
3) The authors make a more constraining assumption about the adversary's abilities when they assume that an adversary can completely control and modify a penetrated application's actions. While in practice an adversary may not be able to achieve this goal, the authors' assumption is important.
4) The method of attack described by the authors is open-ended in that it can be used to accomplish essentially any end on the penetrated system. (Contrast this with Denial of Service attacks, which are currently receiving some amount of discussion and yet have limited impact on a target.)
5) Perhaps the paper's most important contribution is that it promotes a new way of thinking about how to attack certain types of Intrusion Detection Systems. As the authors say in Section 8, "...we recommend that all future published work proposing new IDS designs include a detailed analysis of the proposal's security against evasion attacks. Even if this type of vulnerability cannot be completely countered through clever design, it seems worthwhile to evaluate carefully the risks."

* Chris's Cons:

1) They give a way to defeat an IDS, but offer no suggestions on how an IDS (either that one, or any one) could prevent such a sequence, or why an IDS can't prevent it.
2) They discuss the workings of only one IDS - the only one that has fully available source code - but not even the high-level approaches of other IDSes. It just seems that there's something that is being left out or not talked about, though I can't put my finger on it because I don't know much about these systems.
3) The 'shortcomings' they describe in Section 6 cover my other complaints (and they add a few to those): a single exploit on a single machine on a single operating system and configuration. The problem of sneaking past an IDS becomes a lot harder when you're pitted against a system that has most of the easy holes taken out of it (as you'd expect a system to be if it's going to have an IDS and owners/administrators that really care about its level of security).

* Jalal's Cons:

1) The findings of the paper are not really surprising. IDS technology is known to be immature and unstable.
2) Some assumptions are too strict. For instance, isn't it a serious IDS failure by itself if an attacker manages to take full control of an application without setting off any alarms? Also, the assumptions of attackers knowing the implementation details of the IDS in question and the unacceptable execution sequences are too much in many cases, particularly when the authors claim that they were able to analyze pH only because it was the only system with source code available.
3) Some of the attacks introduced can be thwarted by an IDS that discards no-ops and does some basic argument checking and error-code checking.
4) The modeling presented in the paper only works for naive IDS systems whose implementations are based on finite automata (e.g. pH). The assumption that A and M are regular expressions will not hold in cases where: (1) we have attackers who are trying to do more complicated things, and (2) we have sophisticated IDSes (e.g. IDSes which deploy machine learning, neural networks, or data mining techniques).
5) The paper makes broad generalizations about host-based IDSes based on the specific experiments on pH only.
6) The paper does not suggest concrete remedies or countermeasures for the vulnerabilities found. *But* maybe this is because the remedies are really the missing links of IDS technology.

* Vote Result:

Strong Accept - 1
Weak Accept - 12
Weak Reject - 6
Strong Reject - 0
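As an added illustration of the "nullified" no-op technique in Seung's summary and of the argument/return-value checks Suvda and Jalal mention (example code written for these notes, not code from the paper or from pH), here is a toy window-based profile over constructed system-call traces: a detector that sees only call names accepts the padded trace, while one that keys on whether each call succeeded, or that drops failed calls before matching, still flags it.

```python
WINDOW = 3
# Constructed training traces for a hypothetical file-serving daemon:
# (syscall, return value) pairs; a negative return value means the call failed.
NORMAL_TRACES = [
    [("open", 3), ("read", 512), ("close", 0)],
    [("open", 3), ("read", 512), ("read", 0), ("close", 0)],
    [("open", 3), ("read", 512), ("write", 512), ("close", 0)],
]

def windows(symbols, n=WINDOW):
    """All length-n windows of a symbol sequence, as a set of tuples."""
    return {tuple(symbols[i:i + n]) for i in range(len(symbols) - n + 1)}

def build_profile(traces, keyfn):
    """Normal profile: every window seen in training after mapping events with keyfn."""
    profile = set()
    for trace in traces:
        profile |= windows([keyfn(ev) for ev in trace])
    return profile

def anomalies(trace, keyfn, profile):
    """Windows of trace never seen in training (empty set means the IDS accepts it)."""
    return windows([keyfn(ev) for ev in trace]) - profile

def name_only(ev):            # detector A: call names only, as in the paper's target IDS
    return ev[0]

def name_and_status(ev):      # detector B: call name plus success/failure of the call
    return (ev[0], "ok" if ev[1] >= 0 else "err")

def drop_failed(trace):       # detector C: discard failed (no-op) calls before matching
    return [ev for ev in trace if ev[1] >= 0]

# Constructed malicious effect: write to a file the daemon never writes.
RAW_ATTACK = [("open", 4), ("write", 64), ("close", 0)]
# Same effect with a read() on a bad descriptor (fails, no side effect) inserted so
# the name sequence is built only from windows that occur in training.
MIMICRY = [("open", 4), ("read", -1), ("write", 64), ("close", 0)]

def evaluate():
    """Number of anomalous windows each detector reports per trace."""
    prof_a = build_profile(NORMAL_TRACES, name_only)
    prof_b = build_profile(NORMAL_TRACES, name_and_status)
    return {
        "A_raw": len(anomalies(RAW_ATTACK, name_only, prof_a)),              # 1: flagged
        "A_mimicry": len(anomalies(MIMICRY, name_only, prof_a)),             # 0: evaded
        "B_mimicry": len(anomalies(MIMICRY, name_and_status, prof_b)),       # 2: flagged
        "C_mimicry": len(anomalies(drop_failed(MIMICRY), name_only, prof_a)),  # 1: flagged
    }
```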