An Evasive Attack on SNORT Flowbits

Tung Tran, University of Waterloo, Waterloo, Canada, t3tran@uwaterloo.ca
Issam Aib, University of Waterloo, Waterloo, Canada, issamaib@gmail.com
Ehab Al-Shaer, Univ. North Carolina, Charlotte, NC, ealshaer@uncc.edu
Raouf Boutaba, University of Waterloo, Waterloo, Canada, rboutaba@uwaterloo.ca

2012 IEEE Network Operations and Management Symposium (NOMS)

Abstract. The support of stateful signatures is an important feature of signature-based Network Intrusion Detection Systems (NIDSs) which permits the detection of multi-stage attacks. However, because it is difficult to completely simulate every application protocol, several NIDS evasion techniques exploit this Achilles heel, making the NIDS and its protected system see and interpret a packet sequence differently. In this paper, we propose an evasion technique against the Snort NIDS which exploits its flowbits feature. We specify the flowbit evasion attack, provide practical algorithms to solve it with controllable false positives, and formally prove their correctness and completeness. We implemented a tool called SFET which can automatically parse a Snort rule set, generate all possible sequences that can evade it, and produce a patch to guard the rule set against those evasions. Although Snort was used for illustration, both the evasion attack and the solution to it are applicable to any stateful signature-based NIDS.

I. INTRODUCTION

Snort [12] is a popular open source and lightweight Network Intrusion Detection and Prevention System (NIDPS) [2]. It is mostly signature-based and famous for its intrusion detection capabilities that match packet content against a set of rules. Snort supports a flexible and rich rule language which allows users to inspect all fields of a packet. The flowbits option was first introduced in Snort 2.1.1 and allows the detection engine to track state across a single TCP session. The support of stateful signatures allows a signature-based IDS to detect multi-stage attacks. Because of its importance, this feature is sometimes separately implemented for specific services [21].

A flowbit is essentially a flag that can be set by some rule and then used by another one. The option works by using labels to set and change the session state. Formally, it has the syntax flowbits:[[un]set|is[not]set|reset|noalert][,<label>]. Table I lists two flowbit rules taken from Bleeding Edge [1], which track an FTP session. We will illustrate the essence of our evasion technique using this simple rule set.

TABLE I. EXAMPLE OF A SNORT FLOWBITS RULE SET

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP USER login flowbit"; flow:established,to_server; content:"USER"; nocase; flowbits:set,login; flowbits:noalert;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP HP-UX LIST command without login"; flow:established,to_server; content:"LIST"; nocase; flowbits:isnotset,login;)

The first rule checks if a user tries to log in to the FTP server, in which case it sets the flowbit login and no alert is raised (noalert flowbit). The second rule raises an alert (absence of a noalert flowbit) if the user issues the LIST command. However, this happens only if the user has not logged in yet, i.e. the label login is not set. This rule set can detect someone using the LIST command without prior login into the server. However, an unauthorized attacker can always try to log in and then use the command even though the login was not granted. The rule set makes Snort treat any login attempt as successful and hence allows the command. This is an example where a NIDS misjudges the application protocol session and the evasion succeeds (no alert is raised).

In this paper, actual session refers to the application protocol session being protected, and actual session state refers to the state of that application protocol session. Snort session denotes an internal representative session (of the application protocol) maintained by Snort, and session state represents the collective value of each flowbit of the rule set (ref. Def. 1 below). The in-Snort session state is supposed to reflect the actual session state. However, the large number and complexity of existing protocols and the continuous appearance of new ones make it generally impossible to completely simulate actual session states in Snort, for obvious performance and storage reasons. The evasion attack we identify in this paper exploits this practical inevitability. Although it is illustrated for Snort flowbit rule sets, our evasion can be applied to any NIDS supporting stateful signatures.

II. RELATED WORK

Several attacks on IDSes have been identified in the literature. Ptacek and Newsham [11] were the first to bring up a way to evade a NIDS by using TCP segmentation and IP fragmentation, and FragRoute is the tool created to carry out these evasion techniques. A NIDS needs to carry out TCP segment and IP fragment reassembly to defend against these evasion techniques. [6] describes a different solution to stateful IDS evasion that relies on an extended version of the IDS state transition diagram. Handley and Paxson [5][10] discussed evasion techniques based on inherent ambiguities of the TCP/IP protocol which lead to a difference between a NIDS and its protected system in performing TCP segment and IP fragment reassembly. Traffic normalization, suggested by Handley et al. [5], tries to remove these ambiguities by patching the packet stream. Another solution to this is Active Mapping, which was proposed by Shankar and Paxson [16]; it eliminates TCP/IP-based ambiguity in a NIDS analysis with minimal runtime cost and is implemented in the Stream5 [9] preprocessor of Snort.

Besides NIDS evasion techniques, there are attacks on NIDSs as well. Wagner and Soto [23] revealed mimicry attacks on a host-based IDS. Snot [18], Stick [4], IDSWakeup [15] and Mucus [8] are over-stimulation tools that cause a DOS attack on Snort by trying to overload Snort with alerts from mutated packets constructed from Snort rules. Another DOS attack on a NIDS comes from the algorithmic complexity issue [3][17]; in particular the authors in [17] presented a highly effective attack against Snort and provided a practical algorithmic solution that successfully thwarts the attack.

Related to signature (rule) testing and evaluation, Vigna et al. [22] introduced a mechanism that generates a large number of variations of an exploit by applying mutant operators to an exploit template. These mutant exploits are then run against a victim host protected by a NIDS. The results of the systems in detecting these variations provide a quantitative basis for the evaluation of the quality of the corresponding detection model. Mucus [8] is also a testing tool for Snort rules, using matching packets with random data in the packet fields not considered by a given rule. Rubin et al. [14] observed that different attack instances can be derived from each other using simple transformations. TCP and application-level transformations are modeled as inference rules in a natural-deduction system. Starting from an exemplary attack instance, they used an inference engine to automatically generate all possible instances derived by a set of rules. They created AGENT, a tool capable of both generating attack instances for NIDS testing and determining whether a given sequence of packets is an attack. However, our attack is not an instance generated by AGENT, assuming that the rule set represents the original exemplary attack instance. Our attack is neither a TCP nor an application-level transformation. Existing evasion techniques can be used by our attack; however, these techniques only apply to injected packets which are not part of the actual session.

Although our paper only deals with Snort rules, which are mainly manually written by users, automatically generated semantic-aware signatures [24] or session signatures [13] are also potentially vulnerable to our identified attack. In order to avoid false positives, these generated signatures must consider innocent paths (or sequences) which are not attack instances. Our attack exploits these innocent paths and tries to convince Snort that the actual session is following one of them.

III. SNORT FLOWBIT EVASION

Let S = …, …, … be a Snort flowbit rule set. We define a rule that raises an alert when triggered (i.e. has no noalert flowbit) as a target rule, and the target rule set as the set of all target rules in a rule set. The evasion problem consists of finding all possible packet sequences that successfully attack the service protected by S yet manage not to trigger any target rule of S. It can also be defined on a target rule group, which is a subset of the target rule set containing rules having the same match options except the flowbits conditions.

Definition 1 (Session state): It represents the group of flowbits (labels) that are currently set (during a runtime session). If … is the number of flowbits used in the rule set, then there are potentially … different in-Snort session states. It is a target state if the flowbit set it represents corresponds to the condition of a target rule; otherwise it is called a non-target state. A target packet is a packet that matches any target rule and is presumably the last packet in the packet sequence of a real attack.

A flowbit rule is evadable if it can be triggered by the attacker to change an in-Snort session state while preserving the actual session state. An evadable rule can be triggered by two different kinds of packets: a packet (from the connection session) that triggers the rule and correctly reflects what Snort thinks about the session, and a packet that is not supposed to trigger the rule and makes Snort misjudge the session. Given a rule …, let … represent the first kind of packets, called normal packets, and … represent the second kind, called evasion packets. Evasion packets cause a change in the in-Snort session state (by …), but have no effect on the actual session state.

A packet sequence is considered a successful evasion attack if, right before the target packet is sent, the packet sequence puts the actual session in one of the target states and puts the in-Snort session in one of the non-target states. We can assume that, when the actual session is in one of the target states and the in-Snort session is in one of the non-target states, the attacker will always trigger the sending of the corresponding target packet. As a result, the problem can be redefined as finding all possible packet sequences that put the actual session in a target state and the in-Snort session in a non-target state.

IV. LANGUAGE OF ALL FLOWBITS EVASIONS

A Deterministic Finite State Automaton (DFA) representation of a flowbits rule set can be derived using a mapping from session states. Alg. 1 constructs the in-Snort (…) and actual (…) session state DFAs of a rule set S. As can be noticed, the two automata have the same alphabet, set of states, start state and set of accept states. The only difference is in the transition function, where … changes state for evasion packets (line 14) while … does not.

Algorithm 1 Construction of Snort (…) and Actual (…) Session DFAs
  Set of states: reachable session states constructed from the rule set
  Start state: the state where no label is set
  Accept states: all target states
  Alphabet: the normal packet … of every rule … that is not a target rule, and the evasion packet … of every rule … that is evadable and not a target rule
  Transition function:
  for all non-target rule … do
    for all state A, state B do
      if … can be triggered at A then
        B <- output state of … when triggered from A
        add (A, …) -> B to both … and …
        if … is evadable then
          add (A, …) -> B to …    (the in-Snort DFA changes state on the evasion packet)
          add (A, …) -> A to …    (the actual session DFA does not)
        end if
      end if
    end for
  end for

Let … be the languages corresponding to … respectively. While … represents all packet sequences that Snort thinks put the session in a target state, … represents all possible packet sequences that truly put the session in a target state. The goal is then to find all possible packet sequences that truly put the session in a target state but do not do so in Snort. These packet sequences must hence be accepted by … and rejected by …. In other words, these packet sequences are accepted by both … . If we consider these packet sequences as a language, say …, then:

Lemma 1 (Language of all flowbits evasions): … is the language of all packet sequences that successfully attack
the service protected by a rule set S using flowbits evasion.

V. TRIGGERING SNORT WITHOUT AFFECTING ACTUAL STATE

A. Packet-based property of Snort

Snort is a packet-based NIDS and most packets it receives are checked by the detection engine. This feature allows the creation of evasion packets. One method is to construct a packet that matches a given rule but carries an out-of-order TCP sequence number. This packet is not processed by the receiver's application layer but is still examined by the Snort detection engine (and then triggers the rule). Snort, with the stream5 preprocessor enabled, knows that the packet does not have the expected sequence number for the session stream and is overlapping with a previous packet (assuming that this previous packet has some payload). In this case, Snort does exactly as the protected host: it does not reassemble this packet into the session stream. However, the packet is still passed down to the detection engine because the packet may match some TCP-based attacks where the sequence number is not important (e.g. Nmap [7] uses TCP packets with random sequence numbers to probe a host's OS). Hence, it is always possible to construct a packet (with an out-of-order TCP sequence number) that fakes a request from the client and to inject it into the connection session. Therefore, any Snort flowbit rule matching traffic from the client side can be triggered without causing the actual session state to change. This was tested with Snort 2.9.1 [20], the newest version at this time.

B. Loose rules

We say that a flowbit rule is loose if it does not match packets using tight options like … or offset. A loose rule can wrongly explain the intention of a packet if the packet just happens to match the rule but logically does something else. Moreover, it is possible to create or trigger the sending of such a packet. The packet can even be created from the connection session itself. Depending on the service protocol, an attacker may be able to make a request from the client side that matches a loose rule while logically doing something else than what the rule expects. For example, consider a loose rule that checks if a user currently in an FTP session is trying to quit the session by examining client-side packets containing QUIT in their payload. The attacker can make a request to create a directory named QUIT, which happens to put QUIT in the packet payload and causes Snort to misjudge the session.

It is harder to evasively trigger a loose rule matching traffic from the server side than from the client side, because traffic from the server side is not always controllable by the attacker. However, when dealing with interactive protocols, there are many tricks the attacker can use to cause the server to send a packet containing desired strings and so trigger the rule. Consider a rule which checks for any packet from the server in a telnet session containing the string Granted in the payload. The attacker can issue an invalid command containing Granted. The server will send back an unknown command error message, which happens to contain the string Granted, and hence triggers the rule. Another trick is to create a folder named Granted and then try to list all the folders.

VI. EXAMPLE OF A FLOWBITS EVASION

The rule set in Table II follows an FTP session and raises an alert if a non-admin user tries to do anything related to an important file whose access is restricted to administrators only. For simplicity, we show only the msg and the flowbits options in a rule. The msg option denotes the purpose of a rule. … determine if a non-admin user is logging in. … indicates that the user is denied login. … indicates that the user has successfully logged in. … indicates that the user has logged out of the FTP session, and … checks if the logged-in user tries to do anything with a restricted file and raises an alert. Only … is a target rule. Theoretically, any rule is evadable, but in this example, for simplicity, we assume that only … is. This means that the attacker can come up with a way to trigger … without affecting the actual session state. He can accomplish this in many different ways, which are discussed in Section V.

TABLE II. FLOWBITS RULE SET TO DETECT A NON-ADMIN USER ACCESSING A RESTRICTED FILE FROM AN …

1. msg:"FTP Non-admin User Login Attempt - Send user"; flowbits:set,nalu; flowbits:noalert;
2. msg:"FTP Non-admin User Login Attempt - Send password"; flowbits:isset,nalu; flowbits:set,nalp;
3. msg:"FTP login denied"; flowbits:isnotset,nauld; flowbits:isset,nalu; flowbits:isset,nalp; flowbits:unset,nalu; flowbits:unset,nalp; flowbits:noalert;
4. msg:"FTP login granted"; flowbits:isset,nalp; flowbits:set,nauld; flowbits:noalert;
5. msg:"FTP user exits"; content:"QUIT"; nocase; flowbits:isset,nauld; flowbits:unset,nauld; flowbits:unset,nalu; flowbits:unset,nalp; flowbits:noalert;
6. msg:"Non-admin User accesses restricted file"; flowbits:isset,nauld;

Three labels are used in this rule set, leading to eight possible states. However, only four of these are reachable, including the start state (no label set): A = {}, B = {nalu}, C = {nalu, nalp} and D = {nalu, nalp, nauld}. The in-Snort DFA and the actual session state DFA are depicted in Fig. 1 and Fig. 2. The intersection of … and … is constructed in Fig. 3, where (A,A) is the start state and (D,A), (D,B) and (D,C) are accept states. The language corresponding to this DFA represents all possible packet sequences that successfully attack the FTP server. For example, … is a successful evasive packet sequence accepted by this DFA.

Fig. 1. In-Snort session state DFA of the FTP rule set (figure not reproduced)
Fig. 2. Actual session state DFA of the FTP rule set (figure not reproduced)

The attacker can apply this packet sequence to perform a real attack as follows. First, the attacker logs in as a normal (non-admin) user with a correct username and password. This action needs … to be sent from the attacker and leads to the sending of … from the server to indicate that the user is successfully authorized. The next step the attacker needs to take is to cause the sending of …. There are two options to create …. The first is to manually construct and inject into the connection a packet that matches … but has an out-of-order sequence number. The second is to send a packet that matches … but logically does something else than exiting the session as Snort thinks. The attacker can create a directory named QUIT, which makes Snort misjudge the session and think that the user has logged out. After that, the attacker can download or access the restricted file at the server. This last action does not trigger the target rule and the evasion succeeds.
Algorithm 2 flowbits Rectify_small(Target Rule Group …)
  let … be the flowbits evasion DFA for target rule group …
  for all accept state … of … do
    remove outgoing transitions of …
  end for
  … <- the set of all simple paths from the start state of … to an accept state
  for all simple path … in …, where … is the signature (or an evasion) of rule … do
    Create a new flowbits rule set …
    let … be a flowbits label that is set by default
    for each packet … of the path do
      Create flowbits label …
      Add to … the rule consisting of:
        flowbits:isset,…; flowbits:set,…; flowbits:noalert;
        all options in … in the original rule set (header and body) except the flowbits options
    end for
    // target rule
    Create flowbits label …
    let … be a target rule in …
    Add to … the rule consisting of:
      flowbits:isset,…; flowbits:set,…;
      all options in … in the original rule set (header and body) except the flowbits options
  end for

VII. FLOWBITS EVASION RECTIFICATION

A. Solution for small rule sets

We can consider … as a directed graph. Theoretically, we need to add a rule set to detect each path from the start state to an accept state, which we call an evasion path. Fortunately, it is enough to consider only simple evasion paths, where a simple path is a path with no cycles. This is because rules added to detect all simple evasion paths can actually detect all evasion paths. Moreover, it is sufficient to consider only subset paths over all simple paths. Alg. 2 details this procedure. The translation of a simple path into a rule set is given in lines 12-19, with the target rule in lines 21-27. For example, the set of

Fig. 3. Flowbits evasion DFA (intersection) of the FTP rule set (figure not reproduced)
Fig. 4. Simple evasion path (figure not reproduced)

simple paths SP collected from … of Fig. 3 has one simple path (after removing subset paths), as shown in Fig. 4. There are five rules added for this simple path, as shown in Table III.

TABLE III. RULES ADDED FOR THE SIMPLE PATH IN FIG. 4

1. flowbits:set,…; flowbits:noalert;
2. flowbits:isset,…; flowbits:set,…; flowbits:noalert;
3. flowbits:isset,…; flowbits:set,…; flowbits:noalert;
4. flowbits:isset,…; flowbits:set,…; flowbits:noalert;
5. flowbits:isset,…

The fact that Alg. 2 searches for all simple paths to target states (line 5) gives it an exponential worst-case time complexity. Hence, Alg. 2 is only suitable for rule sets of a small size. In the evaluation, the computational limit is quickly reached for rule sets of size …. In the following, we present a different solution that is feasible for both small and large rule sets.

B. Solution for large rule sets

For large rule sets, we will use Thm. 1 below (proof in …).

Definition 2 (Vulnerable Rule): It is an evadable rule that renders the rule set vulnerable (…) even if all other rules are not evadable.

Theorem 1: If a set of evadable rules makes the rule set vulnerable, then at least one of these evadable rules is vulnerable. (This theorem can be proven by contradiction.)

It follows that any evasion sequence needs to exploit at least one evadable rule, i.e., it contains at least one evasion packet. Hence, the idea is to behave in a pessimistic way and set a flag whenever an evadable rule is triggered. If Snort sees a target packet while the flag is set, it raises an alert. Interestingly, Thm. 1 tells us that we only need to do this with vulnerable rules. Alg. 3 starts by determining the set of vulnerable rules (lines 4-10). Next, it patches every destination state of a vulnerable rule by setting the flag (line 19). Once a vulnerable rule has been triggered, an alert is raised on encountering a signature belonging to a target rule regardless of the flowbits state (lines 15-16). This pessimistic approach comes at a performance cost. However, it brings the benefit of a polynomial complexity, which is an important scalability enhancement over Alg. 2.

Algorithm 3 flowbits Rectify_Large(Target Rule Group …)
  … <- … corresponding to …
  // Find vulnerable rules of …
  … <- {}    // set of vulnerable rules
  for all non-target rule … in rule set S do
    … <- …, where … is the only evadable rule
    if … has a reachable accept state then
      … <- … union {…}
    end if
  end for
  if … is not empty then
    create new label …
    Add new rule consisting of:
      flowbits:isset,…;    // the flowbits condition
      all header and body options in a target rule of … except flowbits
    for all … in … do
      Add to … flowbits:set,…
    end for
  end if

Considering the rule set of Table II and assuming all rules are evadable, the first step of the algorithm (lines 1-9) indicates that only rules … are vulnerable (note that Fig. 3 is the … created assuming only … is vulnerable). … are modified by inserting the flowbits option …; … is the added rule and all other rules are the same. Table IV shows the modified and added rules to patch the rule set.

TABLE IV. MODIFIED AND ADDED RULES USING THE LARGE RULE SETS APPROACH

flowbits:isnotset,nauld; flowbits:isset,nalu; flowbits:isset,nalp; flowbits:unset,nalu; flowbits:unset,nalp; flowbits:set,…; flowbits:noalert;
flowbits:isset,nauld; flowbits:unset,nauld; flowbits:unset,nalu; flowbits:unset,nalp; flowbits:set,…; flowbits:…
msg:"Normal User accesses important file"; flowbits:isset,…

We can formally prove that both Alg. 2 and Alg. 3 are complete (rule set semantics preserved) and sound (they fully eliminate the flowbits evasion).

Figures 5-10 (plots, not reproduced; captions only):
Fig. 5. Vulnerable and safe rule sets percentage when SFET is run in the cautious mode
Fig. 6. Average overhead to patch small rule sets
Fig. 7. Average overhead from the false positives control patch (for small and large rule sets)
Fig. 8. Average false positives rate caused by the small rule set solution
Fig. 9. Average false positives rate caused by the large rule set solution
Fig. 10. Average false negatives rate for the small and large rule set solutions

C. False positives control

Even though the approach used for large rule sets also works for small rule sets, it potentially causes more false positives. While the latter only raises an alert if a complete evasion sequence is seen, the former does so for important packets in an evasion sequence alone. However, the overhead caused by the latter is larger. In order to avoid false positives, Snort needs to consider session packets beyond a target state (in the patched rule set). These can give clues about who is running the session. If a target packet is encountered right
away, it is most likely an attack. Otherwise, if the following packets continue triggering normal transitions in … as normal users do, it becomes more and more probable that it is a benign session. Hence, the more session packets are considered afterward, the more accurate the decision becomes. In order to determine all possible actions a normal user might take after Snort is put into a target state, we need to know all the states in … after an evasion sequence has been identified (for the small rule set solution) or after a vulnerable rule is triggered (for the large rule set solution). Then all possible actions of a normal user are equivalent to all paths starting from any of these states. As a result, we can create rules corresponding to these paths to control the false positives rate caused by the patched rule set.

There is always a tradeoff between vulnerability and false positives. A patched rule set (whether from the small or the large rule set algorithm) has zero false negatives yet potentially a lot of false positives. On the other hand, a non-patched vulnerable rule set has no false positives (with regard to flowbit evasion). The false positives control patch makes the rule set vulnerable again, because a smart attacker can always send packets corresponding to all possible actions a normal user might take before sending the target packet. However, this false positives control patch is useful when missing a few evasions is better than having too many false positives. Let L be the length of actions (or path length) Snort considers after it is put into a target state to decide whether the session is run by a normal user or not. The tradeoff we have is that the shorter the L we use, the fewer false positives we obtain, but the more false negatives we might cause.

VIII. IMPLEMENTATION AND EVALUATION

We developed a program called SFET (Snort Flowbits Evasion Tool) to parse a rule set, check if the rule set is vulnerable to the proposed attack, generate the corresponding … (or evasion sequences) and patch the rule set accordingly depending on its size and the number of evasion sequences. SFET can be run in 3 modes: specified mode, automatic mode and cautious mode. In the specified mode, SFET allows users to specify which rule is evadable and which rule is a target rule. In the automatic mode, SFET itself decides the possibility of a rule being evadable based on the rule's matching options (like content options and the traffic direction the rule matches) and chooses rules with no … as target rules. Lastly, in the cautious mode, SFET assumes all rules in a rule set are evadable. A rule set is considered vulnerable if there exists an evasion sequence for any chosen target rule.

We collected publicly available rule sets (mostly from Bleeding Edge [1] and SourceFire [19]). About 60% of the rules using flowbits match traffic coming from the client's side (presumably from the attacker's side), hence these rules are considered evadable. All together (considering different rule options as well), about 68% of the rules using flowbits are determined by SFET to be evadable. In addition, about 6% and 4% of the 400 rule sets (using flowbits) are detected as vulnerable to the proposed attack when SFET is run in the cautious mode and the automatic mode respectively. When running SFET in the specified mode with some chosen rule sets (where we know exactly which rule is evadable), all evasion sequences generated by SFET can be converted to a real attack (this is not true for the other modes). Even though large rule sets (the number of rules …) make up only 20% of the considered rule sets, they are more susceptible to the attack than small rule sets. While 10% of large rule sets are vulnerable to the attack, only 5% of small rule sets are vulnerable. This is shown in Fig. 5.

When applying the proposed solution to small vulnerable rule sets, the number of added rules is on average triple the number of rules in the rule set (for both automatic and cautious modes). Fig. 6 shows the average number of added rules for each rule set size (note: we did not find any vulnerable rule set of size …). For large vulnerable rule sets, the number of modified rules is the same as the number of vulnerable rules. Even though some large rule sets have many evadable rules, on average only 10% of ev adable rules are vulnerable. In addition, the number of added rules for each large rule set is at most the number of target rules in the rule set. The average number of added rules is only 3.5 for both automatic and cautious modes. We applied the false positives control patch for different values of L. On average, the number of rules added to control false positives increases exponentially as L increases (as expected); this is shown in Fig. 7.

To measure the false positives caused by our patches, we ran Snort with vulnerable rule sets and generated traffic according to their DFAs. To be more accurate, we generated traffic with both normal and evasion packets. However, we set the rate of evasion packets to be small (anywhere from 1% to 5%). A false positive occurs when the patched rule set raises an alert on a benign packet sequence (one that is not an evasion sequence and on which the original rule set does not raise an alert). Fig. 8 shows the average false positives rate for the small rule set solution. We see that patched rule sets of smaller size tend to have more false positives than those of bigger size. Besides, rule sets of size 2 or 3 have a high average false positives rate because their DFAs are small and there is no significant difference between the number of evasion sequences and the number of normal sequences. However, when the false positives rate is high, the false positives control
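As an added worked example (not SFET's code nor any code from the paper), the session-state DFAs of Section IV and the vulnerable-rule test and patch of Alg. 3 applied to the FTP rule set of Table II; the rule names R1..R6, the flag label evaded and the Snort-side semantics stated in the docstring are my assumptions.

```python
"""Session-state DFAs of Section IV and the vulnerable-rule test of Alg. 3,
applied to the FTP rule set of Table II.  Added example, not SFET's code.
Rule names R1..R6 and the label 'evaded' are mine (the paper's symbols are
lost in extraction); the labels nalu/nalp/nauld are those of Table II.
Assumed semantics: the actual session only accepts a packet where its rule
is triggerable (Alg. 1); Snort ignores a packet whose flowbits conditions fail."""
from collections import deque

# Table II reduced to each rule's flowbits options; only R6 raises an alert.
RULES = {
    "R1": dict(isset=(), isnotset=(), set=("nalu",), unset=(), target=False),          # USER (non-admin)
    "R2": dict(isset=("nalu",), isnotset=(), set=("nalp",), unset=(), target=False),   # PASS
    "R3": dict(isset=("nalu", "nalp"), isnotset=("nauld",), set=(),
               unset=("nalu", "nalp"), target=False),                                  # login denied
    "R4": dict(isset=("nalp",), isnotset=(), set=("nauld",), unset=(), target=False),  # login granted
    "R5": dict(isset=("nauld",), isnotset=(), set=(),
               unset=("nauld", "nalu", "nalp"), target=False),                         # QUIT
    "R6": dict(isset=("nauld",), isnotset=(), set=(), unset=(), target=True),          # restricted file
}

def triggerable(rule, state):
    """The flowbits:isset / isnotset conditions of `rule` hold in `state`."""
    return (all(l in state for l in rule["isset"])
            and not any(l in state for l in rule["isnotset"]))

def step(rule, state):
    """Output state after the flowbits:set / unset actions of `rule` (Alg. 1)."""
    return frozenset((set(state) | set(rule["set"])) - set(rule["unset"]))

def is_target(rules, state):
    # A target state satisfies the flowbits condition of some target rule.
    return any(r["target"] and triggerable(r, state) for r in rules.values())

def evasion_sequence(rules, evadable):
    """Breadth-first search of the product of the in-Snort and actual DFAs.
    Returns the first packet sequence (R5' = evasion packet of R5) that puts the
    actual session in a target state while Snort is in a non-target one, or None."""
    start = (frozenset(), frozenset())            # (snort_state, actual_state)
    parent = {start: None}
    queue = deque([start])
    while queue:
        pair = queue.popleft()
        snort, actual = pair
        if is_target(rules, actual) and not is_target(rules, snort):
            seq = []
            while parent[pair] is not None:
                pair, sym = parent[pair]
                seq.append(sym)
            return seq[::-1]
        for name, rule in rules.items():
            if rule["target"] or not triggerable(rule, actual):
                continue                           # the target packet ends a sequence
            snort_next = step(rule, snort) if triggerable(rule, snort) else snort
            moves = [(name, (snort_next, step(rule, actual)))]
            if name in evadable:                   # Snort moves, the real session does not
                moves.append((name + "'", (snort_next, actual)))
            for sym, nxt in moves:
                if nxt not in parent:
                    parent[nxt] = (pair, sym)
                    queue.append(nxt)
    return None

def vulnerable_rules(rules):
    """Alg. 3, first half: a non-target rule is vulnerable (Def. 2) when the
    rule set can be evaded with that rule as the only evadable one."""
    return [n for n, r in rules.items()
            if not r["target"] and evasion_sequence(rules, {n}) is not None]

def rectify_large(rules, flag="evaded"):
    """Alg. 3, second half: every vulnerable rule additionally sets `flag`,
    and for each target rule a copy is added that alerts whenever `flag` is
    set, whatever the other flowbits say.  Returns the patched rule set."""
    patched = {n: dict(r) for n, r in rules.items()}
    for n in vulnerable_rules(rules):
        patched[n]["set"] = patched[n]["set"] + (flag,)
    for n, r in rules.items():
        if r["target"]:
            patched[n + "_" + flag] = dict(isset=(flag,), isnotset=(), set=(), unset=(), target=True)
    return patched
```

On Table II the search returns R1 R2 R4 R5' when only R5 is evadable, reports R3 and R5 as the vulnerable rules (the two rules modified in Table IV), and finds no evasion of the patched set even with every non-target rule evadable.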