Introduction to algorithms
Network security: private communication in a public world
Network security: private communication in a public world
Service specific anomaly detection for network intrusion detection
Proceedings of the 2002 ACM symposium on Applied computing
Mimicry attacks on host-based intrusion detection systems
Proceedings of the 9th ACM conference on Computer and communications security
Specification-based anomaly detection: a new approach for detecting network intrusions
Proceedings of the 9th ACM conference on Computer and communications security
STATL: an attack language for state-based intrusion detection
Journal of Computer Security
Anomaly Detection Using Call Stack Information
SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors
SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Anomaly detection of web-based attacks
Proceedings of the 10th ACM conference on Computer and communications security
Network traffic anomaly detection based on packet bytes
Proceedings of the 2003 ACM symposium on Applied computing
Testing network-based intrusion detection signatures using mutant exploits
Proceedings of the 11th ACM conference on Computer and communications security
Automatic Generation and Analysis of NIDS Attacks
ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Snort - Lightweight Intrusion Detection for Networks
LISA '99 Proceedings of the 13th USENIX conference on System administration
Language-Based Generation and Evaluation of NIDS Signatures
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Semantics-Aware Malware Detection
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Polygraph: Automatically Generating Signatures for Polymorphic Worms
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Fast and automated generation of attack signatures: a basis for building self-protecting servers
Proceedings of the 12th ACM conference on Computer and communications security
Can machine learning be secure?
ASIACCS '06 Proceedings of the 2006 ACM Symposium on Information, computer and communications security
Automating mimicry attacks using static binary analysis
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Accurate buffer overflow detection via abstract payload execution
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Polymorphic worm detection using structural information of executables
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Anomalous payload-based worm detection and signature generation
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
On the infeasibility of modeling polymorphic shellcode
Proceedings of the 14th ACM conference on Computer and communications security
Noninvasive Methods for Host Certification
ACM Transactions on Information and System Security (TISSEC)
Swarm Attacks against Network-Level Emulation/Analysis
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Open problems in the security of learning
Proceedings of the 1st ACM workshop on Workshop on AISec
A data damage tracking quarantine and recovery (DTQR) scheme for mission-critical database systems
Proceedings of the 12th International Conference on Extending Database Technology: Advances in Database Technology
McPAD: A multiple classifier system for accurate payload-based anomaly detection
Computer Networks: The International Journal of Computer and Telecommunications Networking
ANTIDOTE: understanding and defending against poisoning of anomaly detectors
Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference
Robust signatures for kernel data structures
Proceedings of the 16th ACM conference on Computer and communications security
A framework for quantitative security analysis of machine learning
Proceedings of the 2nd ACM workshop on Security and artificial intelligence
Adaptive Anomaly Detection via Self-calibration and Dynamic Updating
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Thwarting zero-day polymorphic worms with network-level length-based signature generation
IEEE/ACM Transactions on Networking (TON)
Mining frequent patterns from network flows for monitoring network
Expert Systems with Applications: An International Journal
Machine learning in adversarial environments
Machine Learning
Mimimorphism: a new approach to binary code obfuscation
Proceedings of the 17th ACM conference on Computer and communications security
KIDS: keyed intrusion detection system
DIMVA'10 Proceedings of the 7th international conference on Detection of intrusions and malware, and vulnerability assessment
Heap Taichi: exploiting memory allocation granularity in heap-spraying attacks
Proceedings of the 26th Annual Computer Security Applications Conference
Enhancing Intrusion Detection System with proximity information
International Journal of Security and Networks
A misleading attack against semi-supervised learning for intrusion detection
MDAI'10 Proceedings of the 7th international conference on Modeling decisions for artificial intelligence
Escape from monkey island: evading high-interaction honeyclients
DIMVA'11 Proceedings of the 8th international conference on Detection of intrusions and malware, and vulnerability assessment
JACKSTRAWS: picking command and control connections from bot traffic
SEC'11 Proceedings of the 20th USENIX conference on Security
Proceedings of the 4th ACM workshop on Security and artificial intelligence
Adversarial support vector machine learning
Proceedings of the 18th ACM SIGKDD international conference on Knowledge discovery and data mining
BotFinder: finding bots in network traffic without deep packet inspection
Proceedings of the 8th international conference on Emerging networking experiments and technologies
Sampling attack against active learning in adversarial environment
MDAI'12 Proceedings of the 9th international conference on Modeling Decisions for Artificial Intelligence
Security analysis of online centroid anomaly detection
The Journal of Machine Learning Research
Hi-index | 0.01 |
Attackers often try to evade an intrusion detection system (IDS) when launching their attacks. There have been several published studies in evasion attacks, some with available tools, in the research community as well as the "hackers'' community. Our recent empirical case study showed that some payload-based network anomaly detection systems can be evaded by a polymorphic blending attack (PBA). The main idea of a PBA is to create each polymorphic instance in such a way that the statistics of attack packet(s) match the normal traffic profile. In this paper, we present a formal framework for the open problem: given an anomaly detection system and an attack, can one automatically generate its PBA instances? We show that in general, generating a PBA that optimally matches the normal traffic profile is a hard problem (NP-complete). However, the problem of finding a PBA can be reduced to the SAT or ILP problems so that solvers available in those domains can be used to find a near-optimal solution. We also present a heuristic (hill-climbing) to find an approximate solution. Our framework can not only expose how the IDS can be exploited by a PBA but also suggest how the IDS can be improved to prevent the PBA. We have experimented with our framework using the PAYL 1-gram and 2-gram anomaly detection system, and the results have validated our framework.