Evading network anomaly detection systems: formal reasoning and practical techniques
Proceedings of the 13th ACM conference on Computer and communications security
Evaluation of collaborative worm containment on the DETER testbed
DETER Proceedings of the DETER Community Workshop on Cyber Security Experimentation and Test on DETER Community Workshop on Cyber Security Experimentation and Test 2007
Data sanitization: improving the forensic utility of anomaly detection systems
HotDep'07 Proceedings of the 3rd workshop on on Hot Topics in System Dependability
BotHunter: detecting malware infection through IDS-driven dialog correlation
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
A practical mimicry attack against powerful system-call monitors
Proceedings of the 2008 ACM symposium on Information, computer and communications security
Detecting energy-greedy anomalies and mobile malware variants
Proceedings of the 6th international conference on Mobile systems, applications, and services
A methodology for designing accurate anomaly detection systems
Proceedings of the 4th international IFIP/ACM Latin American conference on Networking
Sensing Attacks in Computers Networks with Hidden Markov Models
MLDM '07 Proceedings of the 5th international conference on Machine Learning and Data Mining in Pattern Recognition
Learning and Classification of Malware Behavior
DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Swarm Attacks against Network-Level Emulation/Analysis
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Vigilante: End-to-end containment of Internet worm epidemics
ACM Transactions on Computer Systems (TOCS)
Proceedings of the 15th ACM conference on Computer and communications security
Peer-to-peer system-based active worm attacks: Modeling, analysis and defense
Computer Communications
SS'08 Proceedings of the 17th conference on Security symposium
McPAD: A multiple classifier system for accurate payload-based anomaly detection
Computer Networks: The International Journal of Computer and Telecommunications Networking
Active and Semi-supervised Data Domain Description
ECML PKDD '09 Proceedings of the European Conference on Machine Learning and Knowledge Discovery in Databases: Part I
Active learning for network intrusion detection
Proceedings of the 2nd ACM workshop on Security and artificial intelligence
Exploiting dynamicity in graph-based traffic analysis: techniques and applications
Proceedings of the 5th international conference on Emerging networking experiments and technologies
Emulation-based detection of non-self-contained polymorphic shellcode
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Thwarting zero-day polymorphic worms with network-level length-based signature generation
IEEE/ACM Transactions on Networking (TON)
ICC'09 Proceedings of the 2009 IEEE international conference on Communications
Traffic classification using visual motifs: an empirical evaluation
Proceedings of the Seventh International Symposium on Visualization for Cyber Security
An empirical study of real-world polymorphic code injection attacks
LEET'09 Proceedings of the 2nd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
Effective and efficient malware detection at the end host
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
MILCOM'09 Proceedings of the 28th IEEE conference on Military communications
Machine learning in adversarial environments
Machine Learning
Mimimorphism: a new approach to binary code obfuscation
Proceedings of the 17th ACM conference on Computer and communications security
KIDS: keyed intrusion detection system
DIMVA'10 Proceedings of the 7th international conference on Detection of intrusions and malware, and vulnerability assessment
Graption: A graph-based P2P traffic classification framework for the internet backbone
Computer Networks: The International Journal of Computer and Telecommunications Networking
On detecting active worms with varying scan rate
Computer Communications
SHELLOS: enabling fast detection and forensic analysis of code injection attacks
SEC'11 Proceedings of the 20th USENIX conference on Security
Detecting malware domains at the upper DNS hierarchy
SEC'11 Proceedings of the 20th USENIX conference on Security
JACKSTRAWS: picking command and control connections from bot traffic
SEC'11 Proceedings of the 20th USENIX conference on Security
Frankenstein: stitching malware from benign binaries
WOOT'12 Proceedings of the 6th USENIX conference on Offensive Technologies
N-Gram against the machine: on the feasibility of the n-gram network analysis for binary protocols
RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses
BotFinder: finding bots in network traffic without deep packet inspection
Proceedings of the 8th international conference on Emerging networking experiments and technologies
Bot detection evasion: a case study on local-host alert correlation bot detection methods
Security and Communication Networks
Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues
Information Sciences: an International Journal
A static, packer-agnostic filter to detect similar malware samples
DIMVA'12 Proceedings of the 9th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Security analysis of online centroid anomaly detection
The Journal of Machine Learning Research
Detecting machine-morphed malware variants via engine attribution
Journal in Computer Virology
Toward supervised anomaly detection
Journal of Artificial Intelligence Research
A close look on n-grams in intrusion detection: anomaly detection vs. classification
Proceedings of the 2013 ACM workshop on Artificial intelligence and security
| Hi-index | 0.00 |
A very effective means to evade signature-based intrusion detection systems (IDS) is to employ polymorphic techniques to generate attack instances that do not share a fixed signature. Anomaly-based intrusion detection systems provide good defense because existing polymorphic techniques can make the attack instances look different from each other, but cannot make them look like normal. In this paper we introduce a new class of polymorphic attacks, called polymorphic blending attacks, that can effectively evade byte frequency-based network anomaly IDS by carefully matching the statistics of the mutated attack instances to the normal profiles. The proposed polymorphic blending attacks can be viewed as a subclass of the mimicry attacks. We take a systematic approach to the problem and formally describe the algorithms and steps required to carry out such attacks. We not only show that such attacks are feasible but also analyze the hardness of evasion under different circumstances. We present detailed techniques using PAYL, a byte frequency-based anomaly IDS, as a case study and demonstrate that these attacks are indeed feasible. We also provide some insight into possible countermeasures that can be used as defense.