Abstract
Anomaly based intrusion detection has been held out as the best (perhaps only) hope for detecting previously unknown exploits. We examine two anomaly detectors based on the analysis of sequences of system calls and demonstrate that the general information hiding paradigm applies in this area also. Given even a fairly restrictive definition of normal behavior, we were able to devise versions of several exploits that escape detection. This is done in several ways: by modifying the exploit so that its manifestations match “normal,” by making a serious attack have the manifestations of a less serious but similar attack, and by making the attack look like an entirely different attack. We speculate that similar attacks are possible against other anomaly based IDS and that the results have implications for other areas of information hiding.
This view is clearly enunciated by Dorothy Denning [1] who said:
The model is based on the hypothesis that exploitation of a system’s vulnerabilities involves abnormal use of the system; therefore, security violations could be detected from abnormal patterns of system usage. ...
Similar, though often less clear, statements appear in many recent papers.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Denning, D. E.: An intrusion detection model. IEEE Transactions on Software Engineering SE-13 (1987) 222–232 1, 3
Tan, K.M.C., Maxion, R.A.: “Why 6?” Defining the operational limits of stide, an anomaly–based intrusion detector. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy, Oakland, CA (2002) 2, 5
Forrest, S., Hofmeyr, S.A., Somayaji, A., Longsta., T.A.: A sense of self for unix processes. In: Proceedings 1996 IEEE Symposium on Security and Privacy, Los Alamitos, CA, IEEE Computer Society Press (1996) 2, 4, 5
Provos, N.: Steganography press information. On line report of work performed at the University of Michigan Center for Information Technology Integration (2002) Observed at http://www.citi.umich.edu/projects/steganography/faq.html as of 4 february 2002 2
Provos, N., Honeyman, P.: Detecting steganographic content on the internet. In: ISOC NDSS’02, San Diego, CA (2002) 2
Anderson, J.P.: Computer security threat monitoring and surveillance. Technical report, James P. Anderson Co., Fort Washington, PA (1980) Available online at http://seclab.cs.ucdavis.edu/projects/history/CD/ande80.pdf 3
Warrender, C., Forrest, S., Pearlmutter, B.: Detecting intrusions using system calls: Alternative data models. In: Proceedings of the 1999 IEEE Symposium on Security and Privacy, Oakland, CA (1999) 133–145 4, 5, 7
Maxion, R.A., Tan, K.M.C.: Anomaly detection in embedded systems. IEEE Transactions on Computers 51 (2002) 108–120 5
Pop, S., Card, R.: Restore(8) system manager’s manual. Included in dump version 0.4b13 software package (2000) 8
Troan, E., Brows, P.: Tmpwatch(8). Included in tmpwatch version 2.2 software package (2000) 9
Yurchenko, A.Y.: Tmpwatch arbitrary command execution vulnerability. Internet–http://www.securityfocus.com/bid/1785 (2000) bugtraq id 1785 9, 13
Jaconson, V.: Traceroute(8). Included in traceroute version 1.4a5 software package (1997) 10
Kaempf, M.: Lbnl traceroute heap corruption vulnerability (2000) bugtraq id 1739 11
Wagner, D., Soto, P.: Mimicry attacks on host–based intrusion detection systems. In: 9th ACM Conference on Computer and Communications Security. (2002) To Appear 14
Tan, K. M., Killourhy, K. S., Maxion, R.A.: Undermining an anomaly–based intrusion detection system using common exploits. In Wespi, A., Vigna, G., Deri, L., eds.: 5th International Symposium, RAID 2002. Number 2516 in LNCS, Zurich, Switzerland, Springer (2002) 54–73 14
Lee, W., Xiang, D.: ‘Information–theoretic measures for anomaly detection’. In: Proceedings of the 2001 IEEE Symposium on Security and Privacy, Oakland, CA, IEEE Computer Society Press, Los Alamitos, CA (2001) 130–143 16
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2003 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Tan, K., McHugh, J., Killourhy, K. (2003). Hiding Intrusions: From the Abnormal to the Normal and Beyond. In: Petitcolas, F.A.P. (eds) Information Hiding. IH 2002. Lecture Notes in Computer Science, vol 2578. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36415-3_1
Download citation
DOI: https://doi.org/10.1007/3-540-36415-3_1
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-00421-9
Online ISBN: 978-3-540-36415-3
eBook Packages: Springer Book Archive