Jun 17, 2010

Approaches to Detecting Evasion

When an attacker uses an evasion technique, he is altering traffic so that it cannot be detected by a security product such as a Network IPS. To accomplish this, the traffic is run through a tool which manipulates the data stream and modifies it using a pre-determined pattern – similar to an encoder. Thus, to detect the attack, a network IPS needs to do the same in reverse – in essence, decode the data stream.

Alternatively, an IPS can drop traffic that appears to have been altered (e.g. fragmented or segmented) under the assumption that it is bad. Unfortunately, this is not the case much of the time since legitimate network traffic comes in all shapes and sizes. Thus, when vendors elect to drop such traffic instead of normalizing / decoding it and inspecting the content, they drop legitimate traffic. Knowing this, we have found that multiple vendors turn off those anti-evasion protections by default. This is a problem.
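As an added illustration of the two policies just described (this is example code written for this page, not an NSS Labs tool or any vendor's implementation), the following toy normalizer reassembles a segmented byte stream and then inspects it for a signature, alongside the naive "drop anything that arrived in pieces" rule. The segment data, the signature string and the first-received-wins overlap policy are all constructed assumptions for the example; a real IPS has to choose a reassembly policy that matches the destination host's behaviour.

```python
"""Toy stream normalizer: reassemble segmented payloads, then inspect.

Compares two IPS policies: dropping any stream that arrives in more than
one segment (which also drops legitimate segmented traffic) versus
normalizing the stream first and inspecting the reassembled content.
All segments and the signature below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Segment:
    offset: int    # byte offset of this segment within the stream
    data: bytes


# Hypothetical content signature the inspector looks for after normalization.
SIGNATURE = b"EVIL-PATTERN"


def reassemble(segments: List[Segment]) -> Optional[bytes]:
    """Rebuild a stream from out-of-order, possibly overlapping segments.

    Overlap policy (an assumption for this example): the first-received
    byte wins. Returns None when the stream still has a gap, so the caller
    knows it has not actually inspected the full content.
    """
    if not segments:
        return b""
    total = max(s.offset + len(s.data) for s in segments)
    buf = bytearray(total)
    filled = bytearray(total)          # 1 where a byte has been written
    for seg in segments:               # iterate in arrival order
        for i, byte in enumerate(seg.data):
            pos = seg.offset + i
            if not filled[pos]:
                buf[pos] = byte
                filled[pos] = 1
    if not all(filled):
        return None                    # gap: incomplete stream
    return bytes(buf)


def verdict_drop_if_segmented(segments: List[Segment]) -> str:
    """Naive policy: anything that did not arrive in one piece is treated as bad."""
    return "drop" if len(segments) > 1 else "allow"


def verdict_normalize_then_inspect(segments: List[Segment]) -> str:
    """Normalize first, then apply the signature to the decoded stream."""
    stream = reassemble(segments)
    if stream is None:
        return "hold"                  # cannot judge an incomplete stream yet
    return "drop" if SIGNATURE in stream else "allow"


# Constructed sample streams.
# 1) Ordinary HTTP request that happened to be delivered in two segments.
LEGIT_SEGMENTED = [Segment(0, b"GET /index"), Segment(10, b".html HTTP/1.1\r\n")]
# 2) Signature split across two out-of-order segments; only visible after reassembly.
SPLIT_SIGNATURE = [Segment(5, b"PATTERN"), Segment(0, b"EVIL-")]
# 3) Stream with a missing byte at offset 2; must not be declared clean.
GAPPED = [Segment(0, b"ab"), Segment(3, b"cd")]


if __name__ == "__main__":
    for name, segs in [("legit", LEGIT_SEGMENTED), ("split", SPLIT_SIGNATURE), ("gapped", GAPPED)]:
        print(f"{name:7s} drop-if-segmented={verdict_drop_if_segmented(segs):5s} "
              f"normalize-then-inspect={verdict_normalize_then_inspect(segs)}")
```

Run as a script, the naive policy drops the legitimate two-segment request (the false positive the post describes), while the normalizing policy allows it, catches the split signature, and holds rather than clears the stream with a gap.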

And this is why NSS Labs tests anti-evasion using vendor default settings.

Subsequent to our last IPS Group Test, NSS Labs found a loophole in our testing where multiple vendors enabled evasion detection that would block legitimate traffic. These evasion defenses would therefore never be deployed in the real world. We are therefore adding false positive testing for evasions to our upcoming IPS Group Test scheduled for Q3 2010.