IPS Countermeasures Fight Obfuscation, Evasion

Before the advent of intrusion detection systems (IDS) and intrusion prevention systems (IPS), firewalls served as the primary technology to help organizations block unwanted traffic. With application-layer protocols lacking detection, attackers were able to disguise malicious traffic and remotely exploit applications. To stop these kinds of attacks, the security industry created IPS/IDS technologies to detect these attacks and block connections before any exploitation could occur.

Since the introduction of IPS, attackers have tried to find new ways to evade detections by these systems. One technique is fragmentation: The data that is normally sent in the channel is fragmented and is reconstructed only at the receiver’s end. It is possible to add the malicious traffic as part of the data that gets fragmented. When the data is reconstructed at the receiver, it can exploit the targeted application. Such fragmentation techniques could be applied in various protocols of the application layer.

The focus of IPS vendors recently is to address these issues and also stay ahead of attackers in spite of their obfuscation techniques. These evasions continued to evolve as attackers attacked application-layer protocols. By parsing client application-layer data, IPS can identify any payload that is injected and reduce the number of attacks.

The high number of attacks that the security industry has witnessed in the last few years shows the sophistication involved in writing the exploit code (malware, malicious scripts). Attackers reverse-engineer the workings of IPS detection mechanisms and develop attacks that fully understand the security application, and that take advantage of its features. Evasion has become a key strategy for attackers to avoid detection.

In a series of blogs we will look at the evasion technique of encoding, the process in which one character is paired with a code. When this character is encoded, the equivalent code for the character is displayed; this can be converted back to the original character by the process of decoding. Employing this technique, attackers have encoded complete payloads, thereby hiding the presence of exploit code. Encoding has become one of the major challenges of detection.

In this series we will explain the current methodologies employed in evading detection and prevention systems, an ideal system to detect and prevent these attacks, and McAfee’s solution to prevent these attacks.