Evasion Techniques Efficiency Over The IPS/IDS Technology

Hakan Kılıç
Computer Engineering Department, TOBB University, Ankara, Turkey
hakankkilic@gmail.com

Neşet Sertaç Katal
Rakuten Mobile Network, Tokyo, Japan
[email protected]

Ali Aydın Selçuk
Computer Engineering Department, TOBB University, Ankara, Turkey
[email protected]

Abstract— Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) are the first line of defense of a cyber environment. This technology is made for capturing and preventing breaches and attacks. Evading an IPS/IDS system creates a large gap in cyber security. This research examines seven common evasion techniques and their success rates over an IPS/IDS system. These techniques are TTL evasion, fragmentation with MTU modification, tampering with time, agent name and port number, encoding and obfuscation, bad checksum, file header manipulation, and file and path change. The latest version of the Snort IPS/IDS system was used to test the attacks and evasion techniques. The whole attack and evasion dataset was created with contemporary attack techniques during the research. Test results demonstrate that the IPS/IDS system can be bypassed with evasion techniques.

Keywords— Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS), evasion attacks and techniques

I. INTRODUCTION

There is always a contest between attackers and system defenders. Attackers continually aim to breach systems for political or financial reasons, or just to make a point and become famous [1][2]. For these reasons, a cyber system has to be protected against cyber attacks and breaches. To protect these systems, intrusion prevention and intrusion detection systems were developed. IPS/IDS technology focuses on detecting, preventing and reporting cyber attacks on a network or telecommunication infrastructure. It does so by inspecting the whole network traffic and its content, which gives the defender the advantage of controlling and defending the network against attackers at a single point [1][4].

For this reason, an IPS/IDS system has become a crucial part of network security: it provides perimeter security and has the capability to prevent and report an attack at a single point [3]. Moreover, an IPS/IDS system not only buys time for unpatched vulnerabilities but also defends misconfigured systems. It fills the time gap between the discovery of a vulnerability and the release of its patch [5]. To defend a vulnerable system, IPS/IDS systems are indispensable.

There are two different types of IPS/IDS systems: signature-based and anomaly-based. Anomaly-based IPS/IDS systems are rarely used in practice due to their high false positive rates. A signature-based system uses signatures that are derived from records of past attacks. It checks new packets against its signature database to detect attacks [6]. In case of a match, the IPS/IDS generates an alert.

Even though an IPS/IDS system is mostly reliable, there is a possibility that an attacker can evade it and breach the end system [21]. If the IPS/IDS system can be bypassed, an attacker can easily reach the target. Although IPS/IDS systems are constantly improved against such attacks, there are still evasion techniques that can bypass an IPS/IDS system.

In this study, we tested seven common techniques to evade an IPS/IDS system: TTL evasion, fragmentation by MTU modification, tampering with time, agent name and port number, encoding and obfuscation, bad checksum, file header manipulation, and file and path change. The success of each evasion technique is measured by the proportion of the alarms it silenced. The OSSTMM penetration testing methodology [24] is used to attack the target machines, and every single attack is then sent through the IDS to record the alarms it generates. We used the open-source Snort IPS/IDS system with Kali Linux attacker machines. Snort was loaded with the latest signatures, namely the community rules and the v2.9.13.0 registered rules dated 11 April 2019.

Note that in this research the attack scenarios are limited to attacks an IPS/IDS is meant to detect. Every attack used has a signature and is recognizable by an IPS/IDS system; some attack techniques and tactics are beyond the limits of an IPS/IDS, and other security devices should protect the environment against those. For this reason, this research is conducted within the IPS/IDS boundaries.

978-1-7281-3964-7/19/$31.00 ©2019 IEEE

(UBMK'19) 4th International Conference on Computer Science and Engineering - 542


II. RELATED WORKS

The first systematic study of IPS/IDS evasion was published in 1998 by Ptacek and Newsham [6]. They showed how a network IDS can be fooled by insertion and evasion attacks: packets that the IDS accepts but the end system rejects (insertion), or that the end system accepts but the IDS does not see (evasion), so that the two reconstruct different data streams.

In 2010, the Stonesoft corporation conducted a study of IPS/IDS systems [25]. The main motivation was to find the weak and strong points of their IPS/IDS product and to compare it with competitors' products. From this research, they published an evasion tool, Evader, to test IPS/IDS systems. They identified 23 evasion techniques and created a tool to test them automatically. Since then, every IPS/IDS product, commercial or open source, has taken notice of this tool and of the 23 evasion techniques.

In a later study, Särelä, Kyöstilä, Kiravuo and Manner [26] tested the commercial IPS/IDS products on the market. They conducted tests with eight evasion techniques and published the success rates obtained.

III. EVASION TECHNIQUES

There are many evasion techniques applicable to IPS/IDS systems. In this research we tested seven of the most effective and best-known techniques among them. Each technique has a unique way of being applied and stems from a different idea. These techniques are summarized below.

A. TTL Evasion

TTL (time to live) is a layer-3 value that determines how many more hops a packet can travel [27]. Every layer-3 network device on a packet's path decrements its TTL value by one. If the TTL value reaches zero, the network device or operating system drops the packet. It is used to prevent packets looping forever in the network [27].

TTL-based evasion techniques aim to evade an IPS/IDS by changing the TTL value in the IP packet. An IPS/IDS device may not inspect a packet with a TTL value close to zero, in order not to waste its limited resources: if a packet will not be able to reach the end system, the IPS/IDS resources are better spent on other packets [10][22].

There are two major evasion techniques using the TTL value. The first one exploits exactly that behaviour: the attacker sends the attack packets with a TTL value low enough that the IPS/IDS detection engine treats them as packets that will not arrive and does not check them against the signatures [21], while the TTL is still large enough for the packets to reach the target. Although the option of not inspecting packets with low TTL values can be turned off, in practice most vendors' devices ship with that option turned on by default.

The second TTL evasion technique is the dual of the first idea. In that scenario, the IPS/IDS does inspect packets with a low TTL value [13]. For instance, assume that the malicious payload contains "EVIL" and this payload is an exploit for the end system. The attacker divides the payload into packets so that it becomes "E"-"V"-"I"-"L". Then the attacker inserts an additional packet in between, with a payload of, say, "V" and a low TTL value. This packet's TTL value is too small to reach the victim system. When the attacker sends the packets, the IPS/IDS correlation engine combines them as "E"-"V"-"V"-"I"-"L", obtaining the payload "EVVIL", which is not suspicious and does not trigger an alarm. After evaluation by the IPS/IDS, the packets go on their way. The second "V" packet cannot reach the victim system, so the victim combines the packets as "E"-"V"-"I"-"L", obtaining the malicious payload "EVIL" again; it may thus be infected without any alarm from the IPS/IDS. This is the insertion attack of Ptacek and Newsham [6]: the IPS/IDS accepts a packet that the end system never receives.

B. Fragmentation with MTU Modification

In fragmentation with MTU modification, the attacker fragments an attack packet by tampering with the MTU value at the IP layer. The main purpose of this evasion is to send the packet in fragments and hope that the IPS/IDS correlation engine cannot reassemble the fragments properly [23]. A smaller MTU value means more fragments to reassemble in the IPS/IDS buffer, which has limited resources. An IPS/IDS system has an adjustable buffer size, but it is tuned to protect the device itself from DoS attacks rather than to hold every fragment.

C. Tampering with Time, Agent Name and Port Number

The time-tampering technique works by slowing down the attack packets, especially in the scan/recon phase [7]. In this evasion technique, attackers exploit the limited time for which packets are remembered in the IPS/IDS buffer. Due to limited resources, an IPS/IDS buffer holds packet information only for a limited amount of time. So, if the attacker increases the time between attack packets, the IPS/IDS system cannot conclude whether it is under attack or not. For example, in a SYN scan the attacker aims to discover hosts and open TCP ports, but one or two SYN packets look normal to the IPS/IDS [19]. If an attacker knows for how long the IPS/IDS buffer holds packets, he can scan the system without triggering any alarm. Even if the attacker can complete the attack successfully, this evasion technique needs a lot of time and effort.

In the HTTP protocol, every request to a server carries a user agent name. The agent name identifies the client software that made the request. Agent name differentiation means that an attacker changes the agent name to evade the IPS/IDS. Some hacking tools or scripts always use the same agent name while sending HTTP requests [20]. For example, the Nikto web scanner uses the agent name "Mozilla/5.0 (Nikto/2.1.6)", so the IPS/IDS detection engine recognizes the attack just by checking the agent name field of the request. To evade this kind of detection, changing the agent name is an easy and reliable way to succeed.

Using a different port, a layer-4 attribute, is a technique in which the attacker changes the port number of a service to avoid detection by the IPS/IDS engine. This evasion differs from the others because the attacker must already have access to the victim machine to change the port number of the service [18]. In the Snort IPS/IDS system, every rule specifies the port numbers it applies to, and the signature only fires on traffic to or from those ports (unless the rule is written with port "any"). An example of a Snort rule is given in Figure 1 to demonstrate how crucial the port number is for detecting an attack. Therefore, changing the port number of an attack evades the IPS/IDS system: when a service is moved to a different port while transferring data, the IPS/IDS may not generate any alert.
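The low-TTL decoy of Section III.A and the bad-checksum decoy described later in Section III.E share one mechanism: the IPS/IDS accepts a segment that the end host will discard. The following Python model is an added example, not code from the paper; it implements the RFC 1071 one's-complement checksum used by IP/TCP headers, reassembles the same segment sequence under three policies (a naive IDS that accepts everything, the victim host, and an IDS normalized to the host's view) and checks whether the signature still matches. The hop count, the payloads and the "first copy wins" overlap policy are constructed assumptions. Because the decoy overlaps a real byte in sequence space, the naive IDS reads "EVVL" and "vxrxs" rather than the paper's "EVVIL" and "vxirxus", with the same effect: the signature does not match on the IDS but does on the host.

```python
"""Insertion attacks against a stream reassembler: low-TTL and bad-checksum
decoys.  Added example, not code from the paper.  Payloads, hop count and the
overlap policy are constructed for illustration."""
from dataclasses import dataclass
import struct

HOPS_TO_VICTIM = 5  # constructed: five routers sit between attacker and victim


@dataclass
class Segment:
    seq: int        # offset of the first payload byte in the stream
    payload: bytes
    ttl: int        # IP time-to-live as sent by the attacker
    checksum: int   # 16-bit checksum carried in the header


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IP/TCP/UDP checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_segment(seq, payload, ttl=64, corrupt_checksum=False):
    """Build a segment with a correct checksum, or a deliberately wrong one."""
    good = inet_checksum(payload)
    return Segment(seq, payload, ttl, (good ^ 0xFFFF) if corrupt_checksum else good)


def reassemble(segments, accept):
    """Concatenate accepted segments by sequence number.  For overlapping
    bytes the first copy seen wins (the "first" policy of many reassemblers)."""
    stream = {}
    for seg in segments:                    # arrival order matters
        if not accept(seg):
            continue
        for i, byte in enumerate(seg.payload):
            stream.setdefault(seg.seq + i, byte)
    return bytes(stream[k] for k in sorted(stream))


def naive_ids(seg):
    """Inspects everything on the wire, never validates TTL or checksum."""
    return True


def victim_host(seg):
    """What survives the path and the host's TCP stack: enough TTL to arrive,
    and a checksum that verifies."""
    return seg.ttl > HOPS_TO_VICTIM and inet_checksum(seg.payload) == seg.checksum


hardened_ids = victim_host  # an IDS that knows the hop count and verifies checksums


def ttl_insertion_stream(payload=b"EVIL", decoy=b"V", insert_at=2, ttl_low=1):
    """Section III.A: the real bytes plus one low-TTL decoy sent just before
    the real byte it overlaps (seq == insert_at)."""
    segs = []
    for i, b in enumerate(payload):
        if i == insert_at:
            segs.append(make_segment(i, decoy, ttl=ttl_low))
        segs.append(make_segment(i, bytes([b])))
    return segs


def checksum_insertion_stream(payload=b"virus", decoy=b"x", positions=(1, 3)):
    """Section III.E: decoys carry a wrong checksum instead of a low TTL."""
    segs = []
    for i, b in enumerate(payload):
        if i in positions:
            segs.append(make_segment(i, decoy, corrupt_checksum=True))
        segs.append(make_segment(i, bytes([b])))
    return segs


def evaluate(segments, signature):
    """Reassembled stream and signature verdict under each policy."""
    return {name: (data, signature in data)
            for name, data in (("naive_ids", reassemble(segments, naive_ids)),
                               ("victim", reassemble(segments, victim_host)),
                               ("hardened_ids", reassemble(segments, hardened_ids)))}


if __name__ == "__main__":
    for title, segs, sig in (("TTL insertion", ttl_insertion_stream(), b"EVIL"),
                             ("bad checksum", checksum_insertion_stream(), b"virus")):
        print(title)
        for view, (data, hit) in evaluate(segs, sig).items():
            print(f"  {view:13s} reassembles {data!r:10} signature match: {hit}")
```

The hardened policy is the whole defense: an IPS/IDS that drops what the host will drop (Snort's stream reassembly can be told the target's policy, and checksum verification is a configuration choice) sees the same bytes as the host, so the decoy buys the attacker nothing.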
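The time-tampering evasion in Section III.C rests on the detector forgetting probes once they age out of its buffer. The following Python model is an added example, not code from the paper or from Snort: a port-scan detector with a sliding time window and a distinct-port threshold, fed with constructed SYN observations. It shows the fast scan being caught, the same 100 ports probed 90 seconds apart slipping under a 60-second window, and the cost of the obvious mitigation (remembering probes for longer), measured as the amount of observation state the detector has to hold. The window, threshold, addresses and timings are assumptions, not Snort's sfPortscan defaults.

```python
"""Sliding-window port-scan detection and the slow-scan evasion of Section
III.C.  Added example, not from the paper or Snort; all parameters and
traffic are constructed."""
from collections import defaultdict, deque


def detect_scans(events, window, threshold):
    """events: (t_seconds, src_ip, dst_port) SYN observations in time order.
    Alert once per source when it touches >= threshold distinct ports within
    any `window` seconds; observations older than the window are forgotten,
    which is the bounded buffer an attacker paces probes against.
    Returns (alerts, peak_state): the alerts as (t, src) and the largest
    number of observations held at once, i.e. the detector's memory cost."""
    recent = defaultdict(deque)             # src -> deque of (t, port)
    alerts, alerted, peak_state = [], set(), 0
    for t, src, port in events:
        recent[src].append((t, port))
        for q in recent.values():           # expire everything outside the window
            while q and q[0][0] < t - window:
                q.popleft()
        peak_state = max(peak_state, sum(len(q) for q in recent.values()))
        if src not in alerted and len({p for _, p in recent[src]}) >= threshold:
            alerts.append((t, src))
            alerted.add(src)
    return alerts, peak_state


def synthetic_scan(src, ports, interval, start=0.0):
    """Constructed input: one SYN per port, a fixed `interval` seconds apart."""
    return [(start + i * interval, src, p) for i, p in enumerate(ports)]


def merge(*traces):
    """Interleave several traces into one time-ordered event list."""
    return sorted((e for trace in traces for e in trace), key=lambda e: e[0])


PORTS = list(range(1, 101))
WINDOW, THRESHOLD = 60.0, 20                # constructed detector settings
ATTACKER = "10.0.0.5"                       # constructed address

fast_scan = synthetic_scan(ATTACKER, PORTS, interval=0.5)   # 100 ports in 50 s
slow_scan = synthetic_scan(ATTACKER, PORTS, interval=90.0)  # one probe per 90 s
# a benign client touching a few ports at a realistic rate (constructed)
benign = synthetic_scan("10.0.0.9", [80, 443, 8080], interval=30.0)


def run_scenarios():
    """Verdicts for each scenario; keys name the trace and the window used."""
    return {
        "fast/60s": detect_scans(merge(fast_scan, benign), WINDOW, THRESHOLD),
        "slow/60s": detect_scans(merge(slow_scan, benign), WINDOW, THRESHOLD),
        # mitigation: never forget a source's ports (unbounded window)
        "slow/inf": detect_scans(merge(slow_scan, benign), float("inf"), THRESHOLD),
    }


if __name__ == "__main__":
    for name, (alerts, state) in run_scenarios().items():
        print(f"{name:9s} alerts={alerts} peak_state={state}")
```

The unbounded window catches the slow scan only because it keeps every observation; on a busy link that is the memory exhaustion the paper's DoS remark in Section III.B warns about, which is why real detectors bound their window and the attacker's cost is measured in hours (7 hours for the scan in Section V) rather than in packets.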



Fig. 1 An example of a Snort signature [28]

D. Encoding and Obfuscation

Encoding is used to change data into a new format in order to protect it from corruption during transfer. Corruption may occur when different systems use different character sets, so that the data is misinterpreted while processing. To avoid this problem, encoding is widely used in communication between computers. However, encoding can also be used to evade IPS/IDS systems. An IPS/IDS may know only a few decoding schemes and keep only some of them active due to resource limitations. An attacker can send the packets encoded with a scheme that the IPS/IDS cannot decode [14]. If the packet cannot be decoded properly, the IPS/IDS detection engine cannot apply the signature, and no alarm is triggered. The most commonly used encoding is UTF-8. For example, if an attacker writes the bytes of the path /etc/shadow as hexadecimal escapes, it becomes \x2f\x65\x74\x63\x2f\x73\x68\x61\x64\x6f\x77 (for ASCII text the UTF-8 bytes are just the ASCII codes). This attack can evade an IPS/IDS system if the system cannot decode the payload or does not have signatures for the encoded form.

Obfuscation is a hiding technique that is mostly used for illegitimate purposes. It is commonly used for hiding attacks from security devices [16]. This evasion technique is similar to encoding. For instance, /etc/shadow looks like "fzÐYžrJ{ßÇði¿¯[ìâ͞!U Íåm iN&´é_ÌBÅH T€" after obfuscation with the Shikata Ga Nai encoder (Metasploit's x86/shikata_ga_nai). This method prepends a decoder stub that describes how to decode the payload. The IPS/IDS system most probably will not have the ability to decode the obfuscation.

E. Bad Checksum

The TCP checksum is a value used to detect whether a network packet has reached its target without corruption. However, this checksum can also be abused by an attacker to evade IPS/IDS systems. An IPS/IDS typically does not verify the checksum field in order not to be overburdened [11]. Because of this missing check, an attacker can use additional packets with bad checksum values to evade an IPS/IDS. For instance, suppose an attacker has a payload that includes "virus", and this payload is malware that can infect the victim system. The attacker divides the payload into "v"-"i"-"r"-"u"-"s" and adds extra packets with bad checksums in between, so that the sequence becomes "v"-"x"-"i"-"r"-"x"-"u"-"s". The IPS/IDS sees the payload as "vxirxus", which has no chance of triggering any alert. However, when the packets reach the victim, the host drops the packets with bad checksums and reassembles the payload as "virus". As a result, the attacker can exploit the victim machine without triggering any alert on the IPS/IDS [12]. As with the low-TTL packets of Section III.A, this is an insertion attack; the defense is for the IPS/IDS to discard exactly what the end host will discard, i.e. to verify checksums itself.

F. File Header Manipulation

A file's header information is used to define the file type [17]. Contrary to popular belief, the file extension is not used by security devices for that purpose. Every file type has unique header information, and operating systems decide the file type by checking that header. IPS/IDS systems have different signatures for different file types, and they do not run every signature on every type of file. An attacker can use this to evade an IPS/IDS: if the attacker changes the file header before sending the packets, the IPS/IDS cannot recognize the attack because it checks the wrong signature set [17]. After the attack packets reach the victim system, the attacker needs to restore the header information for the attack to succeed; this is the hardest part of this evasion technique. For example, a web page may only accept uploads of .jpg files. An attacker changes the file header of a reverse shell to look like a .jpg and uploads it. After the upload, the victim computer may process the reverse shell and the attacker gains access. If that does not happen, in the other possible attack scenario the attacker is assumed to already have access to the victim system: he changes the header back to the original one and runs the exploit. This can be used in the post-exploitation phase.

G. File and Path Change

Accessing special files and critical paths is an indicator of compromise. An IPS/IDS system has pre-defined information about sensitive paths and file names such as /etc/shadow or /etc/passwd. If an attacker tries to reach such a file or path, the IPS/IDS generates an alert. At this point, the attacker has to evade the IPS/IDS in order to succeed with the attack [9]. In this evasion, the attacker changes the critical file or path name, and the IPS/IDS detection engine does not see any critical information [15]. For instance, an attacker may copy a critical file to a standard path like "/usr/tmp/" and then steal the information from this new path. The IPS/IDS will treat the path as not sensitive and will not generate any alert. In order to perform the attack, the attacker needs access to the victim system, so this evasion is used in the post-exploitation phase.

IV. EVASION EXPERIMENT ENVIRONMENT

In this section, we review the experiment setup, the tools and scripts, and the test methodology of the experiments.

A. Test Setup

All tests were done in a virtual environment on ESXi 6.5. The test environment consists of 1 attacker (Kali Linux), 1 virtual switch, 1 full packet capturer (Ubuntu 18.04 LTS), 2 IDS (Ubuntu 18.04 LTS with Snort 2.9.13) and 4 victims (Metasploitable 2, Ubuntu Server 14.04 with web applications, Windows Server 2012, Windows XP SP2).

Several tools and scripts were used in this research to generate the attacks and evasions and to inspect the evasions. The attacks are evaluated in three phases as defined by the OSSTMM data network security testing methodology: scan/recon (intelligence gathering and vulnerability analysis), exploitation, and post-exploitation. First the attack datasets were created, and then the evasion attacks were created by modifying the pre-created attacks with tools and programs. Below, we briefly describe the attacks, tools, and evasion techniques of each phase.

The scan/recon phase includes port scanning, service enumeration, service fuzzing, and banner grabbing. These attacks are done to gather detailed information about the victim machine. For scan/recon, the Nmap, Burp Suite, Dirb, DNSLookUp, Nikto, Enum4Linux



and SMTPEnum tools were used. In this phase, TTL evasion, fragmentation with MTU modification, and tampering with time, port and agent name are the evasion techniques tested.

The exploitation phase includes uploading exploits, code execution, directory traversal, file inclusion, brute force, SQL injection, and XSS attacks. These attacks are done to exploit the vulnerabilities and breach the victim system. John the Ripper, WFUZZ, Hydra, Netcat, BeEF XSS, Burp Suite, sqlmap, Metasploit, Veil, msfvenom, Havij and hping3 are the tools used. Moreover, some manual techniques were used to complete the exploitation phase. In this phase, TTL evasion, fragmentation with MTU modification, tampering with time, port and agent name, encoding and obfuscation, bad checksum, and file header manipulation are the evasion techniques tested.

The post-exploitation phase includes privilege escalation, pivoting, data theft, and persistence. These attacks are done to gain benefit proportional to the value of the victim machine. For post-exploitation we used the Netcat, Metasploit, Veil, msfvenom, PowerShell Empire, Mimikatz, sshuttle and LaZagne tools, along with some manual techniques. In this phase, file and path name change, file header manipulation, and tampering with the port number are the evasion techniques used.

Some tools and programs were used to change packet headers or payloads to evade the IPS/IDS system. These are Fragroute, tcprewrite, tcpreplay and hping3. Moreover, we developed some scripts to change packet header information.

B. Methodology and Snort Configuration

The whole testing dataset was created at the beginning of the study. The reason for creating an original dataset is to prove and demonstrate the success rate of every attack and evasion. To come close to a real-world scenario, the dataset contains real attack pcaps. These pcaps were created by following the OSSTMM penetration testing methodology. The dataset covers the three phases of an attack: scan/recon, exploitation, and post-exploitation, with attack samples for each phase. The samples were created to be the same as a real attack.

The Snort configuration was set for full protection, with all Snort 2.9 signatures enabled for detection. The latest community rules were downloaded, and the registered rules, version 2.9.13.0, were added to the Snort ruleset. To detect everything, all plug-ins were installed, namely Barnyard2, BASE 1.4, PulledPork and OpenAppID. The network configuration was set to inspect the traffic. To alert on every attack, HOME_NET and EXTERNAL_NET were set to "any", meaning that Snort should inspect every communication with no exception. Setting "any" for HOME_NET and EXTERNAL_NET causes some false positives, but lets Snort use the full potential of its detection engine. Every rule was uncommented and made active.

V. TEST RESULTS

In this research, seven different evasion techniques were tested. The success of a technique is measured by the number of alarms triggered. First, the attacks were carried out without any evasion technique. Then, each possible attack was combined with an evasion technique and the results were observed. Comparing the first result to the second one gives the success rate of each evasion technique. The success rates observed are summarized below:

• In the TTL evasion technique, 100 percent success was achieved with the second TTL evasion method. The successful attack was done by changing the TTL value. First, a PHP reverse shell exploit was created with Metasploit. Then we ran it to count the number of alarms, which was sixteen without evasion. We divided the reverse shell exploit into pieces and added two additional random packets with a TTL value of one between the packets. Snort could not generate any alert when we sent the whole sequence. Since the randomly generated low-TTL packets could not reach the target, we succeeded in getting a reverse shell on the victim machine. However, we did not succeed with the first TTL evasion technique. We set the TTL value of the attack packets to one and to two. For example, the results were 232 alarms without evasion, 106 alarms with a TTL value of two, and 83 alarms with a TTL value of one. The success rates for the first TTL evasion technique were between 2% and 64%.

• Fragmentation with MTU modification cannot evade 100 percent. Every evasion trial triggered an alert on the IPS/IDS system. The most successful evasion trial reached 95% success. We reached that score by randomizing the MTU value for every packet; the MTU was set between 20 and 100 in that test. The other tests were done with a constant MTU value between 20 and 1000. The success rates for all evasion tests were between 17% and 95%.

• Tampering with time, agent name and port were tested separately. Tampering with time reached 97% success at best, on a SYN scan with Nmap. In this evasion we slowed down the packet sending rate. Even with the evasion, Snort could still trigger some alerts. The whole port scan took 7 hours to complete. Changing the agent name reached 98% success. We reached this success rate by changing the agent name of Nikto: the original agent name triggered 2817 alarms, and with the evasion this number was reduced to 57 alarms. The success ratio of the other attempts varied between 1% and 98%. The port number change evasion technique reached 100% success in our trials. We opened FTP on a different port. In the Snort FTP signature set there are some special commands that trigger an alert, such as "MKD" or "REST". We created a file containing these 10 different special commands; the result was 11 different alarms on Snort. After changing the port number, 0 alarms were triggered.

• Encoding and obfuscation evasions are the most successful ones among the seven evasion techniques. Encoding three or more times reaches 100 percent evasion success. For example, in SQL injection we encoded the payload 3 times with UTF-8 encoding. Without encoding, 12 alarms were triggered; after encoding 3 times, no alarm was triggered. However, encoding only once triggered alerts in every trial. To succeed with the encoding evasion, an attacker should encode the payload at least 3 times. Obfuscation did not trigger any alert in any trial. It was found to be the most successful evasion technique in this research. We tried the shell-elf-binary, Shikata Ga Nai (x86/shikata_ga_nai), cmd/powershell_base64 and XOR encoders for obfuscation. We tried 1, 3, 7 and 21 rounds of obfuscation on the



payloads. Each trial passed the IPS/IDS without triggering any alert.

• Bad checksum reached a 100 percent success rate. The best results were observed when we divided the payload into small pieces and then inserted additional packets with bad checksums at random positions. This new order disrupted the signature of the attack, so Snort did not generate any alert. When the whole sequence reached the victim, the victim dropped the packets with wrong checksum values, so the attack was unaffected and no alarm was triggered on Snort. In this scenario, we selected the exploit for CVE-2017-0144 (EternalBlue, SMB) [8] to evade Snort. However, a random bad checksum value on the attack packets themselves had no effect on evasion: when we tested random bad checksum values, the results showed no difference between the attack with and without evasion.

• File header manipulation could evade an IPS/IDS system with a 100 percent success rate. In the best trial, we selected the "Win32/Dorkbot" malware [9]. When we sent the malware without evasion, 3 alarms were triggered. When we changed the file header to random bytes, Snort could not detect the attack and no alarm was triggered. The trick of this attack is that we had a pivot machine to receive the file; there we restored the header to its original value, after which the attack could exploit the target without triggering any alert on the perimeter IPS/IDS system. However, some evasion trials triggered a serious number of alerts because the IPS/IDS found a pattern in the rest of the file without checking the file type. The success rate of this evasion fluctuates between 0% and 100%.

• The file and path change evasion technique can be done without triggering any alert on the IPS/IDS system. During the trials of this technique, it was observed that an attacker has at least a 50% success rate; this result was interesting because even the worst trial reached 50%. For the most successful trial, which had a 100% success rate, we copied the contents of /etc/passwd to the /tmp folder. Then we accessed and downloaded the files from the /tmp folder, and no alarm was triggered on Snort.

VI. CONCLUSION AND FUTURE WORKS

This article studies seven common IPS/IDS evasion techniques and tests them in a realistic environment. The aim of this research is to show how secure current IPS/IDS systems are against the evasion techniques. To make this test, normal attacks were created first. After that, the attacks were repeated with each evasion method to measure the evasion technique. The purpose of this research is to demonstrate how evasion techniques work and whether they are still effective against the latest version of the IPS/IDS system. The difference of this research is that the whole attack dataset was created during the research, so every evasion technique was tested and proved. The most crucial gain of this research is proving that an IPS/IDS system can still be bypassed. Some of the techniques, such as tampering with time, agent name and port number, encoding/obfuscation, bad checksum, file header manipulation and file and path change, can evade an IPS/IDS system totally, while others, such as the first TTL evasion technique and fragmentation with MTU modification, can only partially evade the IPS/IDS system. Contrary to popular belief, the fragmentation attack cannot totally evade the IPS/IDS system.

Based on the observations above, an IPS/IDS system has to be improved or strengthened against evasion techniques. The evasion techniques are mostly successful due to the IPS/IDS system's failure in detection or in correlation. Detection fails because the signatures need to have fewer false positives and be more efficient on large flows of data. Correlation fails because the IPS/IDS system must inspect the whole network traffic, for which it has to use its CPU and RAM resources efficiently; otherwise the IPS/IDS system can face a denial-of-service situation.

There are many ways to widen the scope of this research. We did not study every evasion technique, since we focused on seven common ones. In the future, out-of-scope evasion techniques such as denial-of-service evasion or encryption evasion might be studied.

The performance of the IPS/IDS system was not measured. Performance is critical for every network or security device: beyond some acceptable delay, the system becomes unusable and availability is lost. Improving an IPS/IDS system against evasion may require configuring it for performance as well.

The success of evasion techniques raises the question of how to prevent these evasions in the IPS/IDS system. There are many possible signature suggestions and configuration changes to study. Moreover, new signatures could be proposed and discussed to stop evasion attacks with a low false-positive rate.

REFERENCES

[1] F. Maymi, CISSP All-In-One Exam Guide, 8th ed. McGraw-Hill Education, 2018.
[2] S. Martin, "SANS Institute: Reading Room - Intrusion Detection", Sans.org, 2019. [Online]. Available: https://www.sans.org/reading-room/whitepapers/detection/anti-ids-tools-tactics-339. [Accessed: 08-Jun-2019].
[3] A. Sperotto, G. Schaffrath, R. Sadre, C. Morariu, A. Pras and B. Stiller, "An Overview of IP Flow-Based Intrusion Detection," IEEE Commun. Surveys Tutorials, vol. 12, issue 3, pp. 343-356, Third Quarter 2010.
[4] A. Pathan, State of the art in intrusion prevention and detection, 1st ed.: CRC Press, 2016.
[5] A. Ghorbani, W. Lu and M. Tavallaee, Network intrusion detection and prevention, 1st ed. New York: Springer, 2010.
[6] T. H. Ptacek and T. N. Newsham, "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection," Technical Report, Secure Networks, Inc., http://insecure.org/stf/secnet_ids/secnet_ids.html, Jan. 1998.
[7] M. Handley, V. Paxson, and C. Kreibich, "Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-end Protocol Semantics," In Proc. USENIX Security Symposium, Aug. 2001.
[8] "CVE-2017-0144: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows", Cvedetails.com, 2019. [Online]. Available: https://www.cvedetails.com/cve/CVE-2017-0144/. [Accessed: 12-Jun-2019].
[9] M. Corporation, "Worm:Win32/Dorkbot threat description - Microsoft Security Intelligence", Microsoft.com, 2019. [Online]. Available: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm%3AWin32/Dorkbot. [Accessed: 12-Jun-2019].



[10] P. Fogla and W. Lee, “Evading Network Anomaly Detection Systems:
Formal Reasoning and Practical Techniques,” In Proc. ACM Conference
on Computer and Communications Security (CCS), Oct.–Nov. 2006.
[11] D. Watson, M. Smart, G. R. Malan and F. Jahanian, “Protocol Scrubbing:
Network Security Through Transparent Flow Modification,” IEEE/ACM
Trans. Netw., vol. 12, issue 2, pp. 261-273, Apr. 2004.
[12] H. Dreger, C. Kreibich, V. Paxson and R. Sommer, “Enhancing the
accuracy of network-based intrusion detection with host-based context,”
In Proc. Conference on Detection of Intrusions and Malware and
Vulnerability Assessment (DIMVA), July 2005.
[13] A. Pasupulati, J. Coit, K. Levitt and F. Wu, “Buttercup: On Network-
based Detection of Polymorphic Buffer Overflow Vulnerabilities,” In
Proc. IEEE/IFIP Network Operation and Management Symposium, May
2004.
[14] U. Payer, P. Teufl and M. Lamberger, “Hybrid Engine for Polymorphic
Shellcode Detection,” In Proc. Conference on Detection of Intrusions
and Malware and Vulnerability Assessment (DIMVA), July 2005.
[15] M. Polychronakis, K. G. Anagnostakis and E. P. Markatos,
“Network-level Polymorphic Shellcode Detection using Emulation,” In
Proc. Conference on Detection of Intrusions and Malware and
Vulnerability Assessment (DIMVA), July 2006.
[16] M. Polychronakis, K. Anagnostakis and E. P. Markatos, “Emulation-
Based Detection of Non-self-contained Polymorphic Shellcode.” In
Proc. 10th International Symposium on Recent Advances in Intrusion
Detection (RAID), Aug. 2007.
[17] C. M. Linn, M. Rajagopalan, S. Baker, C. Collberg, S. K. Debray, J.
Hartman, “Protecting against Unexpected System Calls,” In Proc. 13th
Usenix Security Symposium, Aug. 2005.
[18] M. Shimamura and K. Kono, “Yataglass: Network-Level Code
Emulation for Analyzing Memory-Scanning Attacks,” In Proc. Detection
of Intrusions and Malware and Vulnerability Assessment (DIMVA), July
2009.
[19] G. Varghese, J. A. Fingerhut and F. Bonomi, “Detecting Evasion
Attacks at High Speeds without Reassembly,” In Proc. ACM
SIGCOMM, Sept. 2006.
[20] G. Antichi, D. Ficara, S. Giordano, G. Procissi and F. Vitucci, “Counting
Bloom Filters for Pattern Matching and Anti-Evasion at the Wire Speed,”
IEEE Network, vol. 23, issue 1, Jan/Feb 2009.
[21] V. M. Igure and R. D. Williams, “Taxonomies of Attacks and
Vulnerabilities in Computer Systems,” IEEE Commun. Surveys
Tutorials, vol. 10, issue 1, pp. 6-19, First Quarter 2008.
[22] R. Smith, C. Estan and S. Jha, “Backtracking Algorithmic Complexity
Attacks against a NIDS,” In Proc. 22nd Annual Computer Security
Applications Conference (ACSAC), Dec. 2006.
[23] S. Dharmapurikar and V. Paxson, “Robust TCP Stream Reassembly In
the Presence of Adversaries,” In Proc. USENIX Security Symposium,
Aug. 2005.
[24] I. Shakeel, "Penetration Testing Methodologies and Standards", Infosec
Resources, 2019. [Online]. Available:
https://resources.infosecinstitute.com/penetration-testing-
methodologies-and-standards/#gref. [Accessed: 11- Jun- 2019].
[25] Stonesoft, Evader User Guide, http://evader.stonesoft.com/assets/files/Evader_UsersGuide_20120905.pdf. [Accessed May 27, 2019].
[26] M. Särelä, T. Kyöstilä, T. Kiravuo and J. Manner, "Evaluating intrusion
prevention systems with evasions", International Journal of
Communication Systems, vol. 30, no. 16, 2017.
[27] S. Huang, C. Blundo, S. Cimato, B. Masucci, D. MacCallum and D. Du,
Network Security, Springer, 2010.
[28] N. Khamphakdee, N. Benjamas and S. Saiyod, "Improving Intrusion
Detection System based on Snort rules for network probe attack
detection", 2nd International Conference on Information and
Communication Technology (ICoICT), 2014.
