Title:
Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic
Author(s)
Kolesnikov, Oleg
Lee, Wenke
Abstract
Normal traffic can provide worms with a very good source of information to camouflage themselves. In this paper, we explore the concept of polymorphic worms that mutate based on normal traffic. We assume that a worm has already penetrated a system and is trying to hide its presence and its propagation attempts from an IDS. We focus on stealthy worms that cannot be reliably detected by increases in traffic volume because of their low propagation factor. We first give an example of a simple polymorphic worm. Such worms can evade a signature-based IDS but not necessarily an anomaly-based IDS. We then show that it is feasible for an advanced polymorphic worm to gather a normal traffic profile and use it to evade an anomaly-based IDS. We tested the advanced worm implementation against three anomaly IDS approaches: NETAD, PAYL and a service-specific IDS. None of the three was able to detect the worm reliably. We found that the mutated worm can also evade other detection methods, such as Abstract Payload Execution.
The goal of this paper is to advance the science of IDS by analyzing the techniques polymorphic worms can use to hide themselves. While future work is needed to present a complete solution, our analysis can be used in designing possible defenses. By showing that polymorphic worms are a practical threat, we hope to stimulate further research to improve existing IDS.
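The core idea of the abstract, a worm that learns the byte distribution of normal traffic and pads its payload until it matches that distribution, can be shown against a byte-frequency anomaly model of the kind PAYL uses. The following is an added illustration, not the authors' worm implementation and not the PAYL, NETAD or service-specific IDS they tested. It assumes a single-centroid 1-gram model (real PAYL keeps one centroid per port and per payload-length bin), PAYL's simplified Mahalanobis distance with a smoothing constant alpha, and a detection threshold set at the largest score any training sample receives. The "normal" HTTP requests and the attack payload are constructed sample input; the attack payload is just a run of high bytes standing in for a binary payload, not an exploit.

```python
"""Simplified PAYL-style 1-gram anomaly model plus a padding ("blending")
mutation that pulls a payload's byte distribution toward the model.
Added illustration for this page; not the authors' worm or the IDS
implementations they evaluated. The single-centroid model, the threshold
rule and all sample data below are this example's own assumptions."""
import math
import random
from collections import Counter

# Constructed "normal" service traffic standing in for the profile a worm
# would gather on the infected host (sample input, not captured data).
NORMAL_PAYLOADS = [
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: image/png\r\n\r\n",
    b"GET /news/2005/report.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
    b"GET /search?q=worm+detection HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
    b"GET /style.css HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/css\r\n\r\n",
]

# Constructed stand-in for a binary payload carried in a request: 64 high
# bytes that never occur in the normal profile. Not a real exploit.
ATTACK_PAYLOAD = (b"GET /" + bytes(range(0x80, 0xC0)) +
                  b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n")

SMOOTHING = 0.001  # PAYL's alpha: keeps zero-variance bytes from dividing by zero


def byte_frequencies(payload):
    """Relative frequency of each of the 256 byte values in the payload."""
    counts = Counter(payload)
    n = len(payload)
    return [counts.get(b, 0) / n for b in range(256)]


def train_profile(samples):
    """Per-byte mean and standard deviation of relative frequency over the samples."""
    rows = [byte_frequencies(s) for s in samples]
    k = len(rows)
    mean = [sum(r[b] for r in rows) / k for b in range(256)]
    std = [math.sqrt(sum((r[b] - mean[b]) ** 2 for r in rows) / k) for b in range(256)]
    return mean, std


def anomaly_score(payload, profile):
    """PAYL's simplified Mahalanobis distance: sum |x_b - mean_b| / (std_b + alpha)."""
    mean, std = profile
    freqs = byte_frequencies(payload)
    return sum(abs(freqs[b] - mean[b]) / (std[b] + SMOOTHING) for b in range(256))


def blend(payload, profile, target_length=8000, seed=0):
    """Append padding so the whole payload's 1-gram distribution tracks the profile mean.

    Padding is simply appended here for illustration; where padding can be
    placed in a real payload without breaking it depends on the target and
    is not modelled. The attack bytes themselves are left untouched, so this
    does nothing against a signature that matches them."""
    mean, _ = profile
    have = Counter(payload)
    padding = []
    for b in range(256):
        want = round(mean[b] * target_length)
        padding.extend([b] * max(0, want - have.get(b, 0)))
    random.Random(seed).shuffle(padding)  # avoid long sorted runs of one byte
    return payload + bytes(padding)


def evaluate():
    """Return (threshold, raw_score, blended_score) for the constructed data."""
    profile = train_profile(NORMAL_PAYLOADS)
    # Threshold: largest score any training sample gets against its own model.
    threshold = max(anomaly_score(s, profile) for s in NORMAL_PAYLOADS)
    raw = anomaly_score(ATTACK_PAYLOAD, profile)
    blended = anomaly_score(blend(ATTACK_PAYLOAD, profile), profile)
    return threshold, raw, blended


if __name__ == "__main__":
    threshold, raw, blended = evaluate()
    print(f"threshold={threshold:.1f}  raw={raw:.1f}  blended={blended:.1f}")
```

The unpadded payload scores far above the threshold because every high byte has zero variance in the profile and is weighted by 1/alpha; after padding, those 64 bytes are a small fraction of a much longer payload and the rest of the distribution sits on the centroid, so the score drops below the threshold. This is the blending effect the abstract describes; it also shows why a defender cannot rely on 1-gram statistics alone, and why the paper's note that padding also defeats the simple polymorphic variant's anomaly problem is separate from evading a signature.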
Date Issued
2005
Extent
150196 bytes
Resource Type
Text
Resource Subtype
Technical Report