Intrusion Detection System based on protocol analysis

There are many advantages, such as performance, efficiency, detection rate to false alarm rate, and etc. compare Intrusion Detection System (IDS) based on protocol analysis with which based on simple pattern-matching.  

Let’s take example for HTTP protocol combines with the HTTP analyzer of Ax3soft Sax2 intrusion detection system. “GET /scripts/.. ../winnt/system32/cmd.exe?/c dir HTTP/1.0” is a Unicode attack aim at IIS. The attack’s first step is send out a request, like as “TCP dport:80”, “content:’ ’/I”, “alert:’IIS Unicode Directory Traversal’ TCP dport:80”, “content:’cmd.exe’/I” and “alert:’Attempt to execute cmd’” via browser. The Intrusion Detection System (IDS) based on simple pattern-matching will detect the attack with the rules in following: 1) system will send an alarm of “IIS Unicode Traversal” if the caught TCP packets sent to Point 80 with the code “ ”(blank space). 2) system will send an alarm of “Attempt to execute cmd” if the caught TCP packets sent to Point 80 with the code “cmd.exe”. Put aside the optimization this feature, there are two serious bugs in this kind IDS - misinformation and omission. 

  • Misinformation  The IDS based on pattern-matching ignores two important aspects – whether the TCP connections have been setup and whether the matched string is legal. In fact, the later situation is more serious.

    For example, the Cookie or GET/POST data can be include the code “ ” (blank space). Unfortunately, this method can not distinguish the blank space in these data.

  • Omission   The IDS based on pattern-matching require the matched string must in one packet. The attackers, regard the rule, can execute their attacks with several packets not ONE packet.

    For example, one byte composes one packet if the attacks transferred via Telnet. Therefore, pattern-matching method check the packet only will lead to serious omission of the attacks. Attackers can connect to the Point 80 via Telnet, input the “GET /scripts/.. ../winnt/system32/cmd.exe?/c dir HTTP/1.0” request in the Command-Line, and then double clicks the Enter key to send the attacks. With this method, the attacks may composed of many packets at most 64 packets.

    In addition, the attackers can encode the “cmd.exe” to achieve his aim. For example, encode the URL request “cgi-bin” as “%63%67%69%2d%62%69%6e”. In this situation, the rule is useless. 

The HTTP Analyzer in Ax3soft Sax2 intrusion detection system is designed for the two disadvantages of IDS based on simple pattern-matching. It has the following features:

  • The feature of TCP stream reconstruction based on protocol analysis engine in Ax3soft Sax2 intrusion detection system.

    It will analyze and reconstruct the HTTP request in multiple packets. For example, the attacker encode the attacks “GET /scripts/.. ../winnt/system32/cmd.exe?/c dir HTTP/1.0” in the following six packets “Get”, “/scripts/.. ../winnt/system32/”, “c”, “m”, “d” and “.exe?/c dir HTTP/1.0” can avoid the detection of pattern-matching IDS. Whereas, the TCP stream reconstruction will detect it and reconstruct the attacks to it’s original profile “GET /scripts/.. ../winnt/system32/cmd.exe?/c dir HTTP/1.0”.

  • Gains the whole HTTP request. Ax3soft Sax2 intrusion detection system will analyze the HTTP requests exceed normal length (maybe Buffer Overflow Attacks) even if the HTTP request composed of multiple TCP packets.

  • Analyzes HTTP 0.9, HTTP 1.0 and HTTP 1.1 protocols. Ax3soft Sax2 intrusion detection system will analyze and reconstruct multiple HTTP requests in a HTTP connection.

  •  Analyzes the HTTP requests send to Proxy Server.

  • Decodes the URL request. If the attackers encode the URL request to %XX, e.g. encode “cgi-bin” to “%63%67%69%2d%62%69%6e”, to avoid attack detection. Ax3soft Sax2 intrusion detection system will detect it through it’s own protocol analysis and decoding models.

  • Ax3soft Sax2 intrusion detection system will resolve the HTTP request into Method, Host, Path, Querystring and etc. and then analyze them. For the path include “cmd.exe”, HTTP analyzer will gain the “cmd.exe” after decode and establish an event. And then, HTTP analyzer will send the event number and related information in uniform format to Response Module to start the next processing.

 

Above all, the HTTP Analyzer Module in Ax3soft Sax2 intrusion detection system, works as independent detection module, achieves more reliable and efficient detection of attacks via HTTP protocol through analyzes and decodes the HTTP request. Obviously, it will be the future development of Intrusion Detection System that based on protocol analysis in module method.