METHODS AND SYSTEMS TO DETECT AN EVASION ATTACK

Information

  • Patent Application
  • Publication Number
    20070192861
  • Date Filed
    October 23, 2006
  • Date Published
    August 16, 2007
Abstract
A method and system to detect an evasion attack are provided. The system may include a repository to store signature fragments that together constitute an attack signature, an interceptor to intercept a data packet associated with a network connection, a string-matching module to determine whether the payload of the data packet includes any of the stored signature fragments thereby identifying a match, a responder to perform a prevention action in response to the match, and a detector to detect that a size of the data packet is less than a size threshold. The system may further include a state machine to commence maintaining a state for the network connection in response to the detector determining that the size of the data packet is less than the size threshold.
Description

BRIEF DESCRIPTION OF DRAWINGS

Embodiments of the present invention are illustrated by way of example and not of limitation in the figures of the accompanying drawings, in which like reference numbers indicate similar elements and in which:

FIG. 1 shows a network environment within which an example embodiment may be implemented;

FIG. 2 is a block diagram of an intrusion detection system (IDS), in accordance with an example embodiment;

FIG. 3 is a flow diagram illustrating a method, in accordance with an example embodiment, to monitor data packets on a network;

FIG. 4 is a flow diagram illustrating a method, in accordance with an example embodiment, to detect an indication of an attack signature; and

FIG. 5 is a diagrammatic representation of an example machine in the form of a computer system within which a set of instructions, for causing the machine to perform any one or more of the methodologies discussed herein, may be executed.


Claims
  • 1. An intrusion detection system, the system comprising: a slow path to reassemble data packets associated with a network connection; and a fast path to: intercept a data packet associated with the network connection, forward the data packet to its destination if the data packet is not indicative of the attack, and divert the data packet to the slow path if the data packet is indicative of the attack.
  • 2. The system of claim 1, wherein the fast path comprises a counter to update a count of detected anomalies with respect to intercepted data packets.
  • 3. The system of claim 2, wherein an anomaly comprises a small data packet, wherein a size of the small data packet is less than a threshold value.
  • 4. The system of claim 2, wherein an anomaly comprises a data packet having an out-of-order sequence number.
  • 5. The system of claim 2, wherein the data packet is indicative of the attack if the count of detected anomalies is equal to or greater than a count threshold.
  • 6. The system of claim 2, wherein the fast path is to provide a copy of the data packet to the slow path if the data packet is indicative of an anomaly and the count of detected anomalies is less than a count threshold.
  • 7. The system of claim 1, wherein the network connection is a TCP connection and the data packet is a TCP data packet.
  • 8. A system comprising: a repository to store a plurality of signature fragments that together constitute an attack signature; an interceptor to intercept a data packet associated with a network connection; a string-matching module to determine that the data packet comprises a signature fragment from the plurality of fragments thereby identifying a match; a responder to perform a prevention action in response to the match; a detector to detect that a size of the data packet is less than a size threshold, wherein the size threshold is dependent on a size of a signature fragment from the plurality of signature fragments; and a state machine to commence maintaining a state for the network connection in response to the detector determining that the size of the data packet is less than the size threshold.
  • 9. The system of claim 8, further comprising a reassembler to reassemble selected data packets.
  • 10. The system of claim 9, wherein the preventive action comprises diverting the data packet to the reassembler.
  • 11. The system of claim 9, wherein the preventive action comprises providing a copy of the data packet to the reassembler.
  • 12. The system of claim 9, further comprising a counter to update a count of detected anomalies with respect to intercepted data packets.
  • 13. The system of claim 12, wherein an anomaly comprises a small data packet, wherein a size of the small data packet is less than the threshold value.
  • 14. The system of claim 12, wherein an anomaly comprises a data packet having an out-of-order sequence number.
  • 15. The system of claim 12, wherein the responder is to redirect data packets associated with the network connection to the reassembler in response to the count of detected anomalies reaching a count threshold.
  • 16. The system of claim 15, wherein the network connection is a TCP connection and the data packet is a TCP data packet.
  • 17. A method comprising: intercepting a data packet associated with a network connection; performing a prevention action if the data packet comprises a signature fragment from a plurality of signature fragments, the plurality of signature fragments identifying an attack; and commencing to maintain a state for the network connection if a size of the data packet is less than a size threshold, the size threshold being dependent on a size of a signature fragment from the plurality of signature fragments.
  • 18. The method of claim 17, wherein the performing of the prevention action comprises diverting the data packet to a reassembler for reassembly.
  • 19. The method of claim 17, wherein the performing of the prevention action comprises providing a copy of the data packet to a reassembler.
  • 20. The method of claim 19, further comprising: detecting a further data packet having a size less than the size threshold; and updating a counter in response to the detecting of the further data packet.
  • 21. The method of claim 19, further comprising: detecting a further data packet having an out-of-order sequence number; and updating a counter in response to the detecting of the further data packet.
  • 22. The method of claim 21, further comprising selectively diverting a subsequent data packet to the reassembler for reassembling, based on the counter.
  • 23. The method of claim 17, wherein the network connection is a TCP connection and the data packet is a TCP data packet.
  • 24. The method of claim 17, further comprising: selecting an attack signature; determining a number of signature fragments; and splitting the attack signature into the determined number of signature fragments.
  • 25. The method of claim 17, further comprising providing the size threshold as follows: (a size of a signature fragment from the plurality of signature fragments)*2−1.
  • 26. A machine-readable medium having stored thereon data representing sets of instructions which, when executed by a machine, cause the machine to: store a plurality of signature fragments that together constitute an attack signature; intercept a data packet associated with a network connection; determine that the data packet comprises a signature fragment from the plurality of fragments thereby identifying a match; perform a prevention action in response to the match; detect that a size of the data packet is less than a size threshold, wherein the size threshold is dependent on a size of a signature fragment from the plurality of signature fragments; and commence maintaining a state for the network connection in response to the detector determining that the size of the data packet is less than the size threshold.
  • 27. A system comprising: means for intercepting a data packet associated with a network connection; means for performing a prevention action if the data packet comprises a signature fragment from a plurality of signature fragments, the plurality of signature fragments identifying an attack; and means for commencing to maintain a state for the network connection if a size of the data packet is less than a size threshold, the size threshold being dependent on a size of a signature fragment from the plurality of signature fragments.
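As an added illustration (not code from the patent or its assignee), the following Python models the fast path described in the abstract and in claims 1 through 25 in simplified form: a signature is split into fragments (claim 24), the size threshold is a fragment length times 2 minus 1 (claim 25; the claim does not say which fragment, so using the smallest is our assumption), a small or out-of-order packet starts per-connection state and increments an anomaly counter (claims 8, 13, 14), and either a fragment match or a counter reaching the count threshold diverts the connection to the slow-path reassembler (claims 5, 6, 10). All names and the sample traffic are constructed.

```python
from dataclasses import dataclass

# Constructed sample (not from the patent): a signature and an evasion stream in 4-byte pieces
SIGNATURE = b"GET /cgi-bin/evil"
EVASION = [(0, b"GET "), (4, b"/cgi"), (8, b"-bin"), (12, b"/evil HTTP/1.0")]

def split_signature(signature: bytes, n_fragments: int) -> list[bytes]:
    """Claim 24: split one attack signature into n contiguous fragments."""
    size, rem = divmod(len(signature), n_fragments)
    frags, pos = [], 0
    for i in range(n_fragments):
        end = pos + size + (1 if i < rem else 0)
        frags.append(signature[pos:end])
        pos = end
    return frags

def size_threshold(fragments: list[bytes]) -> int:
    """Claim 25: (size of a signature fragment) * 2 - 1; the smallest fragment is assumed."""
    return min(len(f) for f in fragments) * 2 - 1

@dataclass
class ConnState:            # per-connection state, created only once needed (claim 8)
    anomalies: int = 0      # count of small / out-of-order packets (claims 12-14)
    expected_seq: int = -1  # next expected TCP sequence number, -1 = not yet known
    diverted: bool = False  # connection already handed to the slow path

class FastPath:
    """Verdicts: 'forward' (no state), 'copy' (forward + copy to slow path), 'divert'."""
    def __init__(self, signature: bytes, n_fragments: int, count_threshold: int):
        self.fragments = split_signature(signature, n_fragments)
        self.size_threshold = size_threshold(self.fragments)
        self.count_threshold = count_threshold
        self.states: dict[str, ConnState] = {}

    def handle(self, conn: str, seq: int, payload: bytes) -> str:
        matched = any(f in payload for f in self.fragments)  # string-matching module
        small = len(payload) < self.size_threshold           # claim 13: small packet
        state = self.states.get(conn)
        if state is None and not (matched or small):
            return "forward"                  # ordinary packet: stateless fast path
        state = self.states.setdefault(conn, ConnState())  # claim 8: start keeping state
        anomaly = small
        if state.expected_seq >= 0 and seq != state.expected_seq:
            anomaly = True                    # claim 14: out-of-order sequence number
        state.expected_seq = max(state.expected_seq, seq + len(payload))
        state.anomalies += anomaly
        if matched or state.diverted or state.anomalies >= self.count_threshold:
            state.diverted = True             # claims 5 and 10: hand to the slow path
            return "divert"
        return "copy" if anomaly else "forward"  # claim 6: copy anomalies below threshold
```

Note that each piece of the evasion stream is shorter than the 9-byte threshold, so plain string matching on any single packet never fires; it is the anomaly counter that routes the connection to reassembly before the final fragment arrives.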
Provisional Applications (1)
  • Number: 60764818
  • Date: Feb 2006
  • Country: US