TY - GEN
T1 - Themis
T2 - 27th ACM Annual Conference on Computer and Communication Security, CCS 2021
AU - Wang, Zhongjie
AU - Zhu, Shitong
AU - Man, Keyu
AU - Zhu, Pengxiong
AU - Hao, Yu
AU - Qian, Zhiyun
AU - Krishnamurthy, Srikanth V.
AU - La Porta, Tom
AU - De Lucia, Michael J.
N1 - Publisher Copyright:
© 2021 Owner/Author.
PY - 2021/11/12
Y1 - 2021/11/12
N2 - Network intrusion detection systems (NIDS) can be evaded by carefully crafted packets that exploit implementation-level discrepancies between how they are processed on the NIDS and at the endhosts. These discrepancies arise due to the plethora of endhost implementations and evolutions thereof. It is prohibitive to proactively employ a large set of implementations at the NIDS and check incoming packets against all of those. Hence, NIDS typically choose simplified implementations that attempt to approximate and generalize across the different endhost implementations. Unfortunately, this solution is fundamentally flawed since such approximations are bound to have discrepancies with some endhost implementations. In this paper, we develop a lightweight system Themis, which empowers the NIDS in identifying these discrepancies and reactively forking its connection states when any packets with "ambiguities"are encountered. Specifically, Themis incorporates an offline phase in which it extracts models from various popular implementations using symbolic execution. During runtime, it maintains a nondeterministic finite automaton to keep track of the states for each possible implementation. Our extensive evaluations show that Themis is extremely effective and can detect all evasion attacks known to date, while consuming extremely low overhead. En route, we also discovered multiple previously unknown discrepancies that can be exploited to bypass current NIDS.
AB - Network intrusion detection systems (NIDS) can be evaded by carefully crafted packets that exploit implementation-level discrepancies between how they are processed on the NIDS and at the endhosts. These discrepancies arise due to the plethora of endhost implementations and evolutions thereof. It is prohibitive to proactively employ a large set of implementations at the NIDS and check incoming packets against all of those. Hence, NIDS typically choose simplified implementations that attempt to approximate and generalize across the different endhost implementations. Unfortunately, this solution is fundamentally flawed since such approximations are bound to have discrepancies with some endhost implementations. In this paper, we develop a lightweight system Themis, which empowers the NIDS in identifying these discrepancies and reactively forking its connection states when any packets with "ambiguities"are encountered. Specifically, Themis incorporates an offline phase in which it extracts models from various popular implementations using symbolic execution. During runtime, it maintains a nondeterministic finite automaton to keep track of the states for each possible implementation. Our extensive evaluations show that Themis is extremely effective and can detect all evasion attacks known to date, while consuming extremely low overhead. En route, we also discovered multiple previously unknown discrepancies that can be exploited to bypass current NIDS.
UR - http://www.scopus.com/inward/record.url?scp=85119358859&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85119358859&partnerID=8YFLogxK
U2 - 10.1145/3460120.3484762
DO - 10.1145/3460120.3484762
M3 - Conference contribution
AN - SCOPUS:85119358859
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 3384
EP - 3399
BT - CCS 2021 - Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery
Y2 - 15 November 2021 through 19 November 2021
ER -