
Authors: George Stergiopoulos; Eirini Lygerou; Nikolaos Tsalis; Dimitris Tomaras and Dimitris Gritzalis

Affiliation: Information Security & Critical Infrastructure Protection Laboratory, Department of Informatics, Athens University of Economics & Business, 76 Patission Ave., Athens GR-10434, Greece

Keyword(s): Network Security, Detection, Attack, Evasion, Intrusion Detection, Host, SIEM, Malware, TCP, Packet, Transport Layer, Payload, Shell, Data Leakage, DLP.

Abstract: Current host and network intrusion detection and prevention systems mainly use deep packet inspection, signature analysis and behavior analytics on traffic and relevant software to detect and prevent malicious activity. Solutions are applied on both the system and the network level. We present an evasion attack to remotely control a shell and/or exfiltrate sensitive data that manages to avoid the most popular host and network intrusion detection techniques. The idea is to take legitimate traffic and victim-generated packets that belong to different contexts and reuse them to communicate malicious content without tampering with their payload or any other field (except the destination IP). We name the technique "bit-masking". The attack appears able to exfiltrate any amount of data, and execution time does not seem to affect detection rates. As a proof of concept, we develop the "Leaky-Faucet" software that allows us to (i) remotely control a reverse shell and (ii) transfer data unnoticed. The validation scope for the presented attack includes evading 5 popular NIDS, 8 of the most popular integrated end-point protection solutions and a Data Leakage Prevention (DLP) system, both on the network and on the host session level. We present three variations of the attack, able to transfer (i) shell commands, (ii) large chunks of data, and (iii) malicious code to a remote command and control (CnC) center. During the experiments, we also detected an Npcap library bug that allows resent packets to avoid logging by Windows network analysis tools that use the Npcap library.
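
The abstract describes the channel only at the level of "reuse the victim's own packets and change nothing but the destination IP"; it does not give the encoding that Leaky-Faucet actually uses. The Python below is an added illustration, not the authors' code and not a reconstruction of it. It assumes a selection channel: the sender forwards to the C2 address copies of the victim's outgoing packets whose payload-hash parity equals the next message bit, so the receiver recovers the message from untouched payloads. The mask function, the Packet type, the documentation-range addresses and the HTTP payloads are all constructed for this example. The block also carries a simple replay heuristic a defender might try (same source and payload, new destination); that heuristic is likewise an assumption of this example and was never evaluated against the NIDS, end-point and DLP products in the paper's testbed.

```python
from __future__ import annotations

import hashlib
from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Minimal stand-in for an outgoing packet: only the fields the example needs."""
    src: str
    dst: str
    payload: bytes


def mask_bit(payload: bytes) -> int:
    """Assumed 1-bit 'mask' of a packet: parity of the first byte of SHA-256(payload).
    Any function both ends agree on would do; this one is an assumption of the example."""
    return hashlib.sha256(payload).digest()[0] & 1


def encode(legit: list[Packet], message: bytes, c2: str) -> list[Packet]:
    """Sender side of the selection channel. For each message bit, walk forward through
    the victim's own outgoing packets until one whose mask bit equals that bit is found,
    then emit a copy of it with ONLY the destination rewritten to the C2 address.
    The payload and every other field stay byte-for-byte identical."""
    bits = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    pool = iter(legit)          # each legitimate packet is considered at most once
    chosen: list[Packet] = []
    for bit in bits:
        for pkt in pool:
            if mask_bit(pkt.payload) == bit:
                chosen.append(replace(pkt, dst=c2))
                break
        else:
            raise ValueError("not enough legitimate packets to encode the message")
    return chosen


def decode(received: list[Packet]) -> bytes:
    """Receiver side: the C2 recovers one bit per packet from the untouched payload."""
    bits = [mask_bit(p.payload) for p in received]
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2) for i in range(0, usable, 8))


def flag_replays(stream: list[Packet]) -> list[tuple[str, str, str]]:
    """Illustrative detection heuristic (an assumption of this example, not from the paper):
    because the channel reuses payloads verbatim, the same (src, payload) pair shows up
    again with a destination it was never sent to before. Returns one
    (src, new_dst, payload_sha256_hex) alert per such replay."""
    seen: dict[tuple[str, bytes], set[str]] = defaultdict(set)
    alerts: list[tuple[str, str, str]] = []
    for p in stream:
        key = (p.src, hashlib.sha256(p.payload).digest())
        if seen[key] and p.dst not in seen[key]:
            alerts.append((p.src, p.dst, key[1].hex()))
        seen[key].add(p.dst)
    return alerts


# Constructed sample traffic (documentation-range addresses): one victim host talking
# to one legitimate web server, each request with a distinct, plausible payload.
VICTIM, SERVER, C2 = "192.0.2.10", "203.0.113.10", "198.51.100.7"
LEGIT = [
    Packet(VICTIM, SERVER, f"GET /catalog/item/{i} HTTP/1.1\r\nHost: shop.example\r\n\r\n".encode())
    for i in range(400)
]


def demo(message: bytes = b"ls") -> tuple[bytes, int]:
    """Round-trip a command over the channel, then run the detector over the combined
    stream (legitimate traffic followed by the replayed copies). Returns the message
    decoded at the C2 and the number of replay alerts the heuristic raised."""
    covert = encode(LEGIT, message, C2)
    recovered = decode(covert)
    alerts = flag_replays(LEGIT + covert)
    return recovered, len(alerts)


if __name__ == "__main__":
    msg, n_alerts = demo(b"ls")
    print(f"decoded at C2: {msg!r}; replay alerts raised: {n_alerts}")
```

Two caveats follow directly from the abstract. First, the heuristic only fires when the original packet was observed before its copy and from the same source; a variant that reuses packets from a different context than the host's own traffic would not match on (src, payload). Second, the authors report an Npcap bug under which resent packets escape logging by Windows tools built on that library, so a check like this belongs at a network tap or on a non-Windows sensor rather than on the victim host.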

CC BY-NC-ND 4.0

Paper citation in several formats:
Stergiopoulos, G.; Lygerou, E.; Tsalis, N.; Tomaras, D. and Gritzalis, D. (2020). Avoiding Network and Host Detection using Packet Bit-masking. In Proceedings of the 17th International Joint Conference on e-Business and Telecommunications - SECRYPT; ISBN 978-989-758-446-6; ISSN 2184-7711, SciTePress, pages 52-63. DOI: 10.5220/0009591500520063

@conference{secrypt20,
author={George Stergiopoulos and Eirini Lygerou and Nikolaos Tsalis and Dimitris Tomaras and Dimitris Gritzalis},
title={Avoiding Network and Host Detection using Packet Bit-masking},
booktitle={Proceedings of the 17th International Joint Conference on e-Business and Telecommunications - SECRYPT},
year={2020},
pages={52-63},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0009591500520063},
isbn={978-989-758-446-6},
issn={2184-7711},
}

TY - CONF

JO - Proceedings of the 17th International Joint Conference on e-Business and Telecommunications - SECRYPT
TI - Avoiding Network and Host Detection using Packet Bit-masking
SN - 978-989-758-446-6
IS - 2184-7711
AU - Stergiopoulos, G.
AU - Lygerou, E.
AU - Tsalis, N.
AU - Tomaras, D.
AU - Gritzalis, D.
PY - 2020
SP - 52
EP - 63
DO - 10.5220/0009591500520063
PB - SciTePress