Monday, April 23, 2012

By Laurent Boutet, CISSP, pre-sales expert at Stonesoft


Advanced Evasion Techniques (AET) are a new challenge for network security systems. Unlike known evasion techniques, AETs combine and modify evasion methods to disguise an attack or malicious code, so that it infiltrates a network without being detected by the security systems in place. The particular risk of AETs is the almost unlimited number of combinations that can be produced. Current estimates reach 2,250 AET variants that hackers could use to disguise an attack. Current protection mechanisms (intrusion prevention systems or firewalls) do not cope with these techniques. There is no complete protection against AETs, but it is possible to secure networks using prevention methods.

To get around protection, cyber-criminals disguise or alter malware and deliver it, unnoticed, into networks. For both simple evasions and AETs, TCP/IP, which is used on the Internet and in most computer networks, plays a central role. The IP standard, RFC 791, defines an open (liberal) receiving mode while sending remains conservative. In general, only well-formed data packets may be sent, while the receiving system accepts every incoming data packet that it can interpret at the end of the chain. Incoming data packets can therefore have different formats, yet they are always interpreted in the same way. This open approach, based on the idea that interaction between different systems should be as robust as possible, opens the door to attacks and to the techniques deployed to disguise them.

Different operating systems and applications do not behave the same way when receiving data packets, and it can happen that the IPS does not detect the original context of a packet and therefore interprets the data stream differently from the target host. This is known as an "out of sync state". It is the starting point for evasion techniques, which exploit this context difference to create data packets that appear normal and harmless. These packets are only identified as attacks once they are interpreted by the end system, that is to say, when the malicious code is already installed in the network.
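The "out of sync state" described above can be made concrete with a small simulation (added here as an illustration, not code from the author or from Stonesoft): the same overlapping fragments are reassembled under two hypothetical policies, "first" and "last", standing in for the differing reassembly behaviour of an inspection device and a target host. The fragment contents and the signature are constructed for the example.

```python
# Added example: the same overlapping fragments reassembled under two
# different policies yield two different byte streams. If the IPS uses one
# policy and the protected host the other, the IPS inspects a stream the
# host never sees (the "out of sync state").

SIGNATURE = b"ATTACK"   # constructed stand-in for an IPS detection pattern


def reassemble(fragments, policy):
    """Reassemble (offset, data) fragments into one byte string.

    policy "first": bytes of the earliest-received fragment win on overlap.
    policy "last":  bytes of the latest-received fragment win on overlap.
    Both policies are hypothetical simplifications of real stack behaviour.
    """
    total = max(off + len(data) for off, data in fragments)
    buf = bytearray(total)
    seen = [False] * total
    for off, data in fragments:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "first" and seen[pos]:
                continue            # keep the byte that arrived first
            buf[pos] = byte         # "last" simply overwrites
            seen[pos] = True
    return bytes(buf)


def inspect(fragments, ips_policy, host_policy):
    """Compare what the IPS reconstructs with what the host reconstructs."""
    ips_view = reassemble(fragments, ips_policy)
    host_view = reassemble(fragments, host_policy)
    return {
        "ips_view": ips_view,
        "host_view": host_view,
        "ips_alert": SIGNATURE in ips_view,   # would the IPS have fired?
        "host_hit": SIGNATURE in host_view,   # does the host see the payload?
        "out_of_sync": ips_view != host_view,
    }


# Constructed fragments: the third fragment overlaps the first one.
FRAGMENTS = [(0, b"ATT"), (3, b"ACK"), (0, b"XYZ")]

if __name__ == "__main__":
    print(inspect(FRAGMENTS, "last", "first"))   # policies differ: missed
    print(inspect(FRAGMENTS, "first", "first"))  # policies match: detected
```

Making the inspection device reassemble the way the protected host does (the second call, where both policies agree) removes the discrepancy; this target-aware normalisation is the kind of prevention method the article refers to.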
