Friday 23 October 2015

Key-Recovery Attacks on KIDS, a Keyed Anomaly Detection System


ABSTRACT:
Most anomaly detection systems rely on machine learning algorithms to derive a model of normality that is later used to detect suspicious events. Some works conducted over the last years have pointed out that such algorithms are generally susceptible to deception, notably in the form of attacks carefully constructed to evade detection. Various learning schemes have been proposed to overcome this weakness. One such system is KIDS (Keyed IDS), introduced at DIMVA’10. KIDS’ core idea is akin to the functioning of some cryptographic primitives, namely to introduce a secret element (the key) into the scheme so that some operations are infeasible without knowing it. In KIDS the learned model and the computation of the anomaly score are both key-dependent, a fact which presumably prevents an attacker from creating evasion attacks. In this work we show that recovering the key is extremely simple provided that the attacker can interact with KIDS and get feedback about probing requests. We present realistic attacks for two different adversarial settings and show that recovering the key requires only a small amount of queries, which indicates that KIDS does not meet the claimed security properties. We finally revisit KIDS’ central idea and provide heuristic arguments about its suitability and limitations.
AIM
The aim of this paper is to examine KIDS, in which the learned model and the computation of the anomaly score are both key-dependent, a fact which presumably prevents an attacker from creating evasion attacks.
SCOPE
The scope of this project is to show that recovering the key is extremely simple provided that the attacker can interact with KIDS and get feedback about probing requests.
EXISTING SYSTEM
It has been accurately pointed out that security problems differ from other application domains of machine learning in at least one fundamental feature: the presence of an adversary who can strategically play against the algorithm to accomplish his goals. For example, one major objective for the attacker is to avoid detection. Evasion attacks exploit weaknesses in the underlying classifiers, which are often unable to identify a malicious sample that has been conveniently modified so as to look normal. Examples of such attacks abound. For instance, spammers regularly obfuscate their emails in various ways to avoid detection, e.g. by modifying words that are usually found in spam, or by including a large number of words that do not. Similarly, malware and other pieces of attack code can be carefully adapted so as to evade Intrusion Detection Systems (IDS) without compromising the functionality of the attack.
DISADVANTAGES:

  1. Anomaly detection systems rely on machine learning algorithms to derive a model of normality that is later used to detect suspicious events.
  2. Such algorithms are generally susceptible to deception, notably in the form of attacks carefully constructed to evade detection.

PROPOSED SYSTEM
The proposed system is KIDS (Keyed Intrusion Detection System), introduced by Mrdovic and Drazenovic at DIMVA’10. KIDS is an application-layer network anomaly detection system that extracts a number of features (“words”) from each payload. The system then builds a model of normality based both on the frequency of observed features and their relative positions in the payload. KIDS’ core idea to impede evasion attacks is to incorporate the notion of a “key”, this being a secret element used to determine how classification features are extracted from the payload. The security argument here is simple: even though the learning and testing algorithms are public, an adversary who is not in possession of the key will not know exactly how a request will be processed and, consequently, will not be able to design attacks that thwart detection.
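The keyed feature extraction described above can be sketched as follows. This is an added example, not code from the paper or from KIDS itself: it assumes the key is a secret set of delimiter bytes, uses a simplified score (the fraction of unseen words and adjacent word pairs), and runs on constructed sample requests.

```python
from collections import Counter

def extract_words(payload: bytes, key: bytes) -> list:
    """Split the payload at every byte that belongs to the secret delimiter set."""
    delims, words, cur = set(key), [], bytearray()
    for b in payload:
        if b in delims:
            if cur:
                words.append(bytes(cur))
                cur.clear()
        else:
            cur.append(b)
    if cur:
        words.append(bytes(cur))
    return words

class KeyedModel:
    """Simplified normality model: counts of words and of adjacent word pairs."""
    def __init__(self, key: bytes):
        self.key, self.words, self.pairs = key, Counter(), Counter()

    def train(self, payloads):
        for p in payloads:
            ws = extract_words(p, self.key)
            self.words.update(ws)
            self.pairs.update(zip(ws, ws[1:]))
        return self

    def score(self, payload: bytes) -> float:
        """Fraction of the payload's words and pairs never seen in training."""
        ws = extract_words(payload, self.key)
        pairs = list(zip(ws, ws[1:]))
        total = len(ws) + len(pairs)
        if total == 0:
            return 0.0
        unseen = sum(w not in self.words for w in ws)
        unseen += sum(p not in self.pairs for p in pairs)
        return unseen / total

# Constructed sample traffic and keys (assumptions, not taken from the paper).
TRAINING = [b"GET /index.html HTTP/1.1", b"GET /images/logo.png HTTP/1.1",
            b"GET /index.html?lang=en HTTP/1.1"]
KEY_A, KEY_B = b" /.?=", b" "

def demo():
    request = b"GET /index.html?lang=fr HTTP/1.1"
    a = KeyedModel(KEY_A).train(TRAINING)
    b = KeyedModel(KEY_B).train(TRAINING)
    # Same request, same training data: the score depends on the key.
    return a.score(TRAINING[0]), a.score(request), b.score(request)

if __name__ == "__main__":
    print(demo())
```

The same request scores differently under the two keys, which is the property the security argument relies on; it also means every score returned to an outside party carries information about how the payload was split.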
ADVANTAGES

  1. The focus has been on recovering the key through efficient procedures, demonstrating that the classification process leaks information about it that can be leveraged by an attacker.
  2. The ultimate goal is to evade the system, and we have just assumed that knowing the key is essential to craft an attack that evades detection or, at least, that significantly facilitates the process.


SYSTEM CONFIGURATION:-

HARDWARE REQUIREMENTS:-

  1. Processor - Pentium IV
  2. Speed - 1.1 GHz
  3. RAM - 512 MB (min)
  4. Hard Disk - 40 GB
  5. Keyboard - Standard Windows Keyboard
  6. Mouse - Two or Three Button Mouse
  7. Monitor - LCD/LED

SOFTWARE REQUIREMENTS:-

  1. Operating System - Windows 7
  2. Front End - ASP.NET and C#
  3. Database - MSSQL
  4. Tool - Microsoft Visual Studio

REFERENCE:
Tapiador, J.E.; Orfila, A.; Ribagorda, A.; Ramos, B. “Key-Recovery Attacks on KIDS, a Keyed Anomaly Detection System”, IEEE Transactions on Dependable and Secure Computing, Volume 12, Issue 3, September 2013.
