Firewalls & Detection Evasions

Question 1

stateless firewall

Answer 1

packet filter: examine packet at network layer (L4)
decision based on packet header IP, port, flags
+ application independent, performance and scalability
- no state or application context

Question 2

stateful firewall

Answer 2

decision also based on session state
+more powerful rules
- state for udp?, state explosion

Question 3

next gen. firewall

Answer 3

• NGFW
• deep packet inspection
• take application and protocol state into account for security decision
  + application and protocol awareness
• need to support many application protocols
• perf. and scalability

Question 4

accuracy vs. precision

Answer 4

precision: values of repeated mes. are clustered
accuracy: how close measured values are to the target

Question 5

multiple detectors

Answer 5

parallel composition: either A or B triggers allert (A or B) -> inc. false positive
serical composition: both A and B must trigger for alert (A and B) -> inc. false negative

Question 6

signatures

Answer 6

use information of previous attacks to detect suspicious behaviour

1d: blacklist/whitelist
2d: regular expression functions and string matching
nd: threshold of good or bad activities classifies behaviour

Question 7

sandboxing

Answer 7

run suspicious program in isolated environment and check behaviour
+proactive, no signature updates
-resource intensive, high latency

Question 8

machine learning

Answer 8

supervised: analyze labeled data (good/bad)
unsupervised: classify unlabeled data

Question 9

Firewall Attacks

Answer 9

• IP Source Spoofing: spoof source IP address to bypass filters (ineff. for TCP)
• artificial fragmentation: fragment packets to bypass rules
• Dos: provoke state explosion at FW
• Tunneling: data in ICMP ping packets or DNS requests / VPN channel
• encodings: different encodings or addition of noise

Question 10

Protectors

Answer 10

• detect use of debuggers or virtualization

- if seen, malware causes different operation

Question 11

Crypter

Answer 11

• encrypt malware so that signature detection systems and static analysis are ineffectual

Question 12

packers

Answer 12

• make malware smaller and more portable

- binary is structurally different every time packed version is executed

Question 13

polymorphism techniques

Answer 13

• swap equivalent code
• change order of code
• insert noise
• compiler modulation

Question 14

binder

Answer 14

embed maleware into other software

Question 15

why was stuxnet not detected by antivirus

Answer 15

AV only detects known malware