Research and implementation of advanced evasion technology based on web middleware

Abstract

Since the inception of the Internet in 1969, cybersecurity has remained a significant challenge. On one hand, attackers continuously seek new vulnerabilities to intrude systems, while on the other hand, developers strive to detect and prevent these cyber attacks through various means to safeguard system security. Much like a battle between spear and shield, the war between the two has never ceased.

Nowadays, with the rapid development of the Internet, especially mobile Internet and the Internet of Things, the situation of cybersecurity is becoming increasingly serious. Network evasion technology, a common attack method, is often used in conjunction with viruses and Trojans to evade detection by IDS (intrusion detection system) and poses a serious threat to the security of each of us.

From an attacker’s point of view, this paper introduces the related network evasion technology and advanced evasion technology, including common evasion methods, evasion tools, and prevention measures against evasion technology. And we implement an advanced evasion system at the TCP/IP layer, which is used to discover weaknesses of IDS offline and help improve the performance of IDS.

This system runs in the form of a plugin on SAPP, a large-scale real-time traffic processing platform of the Institute of Information Engineering, CAS, and implements a total of eight network evasion methods and supports user-defined combinations of evasion methods. The system is written using a modular approach, with each evasion method being a module that is highly expandable.

Keywords

IDS
Evasion technology
SAPP
AET

Chapter 1: Introduction

1.1 The current state of cybersecurity

Nowadays, the Internet, especially mobile Internet and the Internet of Things, is developing rapidly. According to statistics, as of December 2016, the number of Internet users in China has reached 1.3 billion, with 42.99 million new users added throughout the year 2016. The Internet penetration rate has reached 53.2%, marking an increase of 2.9 percentage points compared to the end of 2015. It is expected that by the end of 2017, the number of Internet users in China will reach 772 million, and the Internet penetration rate will reach 55.9%.

A bar chart in orange shows the number of Internet users per year, going from 564,000,000 in 2012 to 771,522,000 in 2017. An overlaid line chart in blue shows the Internet penetration rate, going from 41.1% in 2012 to 55.9% in 2017. — Figure 1-1: Number of Internet users and Internet penetration rate in China

On the other hand, with the rapid development of the Internet, the situation of cybersecurity is becoming increasingly serious. In 2016, 360 Security Center released the 2016 China Internet Security Report (hereinafter referred to as the “Report”). The Report provides a comprehensive overview of the security threats faced by individuals, governments and enterprises, such as telecom harassment, malicious programs, Internet fraud, phishing emails, website security, IoT security, DDoS attacks, Android system vulnerabilities, industrial control security, email security, network scanning emergency responses, APTs, and so on. The Report reveals that, after conducting a vulnerability check of over 1.979 million websites, approximately 43.6% of websites in China were found to have security vulnerabilities, with 7.1% of these being classified as high-risk vulnerabilities. The cybersecurity landscape remains grim.

Two pie charts. The left pie chart is titled “Total number of websites scanned in 2015: 2.312 million”. The proportions of the categories are “No vulnerabilities 56.1%” (green), “Vulnerabilities 43.9%” (yellow), and “High-risk vulnerabilities 13.30%” (red). The radius of the red slice is reduced to show that it is a subset of the yellow slice. The right pie chart is titled “Total number of websites scanned in 2016: 1.979 million” and its proportions are “No vulnerabilities 53.7%”, “Vulnerabilities 46.3%”, “High-risk vulnerabilities 7.1%”. — Figure 1-2: Comparison of website vulnerabilities in 2015–2016

Meanwhile, users’ awareness of cybersecurity is very weak. According to incomplete statistics, 81% of Internet users in China do not change their account passwords regularly, and among them, 64% only change their passwords when they encounter problems, and 17% never change their passwords at all. Additionally, 44% of Internet users use their name, birthdate, or phone number as a password, with the percentage being even higher among teenagers, reaching 49%. Furthermore, 75% of Internet users use the same password for multiple accounts, with the issue being more prevalent among teenagers, where the figure rises to 82%.

Meanwhile, users are highly susceptible to security risks when scanning QR codes. According to incomplete statistics, 36.96% of Internet users answer the question concerning QR codes with “scanning QR codes frequently without considering the security”. Among teenage users, the percentage is even higher, with 40.3% admitting they frequently scan QR codes without considering the security.

In addition, more than 80% of users connect to public wifi without caution, posing significant risks to their payment behaviors. According to incomplete statistics, 80.2% of Internet users connect to public wifi at will without performing any security checks, of which, 45% of Internet users not only browse websites with free public wifi, but also use instant messaging tools such as WeChat and SMS. Nowadays, online payment is becoming increasingly common, but statistics show that 83% of Internet users are exposed to serious security risks in their online payment behaviors. Among them, 38% of Internet users use public wifi without passwords to make online payments, and 42% do not choose to erase Internet browsing history after making payments on public networks.

A pie chart with title “Usage of public wifi”. 19.78%: Never connect. 30.17%: Connect, for simple activities such as web browsing only. 45.29%: Connect, not only for browsing websites, but also for using QQ, WeChat. 4.75%: Connect, not only for browsing websites and using instant messaging tools but also for online shopping or web transactions. — Figure 1-3: Usage of public wifi

In 2013, the “Snowden Incident” and “PRISM” shocked the world, making people more deeply aware of the critical importance of cybersecurity. Because of this, on 2014-02-27, the Central Government established the Central Leading Group for Cybersecurity and Informatization, headed by President Xi Jinping himself. The Leading Group focuses on national security and is responsible for coordinating major issues related to informatization and cybersecurity across various sectors, including politics, economics, culture, and military. The Leading Group also researches and formulates development strategies and major policies on informatization and cybersecurity, thereby driving the construction of national informatization and cybersecurity and continuously enhancing the level of China’s security and guarantee. President Xi further emphasized the strategic importance of cybersecurity by stating, “Without cybersecurity, there is no national security”, elevating the issue of cybersecurity to the level of national security.

1.2 Common cyber attack methods

Cyber attack methods are numerous and continuously evolving. This chapter describes only a few common cyber attack methods and their corresponding countermeasures: SQL injection, DoS attacks, malicious code attacks, phishing websites, etc.

1.2.1 SQL injection attacks

SQL injection is one of the common tactics used by hackers to attack databases. Due to varying skill levels among programmers, some fail to validate the legitimacy of user input when writing code, which leads to security risks in applications. Users can submit a seemingly normal database query code and obtain certain desired data through the results returned by the program. This is known as SQL injection.

Since SQL injection utilizes normal HTTP requests, it appears indistinguishable from regular HTTP requests on the surface, making it highly covert and difficult to detect.

SQL injection is generally divided into the following steps:

Step one: Determine whether the current environment is vulnerable to SQL injection. If only web pages are accessed and no database operations are involved, then SQL injection is not a concern.

Step two: Identify SQL injection points. Once step one is successful, the next step is to search for SQL injection points. This is typically done by crafting specially formatted inputs and analyzing the browser’s responses to infer the data type. From there, efforts can be made to locate the exact injection point.

Step three: Guess the database username and password. Attackers can use many readily available injection tools found online to crack usernames and passwords.

Step four: Gain access to the website backstage admin panel, which is usually not open to regular users. Attackers can use scanning tools to locate possible admin entry points and then attempt to log in using trial and error until successful access is achieved.

An abstract diagram with labeled nodes: Attacker, Web server, Database, Backend administrator. Attacker→Web server: Construct special database query statements. A word bubble from Web server: Lack of judgment of the legitimacy of input. Web server→Database: Dynamic database query. Database→Web server: Return database information. Web server→Attacker: Obtain database information. Attacker→Backend administrator: Use SQL statements to guess administrator information. Attacker→Backend administrator: Log in to admin panel. Finally, the Backend administrator has an arrow pointing to a starburst that reads: Tamper with interface, modify data, and carry out further attacks. — Figure 1-4: General flow of SQL injection

1.2.2 DoS attacks

DoS attacks are also known as denial of service attacks. They can make the target system unable to provide normal services or even crash by exhausting its resources. The system resources under attack include CPU, memory, network bandwidth, and so on. This is a very common attack, with an average of 28 DoS attacks occurring every hour globally. The primary forms of DoS attacks are typically divided into the following three types:

The first type: Constructing a large number of useless connections, which saturates the network bandwidth to the target host, thereby preventing normal requests from communicating with the target host.

The second type: Taking advantage of vulnerabilities in the target host or the transport protocol and sending repeated requests at a high rate, thereby preventing the target host from processing normal requests in a timely manner.

The third type: Taking advantage of vulnerabilities in the target host or the transport protocol and repeatedly sending abnormal attack data to make the target host misallocate a large amount of system resources, thereby paralyzing the host.

Common DoS attack methods include Synflood, Smurf, Land_based, Ping of Death, Teardrop, PingSweep, and Pingflood. The specifics of each method are beyond the scope of this paper. Building upon the foundation of DoS attacks, DDoS attacks (distributed denial of service) have emerged. It refers to the manipulation of a large number of computers to simultaneously attack a target host through a distributed network based on DoS attacks. The number of computers attacked by DDoS attack can often reach million or even ten million, which greatly improves the efficiency and success rate of the attack.

It is worth mentioning that attackers typically obtain botnets by using Trojan horse viruses to infect and take control of a large number of computers and then manipulate these botnets to launch a DDoS attack simultaneously. This poses a significant threat.

1.2.3 Malicious code attacks

Malicious code attacks refer to code that can perform unauthorized operations on a computer, including various Trojan horses, viruses, and buffer overflow attacks. Malicious code attacks pose the greatest threat, encompass the most varieties, are highly transmissible, and are difficult to prevent. Take Trojan horse viruses as an example, they are divided into the controlling end and the controlled end. Once a user is infected with a Trojan horse virus, the attacker will obtain most operating privileges on the target host, including the ability to modify files, modify the registry, control the mouse and the keyboard, and so on. Meanwhile, because Trojan horse viruses are highly covert, attackers usually employ various methods to disguise Trojan horse viruses to make them look the same as normal software, so even if users realize they have been infected with a Trojan horse virus, it is difficult to find and delete it in time.

Malicious code attacks can cause severe consequences as they may steal important information from the victim’s computer, including online banking account details and passwords. They may also encrypt the entire disk for extortion. Moreover, new variants of malicious codes continuously emerge, making it nearly impossible to defend against new types of viruses. Consequently, malicious code attacks have become the greatest threat to cybersecurity.

1.2.4 Phishing websites

Phishing websites typically refer to “spoofed” websites that are disguised as legitimate banking and e-commerce websites, and are often used to steal information submitted by users, such as bank card details, account numbers, passwords, and other information. Phishing websites are generally spread through emails, which often contain a disguised link intended to entice users to click. The pages of phishing websites are usually designed to look identical to those of legitimate websites, with only slight differences in the URL, and they prompt users to submit sensitive information such as usernames and passwords. Generally speaking, phishing websites are relatively low-tech, and all an attacker needs to do is to create a few web pages and a URL that is very similar to that of a legitimate website. However, users can easily fall victim to these scams if they do not exercise caution.

1.3 Intrusion detection systems

IDS is also known as intrusion detection system. It refers to a system that monitors the operating status of a system according to specific security policies, aiming to detect various attacks as promptly as possible and then give alerts. This enables users to identify various security risks in advance and take timely action to address them. The presence of IDS effectively ensures the security of the system and greatly reduces the risk of malicious attacks. In some large systems or networks, IDS is an essential configuration.

Unlike traditional firewalls, IDS does not perform interception, but focuses solely on monitoring and alerting. As an on-path monitoring device, IDS does not need to be deployed in essential network links. It only requires a copy of the monitored network traffic through a “splitting” method, which does not affect the actual traffic. This is called the “parallel” mode of IDS.

A network diagram. At the top left, between the DMZ zone and the Internet, there is a splitting router attached to an IDS N120. At the bottom, between Intranets 1 and 2 and the Internet, there is a splitting router attached to both an IDS N3200 and an IDS console. — Figure 1-5: Simple schematic diagram of IDS

Whether an IDS is efficient or not depends mainly on the intrusion detection methods it employs. Currently, the main intrusion detection methods used in practical applications include the following:

Pattern matching, known as “signature-based” in English; i.e., signature-based intrusion detection. This method usually involves creating a attack signature database, which contains the signatures of known attacks (e.g., specific code segments, specific commands, etc.), and then inspecting whether the sent data messages contain these signatures in turn for the network traffic flowing through them. This is the most traditional intrusion detection method, which it is simple and efficient compared to other methods. However, its disadvantages are also obvious. It can only detect known attacks and the detection effect is completely dependent on the signature database, making it quite limited. Meanwhile, due to the need to analyze and possess a large amount of network traffic, the efficiency of this method will become a bottleneck.
Statistical models. Statistical models are usually used for anomaly detection. In statistical models, the following three measurement parameters are commonly employed: interval time, number of audit events, and resource consumption. The five commonly used statistical models include: (a) Operational model, which compares statistical results with standard indicators to identify anomalies, and the standard results are usually obtained by calculating the average values over a certain period of time or based on experience. As an example, if multiple failed login attempts occur in a short period of time, then it may indicate that the attacker is trying to enumerate passwords for attack. (b) Variance model, which sets the confidence interval and then calculates the variance of the measurement results. When the variance exceeds the range of the confidence interval, then we can suspect that it is an anomalous case. (c) Markov process model. We can define each type of event as a system state and then represent the change of a state-by-state transition matrix. When an event occurs, we can check the probability of that transition in the state transition matrix. If the probability is low, then we can suspect that it is an anomalous case. (d) Time series analysis. We can sequence the event counts by time. If the probability of an event occurring at a specific time is relatively low, then we can suspect that it is an anomalous case.
File integrity check. This intrusion detection method typically involves comparing the current files of the system with those from the last check. If a file change is detected, then it can be suspected that the system has been invaded. Typically, the results of each check are stored in the file integrity check system. During each check, the files to be checked are hashed to get a file summary, and then the correspondence between files and summaries are stored in the database for comparison next time.
Machine learning–based intrusion detection methods. With the rapid development of machine learning, machine learning is utilized in various fields to improve results. Intrusion detection is no exception. Machine learning-based intrusion detection is divided into supervised and unsupervised machine learning. In supervised machine learning, each data is labeled to create a dataset used for training machine learning algorithm. Unsupervised machine learning only requires inputting all the data into the machine, allowing it to identify patterns on its own. Machine learning–based intrusion detection method does not require deep research in cybersecurity or spending a lot of time looking for attack signatures, as long as the data is available. With the increasing availability of machine resources and the widespread use of machine learning algorithms, this method will become increasingly popular in the future.

1.4 Evasion technology

Evasion technology is a means of disguising cyber attacks. It refers to the techniques employed by attackers to manipulate packets in order to allow the attack code to evade detection by IDS, thereby achieving the goal of jeopardizing the target host.

Evasion technology first appeared in 1998. In January 1998, Ptacek and Newsham published a paper entitled “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection”, describing some fundamental issues in IDS products and models and a series of methods for bypassing IDS detection from the underlying TCP/IP layer (network layer). Its main idea is to take advantage of the difference between the way IDS analyzes and processes data messages and the way the target host processes them to perform insertion, evasion and denial-of-service attacks, thus preventing IDS from correctly detecting the attacks. This was the first time the concept of evasion technology was introduced in the field of cybersecurity, and as such, that paper has become a classic reference related to evasion technology.

That paper, published in 1988, focuses on the challenges posed by IP fragmentation, and also discusses other evasion technologies, including modifications to IP options and TCP options. Today, many of the evasion technologies mentioned in that paper are still effective in avoiding detection by current IDSes.

1.5 Advanced evasion technology

Advanced evasion technology, abbreviated AET, is an evolution of evasion technology.

In August 2010, Finland’s StoneSoft announced the discovery of a new advanced evasion technology (AET). The discovery of AET greatly expanded existing knowledge of evasion technology. Subsequently, StoneSoft reported this significant discovery in detail to Finland’s CERT (Computer Emergency Response Team), and it was verified by ICSA (International Computer Security Association). Research revealed that many existing cybersecurity solutions are unable to detect this advanced evasion method.

Compared with traditional evasion methods, AET usually has the following characteristics: (a) the fundamental principle remains unchanged; (b) it is based on ordinary evasion technologies and is a combination of multiple methods and layers; (c) it possesses stronger evasion capabilities and is difficult to be detected by IDS; and (d) the number of evasion methods is huge.

1.6 Organization of this paper

Chapter 1 of this paper begins with an introduction to the current state of cybersecurity, common cyber attack methods, and knowledge about intrusion detection systems. It aims to help readers quickly understand the current threats faced in the field of cybersecurity and common network attack and defense methods. The focus of this paper to be addressed, namely, advanced evasion technology, is then briefly introduced.

Chapter 2 provides a detailed overview of the classification of various evasion technologies and their application scenarios. In addition, it also discusses the software that can facilitate the implementation of these evasion technologies.

Chapter 3 describes the system design work, mainly including controller design, design of interaction with SAPP, and design of specific evasion methods.

Chapter 4 describes the implementation part of the platform, including implementation of controller and various evasion methods.

Chapter 5 describes the experimental part, including experimental steps, results, and analysis of the results.

Chapter 6 summarizes the main contributions of this paper and provides an outlook for future work.

Chapter 2: Introduction to evasion technology

2.1 Classification of evasion technologies

2.1.1 Denial of service

First, denial of service: its goal is to overwhelm network bandwidth and exhaust system resources, such as CPU and memory space of IDS. In addition to generating large amounts of network traffic, the attack can also exploit weaknesses in the detection algorithm. In this type of attack, the attacker uses a backtracking method to attempt to cover all possible rule matches to get the algorithm to compute the worst case every time. In this case, experiments have demonstrated that: Just 4.0 kbps of bandwidth traffic is enough for a DoS attack. This type of attack, which leverages algorithmic complexity rather than overwhelming network bandwidth, is a typical example of a DoS attack.

2.1.2 Packet fragmentation

Packet fragmentation includes IP packet fragmentation and TCP packet segmentation, which divides IP packets or TCP streams into non-overlapping fragments or segments. If IDS is unable to completely reassemble the contents of the packets, it may overlook an attack against the destination host. As an example, IPS might look for the signature “/bin/sh” in a packet payload, but an attacker might split the packet into two fragments, one containing “/bin” and the other containing “/sh”. If the IPS is unable to reassemble these two segments, then it will fail to detect the signature, thus allowing the attacker to evade detection.

Because IDS is responsible for monitoring all network traffic, it must, in theory, reassemble all IP fragments and TCP segments in the network to prevent evasion. However, IDS has resource limitations regarding the information for each connection. As an example, the buffer used for reassembly may be insufficient. Therefore, IP fragmentation or TCP segmentation may be effective, if the IDS happens not to reassemble them.

2.1.3 Duplicate packet insertion

Duplicate packet insertion refers to the tactic of inserting duplicate packets or overlapping TCP segments or IP fragments to confuse IDS. This technique relies on the different methods for processing duplicate or overlapping fragments by IDS and the destination host, as IDS lacks relevant information such as the network topology and the operating system of the destination host. Figure 1 illustrates a specific example of how this technique works. In this example, the attacker inserts a segment with a small TTL value so it is discarded before reaching the destination host.

A diagram showing an Attacker sending 8 packets through an IDS (10 hops away) and to a Victim (3 more hops away). Each packet is represented by a single letter and each has a separate TTL and sequence number. The packets K, A, T, T, A, C have sufficient TTL (14 to 20) to be seen by both the IDS and the Victim; the packets’ sequence numbers are 6, 1, 2, 3, 4, 5, so they spell ATTACK when reassembled. Between T, T and A, C are two additional packets labeled X; their TTLs are 11 and 12, and the diagram shows them being dropped between the IDS and the Victim. The X packets have duplicate sequence numbers with either the preceding or the following packet. — Figure 2-1: Schematic diagram of duplicate packet insertion

Overlapping IP fragments and TCP segments may be ambiguous to IDS. As an example, let’s suppose one TCP segment has a sequence number of 10 and a payload of ATTXYZ, while another segment has a sequence number of 13 and a payload of ACK. When both packets are received, the destination host may reassemble them into either ATTXYZ or ATTACK, depending on the operating system of the host. If IDS does not know the operating system of the host, it may process these two packets differently than the host. The attacker can exploit this to evade detection.

2.1.4 Payload transformation

Payload transformation refers to the process by which an attacker converts malicious payloads into semantically equivalent ones. The transformed payload appears different from the signatures that IDS expects, so the attacker can evade detection. Since the transformed payload is semantically the same, the attack remains effective. As an example, using the library libwhisker (www.wiretrip.net/rfp/txt/whiskerids.html), the URL header of an HTTP request can be transformed into an equivalent expression. This transformation can involve hexadecimal encoding. Using the hexadecimal encoding of URLs as an example, if a directory name “cgi-bin” is encoded as “%63%67%69%2d%62%69%6e”, IDS will fail to detect “cgi-bin”. A SQL injection attack can evade detection in the same way.

Similar to duplicate packet insertion, payload transformation is ambiguous for IDS as the processing method differs between the host and the IPS. For example, Apache does not accept backslashes as legitimate slashes, but Microsoft IIS does. As a result, administrators have to configure the IDS to make its processing method consistent with that of the host.

2.1.5 Shellcode transformation

Shellcode transformation involves encoding shellcode into a polymorphic form to evade detection by IDS. There are many methods to achieve this. For example, an attacker can encrypt or compress shellcode and preconfigure a decryption or decompression routine within the code. Attacker can also replace the original code with semantically equivalent code; a specific example is inserting a nop instruction to make the code look different. For example, the instruction mov eax, ebx can be replaced with push ebx, pop eax. This way, signature-based IPS will be unable to detect it, thus enabling evasion. This technique is also used in various types of malware, such as viruses and worms.

Because there are so many ways to transform shellcode, it becomes particularly difficult for IDS to detect polymorphic code. An IDS may need to encrypt and decrypt code or even simulate code execution (e.g., run in a sandbox) to identify malicious behaviors. Thus, reconstructing shellcode becomes particularly computationally intensive, even overwhelming the IDS.

2.2 Evasion tools

There are various evasion methods, and evasion tools also emerge endlessly. This paper summarizes several common evasion tools, along with the specific scenarios in which each tool is applicable.

Fragroute, which implements packet fragmentation and duplicate packet insertion at the TCP/IP layer. An attacker simply needs to write a script to configure the order in which the evasion technologies are to be used before launching Fragroute, and then the system will execute these evasion technologies in the configured order.

Nikto, a network scanning tool that can generate many harmful URI requests. It helps developers and network administrators test for possible security issues on servers. This software also provides an anti-IPS method: Payload transformation is employed to allow network scanners to evade detection by IPS.

ADMmutate, a tool that implements shellcode mutation. A program using the ADMmutate API can transform shellcode into different forms to evade detection by signature-based IPS.

Sploit, an evasion testing framework that allows attackers to develop new evasion technologies. This framework includes most of the evasion technologies provided by Fragroute, Nikto, and ADMmutate. It also provides payload transformation at the application layer (such as FTP or IMAP). For example, “\xff\xf1” is a meaningless telnet control instruction, so an FTP command like PASS can be replaced with “P\xff\xf1ASS”, thus evading detection by the IPS that matches the signature for “PASS”.

Metasploit, a framework for penetration testing, IDS signature matching, and vulnerability research. It supports exploiting vulnerabilities to attack remote hosts. The Metasploit framework also offers more shellcode transformations than ADMmutate and Sploit^[11].

Havij, an automated SQL injection tool that exploits web vulnerabilities. It encodes attack strings into formats such as hexadecimal and BASE64.

Figure 2-2: Scope of application of evasion tools
Evasion methods	Evasion tools
Packet fragmentation	Frogroute, Sploit
Duplicate packet insertion	Frogroute, Sploit
Payload transformation	Nikto, Sploit, Havij
Shellcode transformation	ADMmutate, Sploit, MetaSploit

2.3 Prevention of evasion technology

2.3.1 Prevention of DoS attacks

Generally, administrators can enhance resilience against DoS attacks by increasing available bandwidth and utilizing IDS clusters. When a DoS attack occurs, administrators can block specific malicious traffic and investigate the attack vector. Then they report to the IDS developer to check if the IDS is vulnerable to algorithmic complexity attacks.

2.3.2 Prevention of packet fragmentation and duplicate packet insertion

To combat this type of attack, the primary strategy relies on the IDS reassembling packets to restore the original packets. Many current studies have proposed signature matching algorithms instead of packet reassembly. The main idea of this algorithm is to divide the original signatures into smaller ones as well, and then use these smaller signatures to match instead of reassembling the packets. But this algorithm does not address other evasion methods, such as payload transformation.

Currently, there are two main techniques to address duplicate packet insertion. The first is stream modification, where a method is selected to interpret duplicate packets before they reach IDS, so that both the IDS and the target host see the same packet, thus eliminating ambiguity. However, a potential issue with this approach is that the standardization process may incur significant memory overhead, as it requires storing all unacknowledged packets in memory.

2.3.3 Prevention of payload transformation

To cope with payload transformation, an IDS must be capable of restoring the transformed payload. For example, when a hexadecimal encoding like “%20” is detected in a URI request, the IPS must be able to convert it back to a space. An IDS must be able to process encoding methods in different applications. Since target hosts support different encoding methods, IDS must be carefully configured to ensure that its processing method is consistent with that of the target host. Another protective method is host-based text scanning, where IDS must collaborate with the backend web server. When a request is received, the web server first decodes the URL and then returns the result to IDS for detection.

2.3.4 Prevention of shellcode transformation

There are many ways to detect polymorphic shellcode, such as using the range of return addresses to detect shellcode related to buffer overflow attacks. However, because this method requires manual configuration of the return address for each vulnerability, it is not applicable, even though it has a very high accuracy rate, with a false positive rate of 0.01% and a false negative rate of 0%.

There is also a neural network–based hybrid tool that can classify decomposed instructions. It uses the execution frequency of instructions as a feature for training and classification. Although this method works well, it cannot detect shellcode that has never been encountered before.

Detection of polymorphic shellcode at the network layer involves simulating the execution of shellcode in an emulator (e.g., a sandbox). This method treats the input stream as instructions and attempts to execute them. This detection is feasible because normally the execution of random bytes would stop very quickly (an illegal instruction is encountered), but polymorphic shellcode is only executed when the payload is fully decrypted. This detection follows the following strategy: If location-related instructions for the encrypted payload are found and there are a large number of reads and writes in a small block of memory, then it may indicate that the decryption processor is working.

Chapter 3: Design of an advanced evasion system

The goal of the system is to implement an advanced evasion system based on network middleware, which is required to be able to implement most evasion operations at the TCP/IP layer and support a combination of various evasion methods. In this context, the network middleware refers to the SAPP platform of the Institute of Information Engineering, CAS.

Based on this, this paper implements an advanced evasion system that runs on the SAPP platform as a plugin, which is automatically loaded during the platform’s runtime. When the plugin is running, network traffic is obtained through the API provided by SAPP, and then sent out via the API provided by SAPP after being processed by the evasion system. Throughout the process, the evasion system only needs to do the core evasion processing, while other operations, such as Pcap packet capture and sending packets, are completed by the SAPP platform, so as to realize the decoupling of sending/receiving and processing operations.

3.1 Introduction to the SAPP platform

SAPP (Stream Analyse Process Platform) is a cybersecurity development platform designed for high-speed network stream processing. With full-stack protocol analysis capabilities, it supports IPv4/IPv6 network-layer protocols, intermediate-layer protocols such as VLAN, GRE, MPLS, and PPPoE, and application-layer protocols such as SOCKS, HTTP, SMTP, IMAP, POP3, FTP, and Telnet. Processing capabilities ranging from 10 Gbps to 40 Gbps can be achieved on appropriate hardware platforms. The platform supports both parallel and serial deployment modes.

3.2 Evasion system design

The evasion system is primarily divided into 4 components: controller, evasion methods, SAPP interaction, and configuration files. The controller is the main part of the whole program, which is responsible for the whole process from inputting raw data to outputting processed data. Evasion methods refer to specific methods that are functional functions, and each evasion method is a separate module. SAPP interaction refers to the part that invokes the receiving/sending interfaces of the SAPP platform, which is part of the program I/O. Configuration files refer to user-defined configuration files for evasion methods and their combinations.

There are four boxes: Configuration files, Controller, SAPP interaction, and Evasion methods. Configuration files is connected to Controller with an error that says Retrieve; Controller to SAPP interaction with an arrow that says Input; SAPP interaction back to controller with an arrow that says Output; and Controller to Evasion methods with an arrow that says Invoke. — Figure 3-1: Evasion system design drawing

3.2.1 Controller

The controller is the main part of the program and is responsible for handling everything from receiving a packet to sending it out after processing. Because of the need to implement a combination of evasion methods, a queue is designed to store packets. Initially, the queue contains all the packets that need to be processed. Whenever a packet is processed, the new packet obtained from the processing is added to the queue, while the original packet is removed from the queue. Once all evasion commands are completed, the remaining packets in the queue are the ones that have undergone evasion processing. The processing flow for an input packet is as follows:

A flowchart. The initial linear series of steps is: “Start”, “Read the command configuration file”, “Read a packet using SAPP”, “Select the current evasion command”, “Select the packet at the head of the queue”. Now there is a conditional: “Queue head <= queue tail”. If No, go to “Next evasion command” and back to “Select the current evasion command”. If Yes, proceed to “The current packet executes the evasion command”. Then there is another conditional: “Last command”. If No, go to “The processed packet is added to the queue; The original packet is removed from the queue” and then back to “Select the packet at the head of the queue”. If Yes, to to “End, send the packet in the queue”. — Figure 3-2: Controller processing flow

3.2.2 Evasion methods

This system implements a total of eight TCP/IP evasion methods, namely: IP fragmentation, IP overlap, TCP segmentation, TCP segment overlap, modifying TTL, modifying MSS, modifying wscale, and modifying TCP flags. See the table below for details.

Table 3-3: Eight evasion methods implemented by the system
Evasion name	Corresponding module name
IP fragmentation	module_ip_frag
IP overlap	module_ip_overlap
TCP segmentation	module_tcp_frag
TCP segment overlap	module_tcp_overlap
Modify TTL	module_modify_ttl
Modify TCP flags	module_modify_tcp_flags
Modify MSS	module_modify_mss
Modify wscale	module_modify_wscale

3.2.3 Configuration file

Since it is an advanced evasion system, the system supports the combination of different evasion methods. Users can configure the evasion methods to be executed, execution order, and evasion parameters in the configuration file on their own. The configuration file needs to be placed in the current directory and named AET.conf.

The command configuration rules in the configuration file are similar to commands in Linux, i.e., command + parameter. Specific commands and parameter descriptions are shown in the table below:

Table 3-4: Configuration rules for the configuration file
Evasion name	Command	Parameter 1	Parameter 2	Parameter 3	Remarks
IP fragmentation	ip_frag	`size` (fragment size)
IP overlap	ip_overlap	`size` (fragment size)	`overlap` (fragment overlap size)	`model` (overlap rule)	`model` is 0/1, where 0 indicates that the later one overwrites the earlier one.
TCP segmentation	tcp_frag	`size` (fragment size)
TCP segment overlap	tcp_overlap	`size` (segment size)	`overlap` (segment overlap size)	`model` (overlap rule)	`model` is 0/1, where 0 indicates that the later one overwrites the earlier one.
Modify TTL	modify_ttl	`size` (new TTL value)
Modify TCP flags	modify_tcp_flags	`flag` (new tcp flag)			The `flag` range is (syn, ack, fin, rst, psh).
Modify MSS	modify_mss	`size` (new MSS value)
Modify wscale	modify_wscale	`size` (new wsacle value)

For example, for the following configuration file:

ip_frag 4
modify_ttl 64
modify_tcp_flags syn

It means that each packet passing through will first undergo IP fragmentation with a fragment size of 4, then the TTL will be modified to 64, and finally, the TCP options will be changed to syn.

3.2.4 SAPP interaction

The SAPP platform is a large-scale real-time stream processing platform, and because of its full protocol stack parsing capabilities, in essence, SAPP shields the system from protocol stack details. For its upper-layer services, SAPP provides an encapsulated API for invoking. Its advantage is that when implementing the evasion system, data sending and receiving can be directly managed by invoking SAPP’s interfaces, allowing the focus to remain on evasion processing.

In terms of receiving traffic, SAPP provides a variety of interfaces, including IP-layer traffic (after fragment reassembly), TCP-layer traffic (after TCP stream reconstruction), and even raw traffic at the Ethernet layer. In our system, we get the IP-layer traffic. The entry function for IP-layer traffic is as follows:

char business_ip_entry(struct streaminfo*f_stream, unsigned char routedir, int thread_seq, const void* entry_ip_pkt);

Where:

fstream: Information on the current stream
routedir: Upstream or downstream direction
thread_seq: Current thread
entry_ip_pkt: Pointer to an IP packet, which is the packet to be processed

In terms of sending packets: SAPP provides various encapsulated functions for sending packets, including sending IP packets, TCP packets, Ethernet frames, etc. Here we use the function for sending IP packets. SAPP provides the following function for sending IP packets:

MESA_sendpacket_iplayer(int thread_index,const char* ip_pkt,int buf_len,int dir);

Where:

thread_index: Current thread
ip_pkt: Pointer to the IP packet to be sent
buf_len: Length of the IP packet to be sent
dir: Upstream or downstream direction

3.3 Evasion method design

The system needs to implement eight evasion methods, as detailed in Table 3-3. The design ideas for each evasion method are explained below.

3.3.1 IP fragmentation

IP fragmentation is one of the most common and traditional evasion methods, and its main principle is to eliminate the signatures of malicious codes by dividing IP packets into very small fragments. Since most IDSes are signature-based matching, this method can effectively evade detection by IDS. The following shows how IP fragmentation works.

On the left, a box with red text ATTACK. An arrow leads to the middle, where there are two side-by-side boxes with black text ATT and ACK. Another arrow leads to a larger box on the right side with the text IDS. — Figure 3-5: IP fragmentation process

Then how can we implement IP fragmentation? We need to have an understanding of the structure of IP header. Below is a diagram illustrating the structure of an IP message.

Diagram of an IPv4 packet, 32 bits wide. 4-bit Version. 4-bit Length. 8-bit Type of Service (TOS). 16-bit Total Length (in bytes). 16-bit Identification. 3-bit Flags. 13-bit Fragment Offset. 8-bit Time to Live (TTL). 8-bit Protocol. 16-bit Checksum. 32-bit Source IP Address. 32-bit Destination IP Address. Options (if any). Data. There are wavy lines to indicate that Options and Data have variable size. — Figure 3-6: IP message format

In Linux’s tcp.h, the structure of the IP message header is defined as follows:

struct ip {
    u_int ip_hl:4,  //Header Length
          ip_v:4;   //Version
    u_char ip_tos;  //Type of Service
    u_short ip_len; //Total Length of IP Packet
    u_short ip_id;  //16-bit Identification
    u_short ip_off; //Offset
    u_char ip_ttl;  //Time to Live
    u_char ip_p;    //8-bit Protocol
    u_short ip_sum; //Checksum
    struct in_addr ip_src,ip_dst; //Source and Destination Addresses
};

In the IP header, there are 4 bytes used for fragmentation, which include the 16-bit Identification, the 13-bit Offset, and 3 flag bits: DF (Don’t Fragment), MF (More Fragments), and RF. These correspond to the ip_id and ip_off fields in the IP header. The 16-bit Identification belonging to the same fragment is identical. The 13-bit Offset refers to the offset of the fragmented message relative to the original message, measured in units of 8 bytes. As for the other 3 flags, DF represents Don’t Fragment; if this bit is set to 1, the IP layer will not fragment the message. MF indicates that there are More Fragments, and all fragments except the last one have an MF of 0. RF is a reserved bit that is not used for the time being.

Therefore, we can establish the following correspondence:

Table 3-7: IP fragmentation state diagram
DF	MF	Fragment status
0	0	Last fragment
0	1	Not the last fragment
1	0	Don’t fragment
1	1	Don’t fragment

The portion that requires fragmentation is the payload of the IP packet. For each newly created IP fragment, we need to populate the fields including ip_len (total IP packet length), ip_off (offset), and ip_sum (IP header checksum). The other fields should just remain the same as those in the original IP header before fragmentation.

ip_len: The total length of the IP packet, which includes both the header and the payload. Generally, the header length is 20 bytes, so ip_len would be the payload + 20. But this approach is not very safe, because in some cases, some IP packet headers also have contain IP options. So the correct way to do this is ip_len=payload+ip_hl*4. Because the IP header has a field called ip_hl that indicates the length of the IP header. It is important to multiply by 4 because ip_hl is calculated in units of 4 bytes.

ip_off: The offset of the IP packet, which refers to the offset of the IP fragment relative to the original message. The offset is measured in units of 8 bytes, so after fragmenting the original message, the offset must be divided by 8 before being filled into the IP header. It is important to note that the IP offset is the last 13 bits of ip_off. The first 3 bits of ip_off are the flag bits for the fragment. As shown in the table above, for fragments that are not the last one, both DF and MF should be set to 0. For the last fragment, DF should be set to 0, while MF should be set to 1.

ip_sum: It refers to the checksum of the IP header. The algorithm for calculating the checksum of the IP header is as follows:

Set the Checksum field of the IP header to zero.
Convert the IP header into binary.
Perform a one’s complement sum of the IP header in 16-bit (2-byte) units.
The result is the IP checksum.

Below is code for calculating the checksum:

SHORT checksum(USHORT* buffer, int size)
{
    unsigned long cksum = 0;
    while(size>1)
    {
        cksum += *buffer++;
        size -= sizeof(USHORT);
    }
    if(size)
    {
        cksum += *(UCHAR*)buffer;
    }
    cksum = (cksum>>16) + (cksum&0xffff); 
    cksum += (cksum>>16); 
    return (USHORT)(~cksum);
}

3.3.2 IP overlap

IP overlap is done on the basis of IP fragmentation and refers to the overlap between IP fragments. While IP fragmentation can evade detection, most modern IDSes typically reassemble IP fragments to restore the original message. In this case, IP fragmentation becomes ineffective, necessitating the use of IP overlap. IP overlap exploits a vulnerability arising from the inconsistency in how hosts and IDS process fragment reassembly. In general, there are two common solutions when it comes to IP overlap: either the later packet overwrites the earlier packet or the earlier packet overwrites the later packet. The following diagram graphically explains how IP overlap works:

On the left, a box with red text ATTACK. An arrow leads to two vertically stacked boxes ATTX and ACK, aligned so that the A of ACK coincides with the X of ATTX. The X is red and the other letters are black. An arrow leads to a large box labeled IDS, beneath which is the black text ATTXCK with the letter X highlighted in red. Another arrow leads to a large box labeled HOST, beneath which is the red word ATTACK. — Table 3-8: Schematic diagram of IP overlap

As illustrated in the diagram, there is now a malicious code called ATTACK, which is now split into two fragments: ATTX and ACK. An IP overlap occurs at the fourth position, where the first fragment contains X and the second fragment contains A. When the host or IDS attempts to reassemble these IP fragments, ambiguity arises, as different operating systems or protocol stacks handle this situation inconsistently. If we assume that IDS processes the packets by allowing the earlier packet to overwrite the later one, then the IP packet would be reassembled as ATTXCK, which is not the original message and does not contain the attack signature, thus it is able to evade detection by IDS. After the IP fragments arrive at the target host, the IP packet will successfully be reassembled as ATTACK if the host’s reassembly method is to allow the later packet to overwrite the earlier packet. This is the original malicious code, and the target host is successfully attacked while IDS fails to detect it.

This attack actually exploits the ambiguity in processing during IP overlap. Typically, there are many hosts behind an IDS, and these hosts are unlikely to have identical operating systems and protocol stacks. Therefore, discrepancies between how IDS and hosts process packets will always exist. That is, attackers can always exploit IP overlap to carry out attacks.

The difference between IP overlap and IP fragmentation lies solely in the overlapping payload portion of IP overlap; the generation method of the rest of the IP header is exactly the same as that of IP fragmentation. Therefore, when designing the IP overlap method for the system, we only need to generate the overlapping data and then directly invoke the IP fragmentation module. For example, if an IP packet is ABCDEF with a fragment size of 4 and an overlap size of 2, and the overwrite mode is that the later packet overwrites the earlier packet, then we first transform the data portion into AB**CD**EF**. Then, by invoking the IP fragmentation module, the data will be divided into three fragments: AB**, CD**, and EF**.

3.3.3 TCP segmentation

Similar to IP fragmentation, TCP segmentation works by segmenting the TCP payload so that the original signature of the malicious code is broken up, thereby evading detection by IDS. The difference between IP fragmentation and TCP segmentation is that IP fragmentation occurs at the network layer, while TCP segmentation occurs at the transport layer. Due to the complexity of the TCP protocol, there are more factors to consider in TCP segmentation.

To segment TCP, we need to know something about TCP headers. The diagram below illustrates the structure of a TCP header.

Diagram of a TCP header, 32 bits wide. Source Port (16 bits). Destination Port (16 bits). Sequence Number (32 bits). Acknowledgment Number (32 bits). Header Length (4 bits). Resv (0) (4 bits). CWR, ECE, URG, ACK, PSH, RST, SYN, FIN. Window Size (16 bits). TCP Checksum (16 bits). Urgent Pointer (16 bits). Options (variable). The Acknowledgment Number, ECE, ACK, and Window Size fields are highlighted in gray. On the left, arrows labeled Basic TCP Header (20 bytes) extend from the beginning of the header to the end of Urgent Pointer. On the right, arrows labeled TCP Header extend from the beginning to the end of Options. — Table 3-8: Schematic diagram of IP overlap

As shown above, the basic TCP header contains 20 bytes without additional TCP options. The TCP header contains source port, destination port, seq value, ack value, header length, TCP flags, window size, TCP header checksum, urgent pointer, etc.

In Linux’s tcp.h, tcp is defined as follows:

Since TCP is a stream-based, reliable network transmission protocol, when segmenting TCP, the only values that need to be changed are the seq value and the TCP checksum, as the seq value alone can represent a TCP segment, as explained below:

struct tcphdr {
    unsigned short th_sport; //Source Port
    unsigned short th_dport; //Destination Port
    unsigned int th_seq;     //seq Value
    unsigned int th_ack;     //ack Value
    unsigned int th_off:4,   //tcp Header Length
                 th_x2:4;
    unsigned char th_flags;  //tcp Flags
    unsigned short th_win;   //Window Size
    unsigned short th_sum;   //tcp Checksum
    unsigned short th_urp;   //Urgent Pointer
};

th_seq: It is the TCP sequence number, which is a 32-bit integer. After TCP segmentation, the sequence number of the new TCP message is the sequence number before TCP segmentation plus the offset of the segment.

th_sum: It is the TCP checksum. The TCP checksum is a simple verification method used to ensure that the TCP message has not been modified. The TCP checksum is populated by the sender and verified by the receiver. If the TCP checksum is incorrect, the TCP packet will be discarded directly.

Unlike the checksum at the IP layer, the checksum at the TCP layer and the TCP checksum algorithm are as follows:

Set the TCP checksum field to 0.
Convert the entire TCP message segment to binary.
Perform a one’s complement sum of the binary data in 16-bit units.
The resulting sum is the TCP checksum.

Below is the code for calculating the TCP checksum:

void modify_tcp_checksum(struct iphdr* ip_pkt){
    int ip_hdr_len=ip_pkt->ihl*4;
    int ip_tot_len=ntohs(ip_pkt->tot_len);
    int size=ip_tot_len-ip_hdr_len;
    u_int16_t* buffer=(u_int16_t*)(((char*)ip_pkt)+ip_hdr_len);
    uint32_t saddr=ip_pkt->saddr;
    uint32_t daddr=ip_pkt->daddr;
    ((struct tcphdr*)buffer)->check=0;
    uint32_t sum;
    uint16_t *w;
    int nleft;
    sum = 0;
    nleft = size;
    w = buffer;
    while (nleft > 1){
        sum += *w++;
        --nleft;
        --nleft;
    }
    if (nleft)
        sum += *w & ntohs(0xFF00);
    sum += (saddr & 0x0000FFFF) + (saddr >> 16);
    sum += (daddr & 0x0000FFFF) + (daddr >> 16);
    sum += htons(size);
    sum += htons(IPPROTO_TCP);
    sum = (sum >> 16) + (sum & 0xFFFF);
    sum += (sum >> 16);
    sum = ~sum;
    ((struct tcphdr*)buffer)->check=(uint16_t)sum;
}

It is important to note that after modifying the information in the TCP segment, the tot_len and checksum in the IP layer must also be modified, because modifying the information in the TCP segment also affects these two fields at the IP layer.

3.3.4 TCP segment overlap

TCP segment overlap works on the same principle as IP packet overlap, with the difference being that one occurs at the network layer and the other at the transport layer. Therefore, no further details will be elaborated here.

3.3.5 Modifying TTL

TTL (time to live) refers to the maximum number of network segments that IP packets are allowed to pass through before they are discarded by a router. The unit of TTL is the hop. Each time an IP packet passes through a router, its TTL value is decremented by one. If an IP packet reaching a certain router has a TTL of 0, then that packet will be discarded. A clever evasion can be achieved by subtly modifying the TTL value.

The following diagram graphically shows how to evade IDS detection by modifying the TTL value.

The diagram is horizontally divided into two parts. In the upper part, there is a box containing the text NORMAL, with additional labels SEQ=X and TTL=25. The TTL=25 is highlighted in red. An arrow from the first box reaches another box labeled IDS, but an arrow from there stops before it reaches another box labeled HOST. A curly brace above indicates the extent of the arrows and has the text 25 hops. The lower part is similar. The text NORMAL has changed to a red ATTACK, and the TTL=25 is now TTL=64. The SEQ=X is the same. An arrow reaches the IDS, which has the additional label Duplicate packet, pass through. Another arrow goes from the IDS to the HOST, which has a red label beneath that says Attack. — Table 3-9: Schematic diagram of evasion by modifying TTL

As shown in the diagram above, there are 64 hops in total from the attacker to the target host. Now there is a malicious code ATTACK. If ATTACK is directly sent to the target host, it will certainly be detected by IDS. At this time, if the TTL value is modified, evasion can be cleverly achieved.

We assume that the ATTACK attack packet has a sequence number of seq=x and a time to live of TTL=64. Before sending this ATTACK attack packet, we can construct a normal TCP packet called NORMAL. This NORMAL packet will have the same sequence number of seq=x but TTL=25. Then we send this NORMAL packet first. Since it is a normal packet, it will not be detected by the IDS. However, since the TTL of this NORMAL packet is only 25 but the TTL from the sender to the target host is 64, the NORMAL packet will be discarded before it reaches the target host. At this point, we send the ATTACK packet. When the ATTACK packet reaches IDS, IDS finds that the packet with seq=x has already been detected (from the NORMAL packet), and will therefore allow it to pass through. Therefore, evasion of IDS detection can be achieved by cleverly modifying the TTL.

The key to this evasion method lies in choosing an appropriate TTL so that the IP packet can reach IDS but not the target host. To achieve this, we can continuously modify the TTL to measure the number of hops from the source to IDS.

It is worth noting that modifying the TTL is still essentially constructing a new IP packet. Therefore, after modifying the TTL, it is necessary to modify the tot_len and checksum at the IP layer, and the checksum at the TCP layer, to make them conform to the rules.

3.3.6 Modifying TCP flags

TCP Flags form one of the most important fields in the TCP header. They represent the attributes of a TCP message. A TCP message has a total of five TCP flags: SYN, ACK, FIN, PSH, and RST. Below is an explanation of each of these flags:

SYN: Synchronization, used to synchronize sequence numbers during TCP connection establishment
ACK: Acknowledgment, used to acknowledge receipt of a TCP message
FIN: Finish, used to terminate a connection at the end of the transmission
PSH: Push, used to indicate that data is being transmitted
RST: Reset flag, used to reset a TCP connection

If you want to modify the flag of a particular TCP message, you only need to set the value of the flag to 1. It is worth noting that modifying the flags of TCP is still essentially constructing a new IP packet. Therefore, after modifying the flags of the TCP, it is necessary to modify the tot_len and checksum at the IP layer, and the checksum at the TCP layer, to make them conform to the rules.

3.3.7 Modifying MSS

MSS: Maximum Segment Size, which refers to the maximum length of a TCP message segment. Before discussing MSS, it is important to understand MTU (Maximum Transport Unit), which is determined by the Ethernet frame, typically 1500. The MSS size is usually determined when TCP establishes a connection. Because both TCP and IP packet headers are 20 bytes, the MSS is typically 1460.

If you want to modify the MSS of a particular TCP message, you only need to change the MSS field corresponding to the TCP message to the desired value. It is worth noting that modifying the flags of TCP is still essentially constructing a new IP packet. Therefore, after modifying the flags of the TCP, it is necessary to modify the tot_len and checksum at the IP layer, and the checksum at the TCP layer, to make them conform to the rules.

3.3.8 Modifying wscale

wscale is a window scale factor option. Before discussing the window scale factor option, it is necessary to understand the concept of window size. In the TCP transmission process, the sliding window protocol is used to enable faster data transmission. The size of the sending window indicates the rate at which packets can be sent or received. The window scale factor represents the multiplier by which the window size is scaled. For example, if the original window size is w and the window scale factor is x, then the new window size is calculated as w*2^x. Since wscale is only one byte, the maximum value of wscale is 255.

It should be noted that the window scale factor can only be carried in SYN/ACK packets and takes effect only when enabled in both packets.

Additionally, modifying TCP’s wscale is still essentially constructing a new IP packet. Therefore, after modifying the flags of TCP, it is necessary to modify the tot_len and checksum at the IP layer, and the checksum at the TCP layer, to make them conform to the rules.

Chapter 4: Implementation of an evasion system

Based on the design of the evasion system in Chapter 3, this paper implements an advanced evasion system based on SAPP, which contains eight evasion methods and supports user-defined combination of evasion commands. Meanwhile, since the system adopts a modular design, it supports dynamic addition of evasion methods, making it highly extensible.

The entire system is written in C language, with over 1500 lines of code spread across 19 files. The functionality of each file is described below.

4.1 Description of code files

4.1.1 AET_test.c

It is the entry file for the entire system and contains three functions:

AET_init: Plugin initialization function, which is executed when the platform loads the plugin for the first time.
AET_destory: Plugin destructor function, which is executed when the plugin stops running.
business_ip_entry: The entry for the plugin to obtain traffic from the platform

The diagram below illustrates these functions:

/* Plugin initialization */
int AET_init(){
printf("AET: succeed to init\n");
    init_command_set_system(); //Initialize evasion commands
    init_command_set_user();
}

/* Plugin destructor function */
void AET_destroy(){
    printf("AET: succeed to destroy\n");
}

/* Traffic entry point */
char business_ip_entry(struct streaminfo*f_stream,unsigned char routedir,int thread_seq,const void* entry_ip_pkt){
    printf("Succeed: businiss_ip_entry called");
    exec_command_set(&send_queue); //Execute evasion commands
    return APP_STATE_GIVEME;
}

4.1.2 makefile

The makefile specifies the compilation rules and dependencies among various files in the system. Since the system will eventually run as a plugin, it needs to be compiled as a .so dynamic link library. The contents of the makefile are shown below:

cc=gcc
objects = AET_test.o module_ip_frag.o module_ip_overlap.o
AET_test.so : $(objects)
    cc -g -Wall -shared -o AET_test.so $(objects)
AET_test.o : AET_test.c
    cc -g -Wall -fPIC -c AET_test.c
module_ip_frag.o : module_ip_frag.c
    cc -g -Wall -fPIC -c module_ip_frag.c
module_ip_overlap.o : module_ip_overlap.c
    cc -g -Wall -fPIC -c module_ip_overlap.c
.PHONY : clean
clean :
    rm AET_test.so $(objects)

It should be noted that the above makefile is not complete; it is only a partial excerpt provided to illustrate the purpose of the makefile.

4.1.3 configuer.c

This file is the controller file responsible for the entire process of evasion processing, including reading the configuration file, obtaining input traffic, executing evasion commands, sending the processed packets, etc. It is the most important part of the entire program. This file contains the following main functions.

/* Initialize the system command set; i.e., the evasion commands
   supported by the system */
void init_command_set_system();

/* Initialize the user command set; i.e., read the evasion commands
   configured by the user */
void init_command_set_user();

/* Execute the evasion commands specified in the configuration
   in sequence */
void exec_command_set();

4.1.4 Utils.c

This file is a set of functional functions required by the system. It extracts common functions that are needed across various modules and places them in the Utils.c file. This file contains the following functions.

/* Copy the header of another IP packet */
void copy_ip_header();

/* Copy the header of another TCP packet */
void copy_tcp_header();

/* Modify the checksum of an IP packet */
void modify_ip_checksum ();

/* Modify the checksum of a TCP packet */
void modify_tcp_checksum();

/* Custom strcpy function */
void mystrcpy();

4.1.5 module_ip_frag.c

This is the IP fragmentation module that takes packets to be fragmented as input and stores the fragmentation results in the send_queue. Please refer to the source code for the exact program.

4.1.6 module_ip_overlap.c

This is the IP overlap module that takes packets to be processed as input and stores the results obtained after IP overlap packet processing in the send_queue. Please refer to the source code for the exact program.

4.1.7 module_tcp_segment.c

This is the TCP segmentation module that takes packets to be processed as input and stores the results obtained after TCP segmentation processing in the send_queue. Please refer to the source code for the exact program.

4.1.8 module_tcp_segment.c

This is the TCP segment overlap module that takes packets to be processed as input and stores the results obtained after TCP segment overlap processing in the send_queue. Please refer to the source code for the exact program.

4.1.9 module_modify_ttl.c

This is the module modifying TTL of IP that takes packets to be processed as input and stores the packets with modified TTL in the send_queue. Please refer to the source code for the exact program.

4.1.10 module_modify_tcp_flags.c

This is the module modifying the flags in the TCP header that takes packets to be processed as input and stores the packets with the modified flags in the TCP header in the send_queue. Please refer to the source code for the exact program.

4.1.11 module_modify_mss.c

This is the module modifying the Maximum Segment Size (MSS) in the TCP header that takes packets to be processed as input and stores the packets with modified MSS in the send_queue. Please refer to the source code for the exact program.

4.1.12 module_modify_wscale.c

This is the module modifying the window factor option of TCP that takes packets to be processed as input and stores the packets with modified wscale in the send_queue. Please refer to the source code for the exact program.

4.1.13 module_send_packet.c

This is the module sending the processed packets in send_queue. Please refer to the source code for the exact program.

4.1.14 Various header files

In order to decouple the modules and facilitate better modular design, the system has created separate header files for each corresponding module. The header files for the system are listed below:

AET_test.h: The header file of AET_test.c, which includes the definitions of the functions inside AET_test.c.
configure.h: The header file of configure.c, which includes the definitions of the functions inside configure.c.
module.h: The header file of module.c, which includes the definitions of the functions inside module.c.
utils.h: The header file of utils.c, which includes the definitions of the functions inside utils.c.

Chapter 5: Experimental results and analysis

Since this experiment focuses on evasion processing of captured TCP/IP packets, the results of the experiment are mainly observed through packet capture. Because the experimental environment is linux, tcpdump was used to capture packets. Additionally, since the functionality of this system is similar to that of the open source software Fragroute, comparative experiments were conducted not only within our system but also in comparison with Fragroute.

1.1 Experimental procedure

Since the experiment aims to simulate real network communication, it was conducted within an intranet, and a total of three hosts were selected for the experiment, designated as A, B, and C. Hosts A and B were responsible for communication, while host C, on which the SAPP platform was running, was responsible for evasion processing. Packets sent by host A must undergo the evasion processing by host C before they were sent to host B. In the experiment, it was ensured that the traffic between A and B always passed through C. The diagram below illustrates these steps:

Three blue boxes arranged horizontally, labeled Host A, SAPP C, Host B. Arrows connect A to C, and C to B. — Figure 3-10: Schematic diagram of experimental connection

In this experiment, network communication was established using the nc command, and packet capture was performed using the tcpdump command. A brief description of the two commands is as follows: nc is an abbreviation of netcat. As the “Swiss Army Knife” in the field of networking, it is a simple yet reliable network tool. It can listen on arbitrary TCP/UDP ports and also function as a client to initiate TCP/UDP connections, so a TCP/UDP connection can be quickly established using the nc command. tcpdump is a powerful network packet capture tool for linux, built on pcap for packet capture. It supports filtering based on various criteria such as the network layer, protocol, port, and host, and it also supports logical statements such as “or”, “not”, and “not”. In this experiment, tcpdump was used for network packet capture.

The steps required in the experiment are as follows:

make &&make install //Compile and install the SAPP platform and the evasion system

./sapp //Run the SAPP platform

nc -t -l 9999 // Listen on TCP port 9999

nc -t 10.0.6.86 9999 // Establish a TCP connection with the machine 86

tcpdump -i eth1 'tcp and port 9999 and host 10.0.9.86' //Capture packets

1.2 Experiment results

The system implements a total of eight evasion methods. In this experiment, all eight evasion methods were tested and a total of 16 network packets were captured. The results of the experiment are as follows:

a) Before IP fragmentation:

A Wireshark screenshot. 1 frame is shown, a UDP datagram with 27 data bytes. The data payload is highlighted in red. — Figure 3-11: Before IP fragmentation

a1) After IP fragmentation:

A Wireshark screenshot. 5 frames are shown, IP fragments of a UDP datagram. Frame 3 is selected, with 8 data bytes. The data payload is highlighted in red. — Figure 3-12: After IP fragmentation

b) Before TCP segmentation:

A Wireshark screenshot. 7 frames are shown, a TCP SYN/SYN+ACK handshake followed by PSH and ACK packets. Frame 6 is selected, a PSH segment with 19 data bytes. The data payload is highlighted in red. — Figure 3-13: Before TCP segmentation

b1) After TCP segmentation:

A Wireshark screenshot. 8 frames are shown, numbered 2–9, a TCP conversation as before. Frame 6 is selected, a PSH segment with 8 data bytes. The data payload is highlighted in red. — Figure 3-14: After TCP segmentation

c) Before modifying TTL:

A Wireshark screenshot. 1 frame is shown, a UDP datagram with 14 data bytes. “Time to live: 64” is highlighted in red. — Figure 3-15: Before modifying TTL

c1) After modifying TTL:

A Wireshark screenshot. 2 frames are shown, UDP datagrams. Frame 1 is selected, a malformed packet which Wireshark has marked with [BAD UDP LEN]. The UDP source and destination ports are coming from some ASCII that is visible in the data payload. “Total Length: 34” is highlighted in red. Reading the hex dump, the IP TTL is 64. (This is evidently the wrong screenshot to illustrate TTL modification.) — Figure 3-16: After modifying TTL

d) Before modifying MSS:

A Wireshark screenshot. 7 frames are shown, a TCP conversation starting with a SYN/SYN+ACK handshake. Frame 1 is selected, the SYN packet. “Maximum segment size: 1460 bytes” is highlighted in red. There are 20 bytes of options in total: MSS, SACK permitted, Timestamps, NOP. — Figure 3-17: Before modifying MSS

d1) After modifying MSS

A Wireshark screenshot. 7 frames are shown, a TCP conversation. Frame 4 is selected, a PSH+ACK segment. “Maximum segment size: 1024 bytes” is highlighted in red. There are 16 bytes of options in total: NOP, NOP, Timestamps, MSS. UI chrome in this screenshot looks like macOS. — Table 3-18: After modifying MSS

1.3 Comparison with Fragroute

Since the functionality of the system is similar to that of Fragroute, a comparative experiment was conducted with the open source software Fragroute in order to better illustrate the experiment results.

Fragroute is an open source evasion tool operating at the TCP/IP layer. Released in March 2002 by http://www.monkey.org/~dugsong/, Fragroute caused a significant upheaval in the field of intrusion detection, and the discussions regarding Fragroute became a hot topic in March and April.

Fragroute is capable of intercepting, modifying, and rewriting outgoing messages, implementing most of the evasion technologies at the TCP/IP layer. This includes TCP segmentation, IP fragmentation, IP overlap, and modifying TCP and IP header options.

Fragroute is an evasion tool that runs on the local host. It operates on the sender’s machine and completes the evasion before messages are actually sent out. The principle of Fragroute is as follows:

Add a route to the sender’s routing list so that all messages destined for the target host are redirected to the local lo interface.
Listen on the local lo interface and filter the packets destined for the target host and perform pcap packet capture.
Read the user’s configuration file to perform evasion processing on the captured messages.
Send the processed messages to the target host.

In order to conduct a comparative experiment with Fragroute, in this paper, Fragroute was installed and utilized to perform the same evasion processing as this system. The conclusions drawn are as follows:

In terms of functionality, there is no difference between the two systems. The functions that Fragroute can implement can also be implemented by this system. Both are capable of performing evasion processing at the TCP/IP layer.
In terms of compatibility, since Fragroute was released in 2002, it has been 15 years, which inevitably leads to some compatibility issues. Testing revealed that Fragroute is not compatible with CentOS 7. In contrast, our system does not have this problem.
In terms of universality, since Fragroute is an open-source tool, it relies on third-party libraries such as libpcap, libevent, and libdnet. This system’s underlying services rely on the interfaces provided by the SAPP platform. Additionally, it runs on the SAPP platform as a plugin, making it a specific software specific to a particular platform. In contrast, Fragroute does not have this problem, so it is superior to this system in terms of universality.

1.4 Analysis of experiment results

This system implements a total of eight evasion methods and supports the combination of evasion methods. During the experimental process, it was found that the evasion processing performed by this system effectively achieved the desired outcomes.

In essence, this system only implements a toolset or framework for evasion methods at the TCP/IP layer, and the effectiveness of the evasion depends on the appropriate combination of evasion methods and the suitable selection of evasion parameters.

In addition, as mentioned above, this system runs as a plugin on the SAPP platform and the underlying services are dependent on SAPP’s interfaces. So it’s an environment-specific, platform-specific evasion tool. In terms of universality, this is a defect of this system.