IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 12, NO. 3, MAY/JUNE 2015
Abstract—Most anomaly detection systems rely on machine learning algorithms to derive a model of normality that is later used to detect suspicious events. Some works conducted over the last years have pointed out that such algorithms are generally susceptible to deception, notably in the form of attacks carefully constructed to evade detection. Various learning schemes have been proposed to overcome this weakness. One such system is Keyed IDS (KIDS), introduced at DIMVA '10. KIDS' core idea is akin to the functioning of some cryptographic primitives, namely to introduce a secret element (the key) into the scheme so that some operations are infeasible without knowing it. In KIDS the learned model and the computation of the anomaly score are both key-dependent, a fact which presumably prevents an attacker from creating evasion attacks. In this work we show that recovering the key is extremely simple provided that the attacker can interact with KIDS and get feedback about probing requests. We present realistic attacks for two different adversarial settings and show that recovering the key requires only a small number of queries, which indicates that KIDS does not meet the claimed security properties. We finally revisit KIDS' central idea and provide heuristic arguments about its suitability and limitations.

Index Terms—Adversarial classification, anomaly detection, intrusion detection systems, secure machine learning
1 INTRODUCTION
persistent key that is used during a period of time, possibly because changing the key implies retraining the classifier. If Kerckhoffs' principle is to be followed, it must be assumed that the security of the scheme depends solely on the secrecy of the key and the procedure used to generate it. Anagram can be used both as a randomized or as a keyed classifier, depending on the variant used. We will further discuss this later in Section 6.

1.1 Contributions

In this work, we make the following contributions:

1. We argue that any keyed anomaly detection system (or, more generally, any keyed classifier) must preserve one fundamental property: the impossibility for an attacker to recover the key under any reasonable adversarial model. We deliberately choose not to analyze how difficult it is for an attacker to evade detection if the classifier is keyed. We believe that this is a related, but different problem.
2. We pose the key-recovery problem as one of adversarial learning. By adapting the adversarial setting proposed by Lowd and Meek [10] in a related problem (reverse engineering of a classifier), we introduce the notion of gray- and black-box key-recovery attacks.
3. We present two instantiations of such attacks for KIDS, one for each model. Our attacks take the form of query strategies that make the classifier leak some information about the key. Both are very efficient and show that KIDS does not meet the fundamental security property discussed above. Furthermore, we have implemented and experimentally confirmed the correctness of our attacks.
4. Building on related work in the broader field of secure machine learning (e.g., [1], [2], [3], [5], [10], [13], [14], [15]), we pose some additional questions and provide constructive discussion about the suitability, limitations, and possible structure of keyed classifiers.

The remainder of this paper is organized as follows. In Section 2 we provide a brief overview of related work in the field of adversarial machine learning. For completeness, a description of KIDS is given in Section 3. In Section 4 we introduce the adversarial model adopted, describe and analyze our attacks, and discuss the results obtained experimentally. KIDS's core idea is revisited and further discussed in Section 5, and Section 6 concludes the paper.

2 RELATED WORK

2.1 Classifier Evasion and Adversarial Learning

Dalvi et al. explored in [5] the problem of computing optimal strategies to modify an attack so that it evades detection by a Naïve Bayes classifier. They formulate the problem in game-theoretic terms, where each modification made to an instance comes at a price, and successful detection and evasion have measurable utilities to the classifier and the adversary, respectively. The authors study how to detect such optimally modified instances by adapting the decision surface of the classifier, and also discuss how the adversary might react to this.

The setting used in [5] assumes an adversary with full knowledge of the classifier to be evaded. Shortly after, Lowd and Meek [10] studied how evasion can be done when such information is unavailable. They formulate the adversarial classifier reverse engineering problem (ACRE) as the task of learning sufficient information about a classifier to construct attacks, instead of looking for optimal strategies. The authors use a membership oracle as implicit adversarial model: the attacker is given the opportunity to query the classifier with any chosen instance to determine whether it is labeled as malicious or not. Consequently, a reasonable objective is to find instances that evade detection with an affordable number of queries. A classifier is said to be ACRE learnable if there exists an algorithm that finds a minimal-cost instance evading detection using only polynomially-many queries. Similarly, a classifier is ACRE k-learnable if the cost is not minimal but bounded by k. Among the results given in [10], it is proved that linear classifiers with continuous features are ACRE k-learnable under linear cost functions. Therefore, these classifiers should not be used in adversarial environments. Subsequent work by Nelson et al. [14], [15] generalizes these results to convex-inducing classifiers, showing that it is generally not necessary to reverse engineer the decision boundary to construct undetected instances of near-minimal cost.

For the interested reader, Nelson et al. [13] have recently surveyed some open problems and challenges related to the classifier evasion problem. More generally, some additional works have revisited the role of machine learning in security applications, with particular emphasis on anomaly detection [7], [17], [18], [19].

2.2 Strategies to Thwart Evasion

Kolesnikov et al. [9] demonstrate that polymorphic mimicry worms, based on encryption and data encoding to obfuscate their content, are able to evade frequency distribution-based anomaly detectors like PAYL [21]. PAYL models byte-value frequency distributions (i.e., 1-grams), so detection can be avoided by padding anomalous sequences with an appropriate amount of normal traffic. In order to counteract polymorphic mimicry worms, PAYL's authors developed Anagram [22], an anomaly detector that models n-grams observed in normal traffic. Anagram also introduces a new strategy, called randomization, to hinder evasion. There are two possible kinds of randomization, namely randomized modeling and randomized testing. In the former, packets are split into several substrings using a randomly-generated bitmask. Substrings coming from the same packet position are modeled and tested separately. Since the bitmask is kept secret, an attacker only succeeds if he manages to craft an attack vector such that the data is normal with respect to any randomly selected portion of a packet. This clearly makes evasion harder, but substantially increases the overhead of the IDS. Alternatively, randomized testing also partitions packets randomly into several chunks, but tests each of them against the same classifier, which does not incur any substantial overhead.

Randomization and/or using an ensemble of classifiers have also been proposed in the context of spam detection. For example, Biggio et al. [3] studied how to introduce randomness in the design of the classifier, preventing the
adversary from having exact knowledge about one or more system parameters. A similar approach was presented by Perdisci et al. in [16]. The work in [3] uses multiple classifiers and randomly chooses the weights assigned to each classifier in the decision. The task for the attacker is much harder then, since he can never guess the detector's configuration. The main problem of this strategy is that it can negatively influence the overall detection performance, particularly by increasing the false positive rate.

Zhou et al. [23] presented similar strategies to thwart good-word attacks on spam filters. Their scheme transforms each email into a bag of multiple segments (instances), and then applies multiple-instance logistic regression to the bags. An email is classified as spam if at least one instance in the corresponding bag is spam; otherwise it is marked as legitimate. This bags-of-words strategy performs better than single-instance learners such as support vector machines (SVMs) or Naïve Bayes. A similar approach was explored in [20] to detect masquerade mimicry attacks.

2.3 Towards Secure Machine Learning

Barreno et al. [1], [2] have pondered on the risks of applying machine learning algorithms to security domains. They introduce a taxonomy that groups attacks on machine learning systems into different categories, depending on whether the adversary influences training or just analyzes an already trained system; whether the goal is to force just one misclassification, or else to generate too many so the system becomes unusable; etc. The authors also provide useful discussion on potential countermeasures and enumerate various open problems.

3 KIDS: A KEYED INTRUSION DETECTION SYSTEM

In 2010, Mrdovic and Drazenovic [12] proposed Keyed Intrusion Detection System, a key-dependent network anomaly detector that inspects packet payloads. The proposal tries to adapt to intrusion detection systems Kerckhoffs' principle, stating that a cryptosystem should be secure even if everything about the system, except the key, is public knowledge.

3.1 Training Mode

KIDS divides each payload into words. A word is defined as a sequence of bytes located between two delimiters, these being any two special bytes belonging to a secret set D. A key D consists therefore of a chosen set of delimiters. Each key produces a unique set of normal words and, accordingly, a unique classifier.

KIDS is trained using normal (i.e., attack-free) payloads only. Given a key, each payload in the training set is segmented into words and the frequency of each word is counted. In addition, the number of occurrences of pairs of words (called transitions) is also counted. The model consists of these two lists: one with each observed word, $w_i$, and its frequency, $n(w_i)$; and another with each observed transition, $w_i \to w_j$, and its frequency, $n(w_i \to w_j)$.

3.2 Detection Mode

In the detection phase, KIDS assigns an anomaly score, $S(p)$, to each incoming payload p. Subsequently, p is labeled as anomalous if $S(p) > t$, where t is a conveniently chosen threshold.

The anomaly score is given by the product of two separate scores. The first, termed the word score and denoted $S_w(p)$, is computed as:

$$S_w(p) = \frac{1}{k}\sum_{i=1}^{k}\frac{1}{n(w_i)}, \qquad (1)$$

where k is the number of words in p and $n(w_i)$ the number of appearances of $w_i$, as computed during training. If a word $w_i$ that did not appear during training appears in p (i.e., $n(w_i) = 0$), the corresponding term in the sum is set to 2 instead of infinity. Thus, every previously unseen word contributes twice to $S_w(p)$ compared to a word that was seen once ($n(w_i) = 1$).

The transition score, denoted $S_t(p)$, is calculated according to a similar formula:

$$S_t(p) = \frac{1}{m}\sum_{i=1}^{m}\frac{1}{n(t_i)}, \qquad (2)$$

where m is the number of transitions in p (i.e., $k - 1$) and $n(t_i)$ is the frequency of transition $t_i$ in the learned model.

The overall score $S(p)$ assigned to a payload is obtained as:

$$S(p) = S_w(p)\,S_t(p). \qquad (3)$$

Thus, the appearance of frequent words and transitions contributes to keeping $S(p)$ low, and vice versa.

3.3 Key Selection

Keys in KIDS are selected so as to ensure good detection quality. The receiver operating characteristic (ROC) curve is chosen in [12] as the method to quantify how well a particular key performs. The authors employ a labeled data set consisting of attack-free HTTP traffic and tailored attacks generated with Metasploit [11]. An initial key composed of 20 delimiters (CR, LF, TAB, SPACE, ",", ".", ":", "/", "'", "&", "?", "=", "(", ")", "[", "]", "\"", ";", "<", ">") was first selected using domain-specific knowledge, and the obtained ROC curve shows the model thus built is quite effective.

The authors explored next whether similar results can be obtained using random keys. Different keys of size 15, 20, 25, and 30 were generated by choosing random delimiters with values between 0 and 255. According to their experimental results, some of these random keys yield, in terms of ROC curves, detection results as good as those obtained with the human-generated key. The paper suggests repeating this procedure every time a new key has to be chosen.

4 KEY-RECOVERY ATTACKS ON KIDS

In this section we describe various attacks on KIDS aimed at recovering the secret set of delimiters (i.e., the key). We group these attacks into two broad classes, depending on what feedback from KIDS the attacker may have access to. Before presenting our attacks, we first describe the adversarial model adopted and give grounds for our main assumptions.
TAPIADOR ET AL.: KEY-RECOVERY ATTACKS ON KIDS, A KEYED ANOMALY DETECTION SYSTEM 315
Fig. 2. Key-recovery attack on gray-box KIDS.

Case 1: $d \notin D$

In such a case, p is processed as just one word, which in turn has not been previously seen as $n(w_1 \| d \| w_2) = 0$. Consequently, we have

$$S_w(p) = b, \qquad (4)$$

where b is the value assigned to a previously unseen word or transition. Even though in KIDS this value is set to 2, in our analysis we consider the more general case. Likewise
The central idea behind our attack is actually quite simple. We will provide KIDS with a normal payload concatenated with a carefully constructed tail. Such a tail contains a large number of unseen words separated by the candidate delimiter. If the delimiter does not belong to the key, the entire tail will be processed as just one word and the anomaly score will be roughly similar to that of the original payload. If this is the case, then the payload will be marked as normal with high probability. Conversely, if the delimiter does belong to the key, the tail will be fragmented into a large number of previously unseen words and transitions. This will negatively impact the anomaly score, invariably resulting in an anomalous payload. We next provide a more formal description and analysis of the attack.

Assume a payload q composed of words $\omega_1, \ldots, \omega_k$ separated by delimiters $d_{j_1}, \ldots, d_{j_{k-1}}$, i.e., $q = \omega_1 \| d_{j_1} \| \omega_2 \| d_{j_2} \| \cdots \| d_{j_{k-1}} \| \omega_k$. Assume too that q is normal, i.e. $\mathrm{anom}(q) = \mathrm{false}$. Let $w_2$ be a word unseen during training, i.e., $n(w_2) = 0$. We now construct a probing payload p consisting of payload q followed by a tail t, where t is formed by the concatenation of $\ell$ repetitions of $w_2$ separated by the candidate delimiter d; i.e., $t = d \| w_2 \| d \| w_2 \| d \| \cdots \| d \| w_2$ and $p = q \| t$.

We next analyze the behavior of KIDS when p is provided as input. Again, there are two cases, depending on whether d is part of the key D or not:

Case 1: $d \notin D$

In this case, p is split into k words: the first $k - 1$ original words already present in q plus the tail t preceded by $\omega_k$. Thus, we have

$$S_w(p) = \frac{1}{k}\left(\sum_{i=1}^{k-1}\frac{1}{n(\omega_i)} + \frac{1}{n(\omega_k \| t)}\right) = \frac{1}{k}\left(\sum_{i=1}^{k-1}\frac{1}{n(\omega_i)} + b\right). \qquad (10)$$

We also have

$$S_w(q) = \frac{1}{k}\sum_{i=1}^{k}\frac{1}{n(\omega_i)}. \qquad (11)$$

Now using (11), expression (10) can be rewritten as

$$S_w(p) = \frac{1}{k}\left(k\,S_w(q) - \frac{1}{n(\omega_k)} + b\right) = S_w(q) + \frac{1}{k}\left(b - \frac{1}{n(\omega_k)}\right). \qquad (12)$$

Similarly, for the transition score we have

$$S_t(p) = \frac{1}{k-1}\left(\sum_{i=1}^{k-2}\frac{1}{n(\omega_i \to \omega_{i+1})} + \frac{1}{n(\omega_{k-1} \to (\omega_k \| t))}\right) = \frac{1}{k-1}\left(\sum_{i=1}^{k-2}\frac{1}{n(\omega_i \to \omega_{i+1})} + b\right). \qquad (13)$$

Again, (13) can be expressed in terms of $S_t(q)$ as

$$S_t(p) = \frac{1}{k-1}\left((k-1)\,S_t(q) - \frac{1}{n(\omega_{k-1} \to \omega_k)} + b\right) = S_t(q) + \frac{1}{k-1}\left(b - \frac{1}{n(\omega_{k-1} \to \omega_k)}\right). \qquad (14)$$

Note that, in both (12) and (14), the only difference with respect to $S_w(q)$ and $S_t(q)$ is the addition of a positive term. For convenience, let us call them

$$\Delta_w = \frac{1}{k}\left(b - \frac{1}{n(\omega_k)}\right) \qquad (15)$$

and

$$\Delta_t = \frac{1}{k-1}\left(b - \frac{1}{n(\omega_{k-1} \to \omega_k)}\right). \qquad (16)$$

Thus we have $S_w(p) = S_w(q) + \Delta_w$ and $S_t(p) = S_t(q) + \Delta_t$. The resulting anomaly score is therefore

$$\begin{aligned} S(p) &= S_w(p)\,S_t(p) \\ &= (S_w(q) + \Delta_w)(S_t(q) + \Delta_t) \\ &= S_w(q)S_t(q) + S_w(q)\Delta_t + S_t(q)\Delta_w + \Delta_w\Delta_t \\ &= S(q) + (S_w(q)\Delta_t + S_t(q)\Delta_w + \Delta_w\Delta_t) \\ &= S(q) + \Delta. \end{aligned} \qquad (17)$$

The right-hand side term $\Delta$ in (17) depends on k and q's anomaly score. An upper bound for its contribution to p's anomaly score can be derived as follows. On the one hand

$$S_w(q) < b \quad \text{and} \quad S_t(q) < b. \qquad (18)$$

Note, however, that q is normal and therefore both scores will be significantly lower than b. On the other hand

$$\Delta_w < \frac{b}{k} \quad \text{and} \quad \Delta_t < \frac{b}{k-1}. \qquad (19)$$

Thus

$$\begin{aligned} \Delta &= S_w(q)\Delta_t + S_t(q)\Delta_w + \Delta_w\Delta_t \\ &< \frac{b^2}{k} + \frac{b^2}{k-1} + \frac{b^2}{k(k-1)} \\ &< \frac{b^2}{k-1} + \frac{b^2}{k-1} + \frac{b^2}{k-1} = \frac{3b^2}{k-1}. \end{aligned} \qquad (20)$$

Recall that $\mathrm{anom}(p) = \mathrm{false}$ iff $S(p) = S(q) + \Delta < t$.

As the increment $\Delta$ in q's anomaly score can be upper bounded by (20), the probability of p being classified as normal essentially depends on the following conditions:

1. q is "sufficiently" normal, i.e. $S(q)$ is very low.
2. k is "sufficiently" large, i.e. $\Delta$ is very low.
Fig. 3. Upper bounds of the anomaly score increment as a fraction of t when $d \notin D$ in the black-box attack ($b = 2$).

In Fig. 3 we give plots of the upper bound for $\Delta$ in relation to the detection threshold t. For example, if $t = 1.5$ and q is tokenized into $k = 40$ words, $\Delta$ will be at most 21 percent of t (i.e., $S(p) < S(q) + 0.21t$). Consequently, this means that p will be classified as normal if $S(q) \leq 0.79t$.

Note that in this scenario the attacker has no control over the internal structure of q, as the key D is unknown and, therefore, k is unknown too. Consequently, success is likely but not guaranteed, a fact which introduces a probabilistic component in the attack. We will address this point later on when discussing the overall procedure. Nevertheless, we suggest to use a payload q as long and frequent as possible, as this will increase the likelihood of satisfying at least one of the previous conditions. Furthermore, the probability of success can be increased by using a q formed by the concatenation of various normal payloads. This will translate into a slight increment of the score due to potentially anomalous transitions in the limits between the original payloads, but will considerably increase k.

Case 2: $d \in D$

In this case, p is split into $k + \ell$ words: the first k original words already present in q plus $\ell$ times the word $w_2$. Thus, we have

$$S_w(p) = \frac{1}{k+\ell}\left(\sum_{i=1}^{k}\frac{1}{n(\omega_i)} + \sum_{i=1}^{\ell}\frac{1}{n(w_2)}\right) = \frac{1}{k+\ell}\left(\sum_{i=1}^{k}\frac{1}{n(\omega_i)} + \ell b\right). \qquad (21)$$

Again, this can be rewritten in terms of $S_w(q)$ as

$$S_w(p) = \frac{1}{k+\ell}\left(k\,S_w(q) + \ell b\right) = \frac{k}{k+\ell}\,S_w(q) + \frac{\ell b}{k+\ell}. \qquad (22)$$

$$S_t(p) = \frac{1}{k+\ell-1}\left((k-1)\,S_t(q) + \ell b\right) = \frac{k-1}{k+\ell-1}\,S_t(q) + \frac{\ell b}{k+\ell-1}. \qquad (24)$$

Note that, in both (22) and (24), the terms multiplying $S_w(q)$ and $S_t(q)$ tend to 0 as $\ell$ increases, whereas the right-most terms tend to b. Thus, a sufficiently large value of $\ell$ will drive both scores close to their upper bounds, resulting in an overall anomaly score $S(p) = S_w(p)\,S_t(p) \approx b^2$. We recall here that b is the value assigned to words and transitions unseen during training, and the value recommended in KIDS is 2. Consequently, a score of $b^2$ will inevitably fall beyond any reasonable detection threshold, and hence $\mathrm{anom}(p) = \mathrm{true}$.

In summary, such a payload p can be used as a probabilistic distinguisher to tell whether d is part of the key or not, since:

- If $d \in D$, then $\mathrm{anom}(p) = \mathrm{true}$ with probability 1, given a sufficiently large value of $\ell$.
- If $d \notin D$, then $\mathrm{anom}(p) = \mathrm{false}$ with high probability, although dependent on the "quality" of q as discussed above.

4.3.1 Complexity

The existence of false positives in our distinguishing method (i.e., situations when $d \notin D$ but nevertheless $\mathrm{anom}(p) = \mathrm{true}$) is due to using a q of "poor quality", as explained above. Such false positives can be ruled out by repeating the process with different q's and determining D as the intersection of all the resulting keys. Note that, in doing so, the existence of just one good payload in the set suffices to recover the correct key. As a consequence, the complexity of this attack is slightly higher than for the case of the gray-box setting: again, each trial makes exactly 256 queries to KIDS, and several trials should be attempted to rule out possible false positives. If T is the number of normal payloads available to the attacker, then the attack requires $T \cdot 256$ queries, plus the cost of computing an intersection. A description of the attack is given in Fig. 4.

Since the attack succeeds if there is at least one appropriate q, the overall probability of correctly recovering the key after T attempts is

$$P_{BB}(T) = 1 - (1 - P(q_i))^T \qquad (25)$$
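The following Python is an added worked example (written for this edit, not the authors' C implementation of KIDS) that re-implements the model of Section 3 (eqs. (1)-(3)) and then scores the probing payload $p = q \| t$ of Section 4.3 for a candidate delimiter outside the key and for one inside it, checking the increment against the bound of (20). The key, the training payloads, the threshold and the handling of payloads with fewer than two words are assumptions made here, not values from the paper.

```python
"""Toy re-implementation of the KIDS model of Section 3 (eqs. (1)-(3)) and of the
black-box probing payload of Section 4.3 (p = q || t, eqs. (17)-(20)).  This is
added example code, not the authors' C implementation of KIDS.  All payloads,
the key and the threshold are constructed assumptions."""
from collections import Counter

B_UNSEEN = 2.0  # b: term used for a word/transition with zero training count (KIDS: 2)


def tokenize(payload: bytes, key: frozenset) -> list:
    """Words are maximal runs of non-delimiter bytes; empty runs are dropped."""
    words, cur = [], bytearray()
    for byte in payload:
        if byte in key:
            if cur:
                words.append(bytes(cur))
                cur = bytearray()
        else:
            cur.append(byte)
    if cur:
        words.append(bytes(cur))
    return words


class KIDSModel:
    def __init__(self, key, b: float = B_UNSEEN):
        self.key = frozenset(key)   # D, the secret set of delimiters
        self.b = b
        self.n_word = Counter()     # n(w_i)
        self.n_trans = Counter()    # n(w_i -> w_j)

    def train(self, payloads) -> None:
        for p in payloads:          # training uses attack-free payloads only
            ws = tokenize(p, self.key)
            self.n_word.update(ws)
            self.n_trans.update(zip(ws, ws[1:]))

    def _term(self, count: int) -> float:
        return 1.0 / count if count > 0 else self.b

    def word_score(self, payload: bytes) -> float:        # eq. (1)
        ws = tokenize(payload, self.key)
        return sum(self._term(self.n_word[w]) for w in ws) / len(ws) if ws else 0.0

    def transition_score(self, payload: bytes) -> float:  # eq. (2)
        ws = tokenize(payload, self.key)
        ts = list(zip(ws, ws[1:]))
        # Assumption: fewer than two words gives no transitions and a score of 0.
        return sum(self._term(self.n_trans[t]) for t in ts) / len(ts) if ts else 0.0

    def score(self, payload: bytes) -> float:             # eq. (3)
        return self.word_score(payload) * self.transition_score(payload)

    def is_anomalous(self, payload: bytes, threshold: float) -> bool:
        return self.score(payload) > threshold


def probe(q: bytes, d: int, w2: bytes, ell: int) -> bytes:
    """p = q || t with t = d||w2||d||w2||...||d||w2 (ell repetitions), Section 4.3."""
    return q + b"".join(bytes([d]) + w2 for _ in range(ell))


def delta_bound(k: int, b: float = B_UNSEEN) -> float:
    """Bound 3b^2/(k-1) on Delta = S(p) - S(q) when d is not in D, eq. (20)."""
    return 3.0 * b * b / (k - 1)


def recover_key(model: KIDSModel, q: bytes, w2: bytes, ell: int, threshold: float) -> set:
    """One trial of the distinguisher of Section 4.3: 256 normal/anomalous answers,
    one per candidate delimiter.  Shows the leak the paper proves; Section 4.3.1
    repeats this over several q and intersects the results to drop false positives."""
    return {d for d in range(256) if model.is_anomalous(probe(q, d, w2, ell), threshold)}


# Constructed key and constructed attack-free HTTP-like training traffic.
DEMO_KEY = frozenset(b" /\r\n:")
DEMO_TRAINING = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n",
]
DEMO_THRESHOLD = 1.0   # assumption: chosen above every training score (max about 0.40)
DEMO_Q = b"GET /index.html HTTP/1.1\r\nHost: example.test"  # normal, k = 6, ends in a word
DEMO_W2 = b"\xaa" * 16  # unseen word: one non-delimiter byte repeated (Section 4.4)


def build_demo_model() -> KIDSModel:
    model = KIDSModel(DEMO_KEY)
    model.train(DEMO_TRAINING)
    return model


if __name__ == "__main__":
    m = build_demo_model()
    k = len(tokenize(DEMO_Q, m.key))
    print("S(q) = %.4f, bound on Delta = %.2f" % (m.score(DEMO_Q), delta_bound(k)))
    for d, label in ((0x2D, "d='-' not in D"), (0x20, "d=' ' in D")):
        print("%s: S(p) = %.4f" % (label, m.score(probe(DEMO_Q, d, DEMO_W2, 16))))
    print("recovered:", sorted(recover_key(m, DEMO_Q, DEMO_W2, 16, DEMO_THRESHOLD)))
```

With these constructed inputs the out-of-key probe scores 8/15 (an increment of about 0.35 over $S(q) = 49/270$, well inside the bound of (20)), while the in-key probe with $\ell = 16$ already scores about 2.55, approaching $b^2 = 4$ as (22) and (24) predict.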
In the $(k-1)$th and kth iterations, $q^{(i)}$ is w and $w \| d$, respectively. In both cases we have

$$S(q^{(i)}) = \frac{1}{n(w)}\,a. \qquad (27)$$

It may occur that a prefix of w is also a word seen during training, so the score given by (27) would be obtained for some $i < k-1$. As it should be clear later, this does not affect the analysis, as the algorithm keeps processing p until $i = k+1$ and always returns w.

2. $i = k + 1$.

In this case, $q^{(i)} = w \| d \| t[1]$, which yields an anomaly score

$$S(q^{(i)}) = \frac{1}{2}\left(\frac{1}{n(w)} + b\right) b = \frac{1}{2}b^2 + \frac{1}{2n(w)}\,b. \qquad (28)$$

Note that

$$\frac{1}{2}b^2 + \frac{1}{2n(w)}\,b > b \iff b > 2 - \frac{1}{2n(w)} \qquad (29)$$

queries (we do not consider here the case when the algorithm fails because of the choice of a discussed above). The average word length is, in turn, related to the key size, with words becoming generally shorter when the key consists of more delimiters, although this also depends on the underlying generative model for payloads (i.e., the probability of observing each byte at each position). In general, it is expected that $|w_1|$ will be low for payloads associated with usual network traffic (e.g., HTTP or FTP services). On the other hand, the algorithm fails if p does not satisfy the requirements assumed above, i.e., having a first word with positive count and the first byte of the second with zero count. Let $p_{w_1}$ be the probability of a payload satisfying these conditions. In our experience, this occurs extremely often, since the first portion of the payload generally transports protocol signaling (e.g., service/resource names) very common among payloads, making $p_{w_1}$ close to 1.

In summary, each run of the algorithm can be seen as an experiment that makes $|w_1| + 2$ queries and succeeds with probability $p_{w_1}$. Thus, the probability of generating at least one valid $w_1$ after n trials of the algorithm (assuming independent trials) is
Fig. 6. Algorithm to find $w_2$.

elements are drawn randomly and independently, then the probability of generating at least one valid $w_2$ after m queries to KIDS is

$$P_2(m) = 1 - \left(1 - \frac{256 - |D|}{256}\,p_{w_2}\right)^m \qquad (34)$$

which, again, increases exponentially with m. For key sizes ranging from 15 to 30, as suggested in [12], the probability of finding a valid $w_2$ with just 1 query falls between $0.92\,p_{w_2}$ and $0.94\,p_{w_2}$. Using some domain-specific knowledge may help the attacker in selecting candidate words so that $p_{w_2}$ is close to 1. For the purposes of this paper, we have chosen words consisting of repetitions of the same byte b. This has proven to be adequate for payloads of most application protocols, as such strings are not generally found in them, particularly for values of $\ell$ sufficiently high (say, $\ell > 10$). Thus, assuming that $p_{w_2} \approx 1$, the probability of finding $w_2$ with just one query to KIDS is greater than 0.9. Using similar reasoning, it is straightforward to see that $P_2(2) > 0.99$.

4.4.3 Black-Box Setting: Finding $w_2$

The procedure given above to find $w_2$ cannot be applied to the black-box setting since it requires access to the anomaly score of the probing payloads. In this case, we suggest to use the attack described in Section IV-C with a word $w_2$ generated as in the previous algorithm, i.e., composed of a randomly chosen byte b repeated $\ell$ times. The analysis is then equivalent to the one given in the complexity analysis of Section 4.4.2: if (i) $b \notin D$; and (ii) the resulting $w_2$ is a word unseen during training, then the attack succeeds with probability $P_2(m) \cdot P_{BB}(T)$. However, if the chosen byte b turns out to be a delimiter (i.e., $b \in D$, which occurs with probability $|D|/256$), the algorithm behaves differently. Recall that the attack iterates over all possible delimiters d (line 3 in Fig. 4). Now:

Case 1: $d \in D$.

In this case, the tail $t = d \| w_2 \| d \| w_2 \| d \| \cdots \| d \| w_2$ used in the payload $p = q \| t$ will be discarded by the tokenization process as it contains no words. As $S(p) = S(q)$, the payload will inevitably be labeled as normal and the attack will not take the delimiter d as belonging to the key. The overall result is that all true delimiters $d \in D$ will not be identified. This happens with probability 1.

Case 2: $d \notin D$.

In this case, the tail t is split into $\ell$ words. Note, however, that now $w_2$ (in particular, just one b) plays the role of the delimiter and d is considered a word. The result depends on whether $n(d)$ is strictly greater than zero or not:

- $n(d) = 0$. This situation is equivalent to case 2 in Section 4.3: p is split into $k + \ell$ words, with a tail full of previously unseen words and transitions. In this case, $\mathrm{anom}(p) = \mathrm{true}$ and the algorithm incorrectly takes d as a true delimiter.
- $n(d) > 0$. In this case, the result depends on whether the transitions of the form $d \to d$ have or have not a positive count. If $n(d \to d) = 0$, then the transition score $S_t$ of the tail will be very high, possibly making the overall score of p anomalous. The details are similar to those discussed for case 2 in Section 4.3, although only applying to $S_t(p)$. As in the case above, the result is that d is incorrectly taken as a true delimiter. However, if $n(d \to d) > 0$, the result is unpredictable as it depends on the final score of p. Therefore, d might be discarded or not.

In summary, we have:

- If $b \notin D$ and the chosen word $w_2$ is good, the attack succeeds with the aforementioned probability.
- If $b \in D$, the roles of words and delimiters are swapped. In this case, the output of the algorithm is a subset of $D^C$ (the complement of D). In particular, it consists of at least all individual bytes $e \notin D$ such that $n(e) = 0$ or $n(e \to e) = 0$.

The second case occurs with probability $|D|/256$. As key sizes suggested in [12] are relatively small (from 15 to 30), this knowledge could be used to tell whether the returned key is the true key or not by simply inspecting its size. Furthermore, even if the obtained D is too large to be the true key, knowing that it is a subset of $D^C$ is still quite valuable, as the true key can be estimated by just taking the complement. A corollary of this result is that the size of D should be kept secret too. However, in the case of KIDS there may be some fundamental limitation, as keys composed of too few or too many delimiters might not produce useful detection models. This needs to be further investigated.

4.4.4 Attack Complexity Revisited

To conclude this section, in Table 1 we summarize the overall complexity of the attacks presented in this paper, including the procedures used to find $w_1$ and $w_2$ discussed above.

4.5 Experimental Results

We have experimentally validated our attacks with an implementation of KIDS written in C. The system was trained with 2000 HTTP payloads captured in a university network. The data set does not include attacks, as they are not necessary to recover the key. Following the
TABLE 1
Summary of the Attacks Presented in This Paper with Their Complexity and the Probability of Success
design principles given in [12], our experiments have been conducted with key sizes ranging from 15 to 30, even though this parameter has little influence on the results. In all cases, the delimiters are randomly generated avoiding repetitions, and the detection threshold is chosen to guarantee that at least 99 percent of the training set falls below it. We note that this way of selecting a key does not coincide with the procedure given in [12], where the authors suggest a method involving both normal and attack traffic. This, however, is irrelevant to our attacks, as they work on an already trained system regardless of how the key has been chosen.

In the case of the gray-box attacks, words $w_1$ and $w_2$ are automatically extracted from one normal payload by following the procedures described in Section 4.4. According to our practical experience, the values of n, $|w_1|$, and m (see Table 1) remain very low for the scenarios tested. For example, $w_1$ is consistently recovered from just one payload (i.e., $n = 1$ and the algorithm never fails) and these words rarely have more than $|w_1| = 15$ bytes. This conforms to the intuition given above, but it is reinforced by the fact that we used HTTP traffic where the first bytes of every payload refer to websites and resources already present during training. As for $w_2$, we used $\ell = 16$ and systematically obtained a valid $w_2$ in less than $m = 3$ attempts. We ran the attack multiple times with randomly generated keys and, in all cases, we correctly recovered all the delimiters as expected.

For the black-box attacks, we used a subset of T randomly chosen payloads and made them available to the attacker. Different combinations of T and the parameter $\ell$ were tried. As anticipated, the probability of correctly recovering all the key elements increases both with T and, especially, with $\ell$. In fact, a low value of T suffices if it contains "good" payloads, as defined in Section 4.3, whereas the success probability dramatically decreases for low values of $\ell$. In our case, values $T \geq 5$ and $\ell > 10$ proved enough to correctly recover the key. Nevertheless, we emphasize that such parameters will generally be very dependent on the specific data set used to train the system.

In practice, an important issue is the overall time required by the attacker to recover the key, particularly when access to the system is given for a short period of time. In general, such time is:

$$t_{attack} = N_q\,(t_{pre} + t_s + t_q + t_r + t_{post}) + t_{loc} \qquad (35)$$

where

- $N_q$ is the number of queries to KIDS involved in the attack.
- $t_{pre}$ is the time required to prepare the query.
- $t_s$ is the time taken by the payload to reach KIDS.
- $t_q$ is the time taken by KIDS to process the payload.
- $t_r$ is the time taken for the result to reach the attacker.
- $t_{post}$ is the time required to process the result.
- $t_{loc}$ is the time taken by the local computations made by the key-recovery algorithm.

In our experiments, $t_{pre}$, $t_{post}$ and $t_{loc}$ are negligible. The average time to process a payload ($t_q$) is given in Table 2. Even though this time actually depends on the payload length, we have found that the variation is negligible for the values involved in our attacks. Finally, both $t_s$ and $t_r$ strongly depend on the attack setting. Thus, if the attack is carried out remotely, their sum will roughly be equal to the average network latency, measured by the round trip time (RTT). Finally, the number of queries depends on the specific attack, with $N_q = 257$ for the gray-box model and $N_q = T \cdot 256$ for the black-box model.

Tables 3 and 4 show the total key-recovery time in two different settings. In the first one, the RTT between the attacker and KIDS was around 50 ms (low latency), whereas in the second it was around 195 ms (high latency). In both cases, the results were averaged over 50 executions, each one with a different randomly chosen key. For the gray-box attacks, recovering the key takes around 13 s for the low-latency scenario and around 50 s for the high-latency network. Each one of the T iterations of the black-box attack takes a similar time, so the key can be recovered in approximately one minute for a low-latency network, and in around 5 minutes for the high-latency setting. As a final note, it must be emphasized that, in practice, the dominant

TABLE 2
Average Time Taken by Our KIDS Implementation to Process a Payload

TABLE 3
Experimental Average Time (in Seconds) to Recover the Key by the Gray-Box Attack
TAPIADOR ET AL.: KEY-RECOVERY ATTACKS ON KIDS, A KEYED ANOMALY DETECTION SYSTEM 323
settings, depending on the feedback given by KIDS to probing queries.

To the best of our knowledge, our work is the first to demonstrate key-recovery attacks on a keyed classifier. Surprisingly, our attacks are extremely efficient, showing that it is reasonably easy for an attacker to recover the key in any of the two settings discussed. Such a lack of security may reveal that schemes like KIDS were simply not designed to prevent key-recovery attacks. However, we have argued that resistance against such attacks is essential to any classifier that attempts to impede evasion by relying on a secret piece of information. We have provided discussion on this and other questions in the hope of stimulating further research in this area.

The attacks here presented could be prevented by introducing a number of ad hoc countermeasures to the system, such as limiting the maximum length of words and payloads, or including such quantities as classification features. We suspect, however, that these variants may still be vulnerable to other attacks. Thus, our recommendation for future designs is to base decisions on robust principles rather than particular fixes.

Going beyond KIDS, it remains to be seen whether similar schemes (e.g., Anagram [22]) are secure against key-recovery attacks. As discussed in Section 1, our attacks (or variants of them) are focused on keyed classifiers, and we believe that they will not carry over to randomized classifiers. We note that, in its present form, KIDS cannot be easily randomized, as choosing a new key implies training the classifier again, which is clearly impractical in real-world scenarios. In the case of Anagram, the authors discuss one mode of operation where the key is used to split the packet into various portions so that each of them is checked against a different Bloom filter. This scheme bears numerous resemblances to KIDS, and the key may be recoverable with attacks similar to those presented here. Nevertheless, this needs further investigation and will be addressed in future work.

Our focus in this work has been on recovering the key through efficient procedures, demonstrating that the classification process leaks information about it that can be leveraged by an attacker. However, the ultimate goal is to evade the system, and we have simply assumed that knowing the key is essential to craft an attack that evades detection or, at least, that it significantly facilitates the process. It remains to be seen whether a keyed classifier such as KIDS can be evaded without explicitly recovering the key. If the answer is in the affirmative, then the key does not ensure resistance against evasion.

ACKNOWLEDGMENTS

The authors are very grateful to the anonymous reviewers for constructive feedback and insightful suggestions that helped to significantly improve the quality of this work.

REFERENCES

[1] M. Barreno, B. Nelson, R. Sears, A.D. Joseph, and J.D. Tygar, "Can Machine Learning be Secure?" Proc. ACM Symp. Information, Computer and Comm. Security (ASIACCS '06), pp. 16-25, 2006.
[2] M. Barreno, B. Nelson, A.D. Joseph, and J.D. Tygar, "The Security of Machine Learning," Machine Learning, vol. 81, no. 2, pp. 121-148, 2010.
[3] B. Biggio, G. Fumera, and F. Roli, "Adversarial Pattern Classification Using Multiple Classifiers and Randomisation," Proc. IAPR Int'l Workshop Structural, Syntactic, and Statistical Pattern Recognition, pp. 500-509, 2008.
[4] B. Biggio, B. Nelson, and P. Laskov, "Support Vector Machines Under Adversarial Label Noise," J. Machine Learning Research, vol. 20, pp. 97-112, 2011.
[5] N. Dalvi, P. Domingos, Mausam, S. Sanghai, and D. Verma, "Adversarial Classification," Proc. 10th ACM SIGKDD Int'l Conf. Knowledge Discovery and Data Mining (KDD '04), pp. 99-108, 2004.
[6] P. Fogla, M. Sharif, R. Perdisci, O. Kolesnikov, and W. Lee, "Polymorphic Blending Attacks," Proc. 15th Conf. USENIX Security Symp., 2006.
[7] C. Gates and C. Taylor, "Challenging the Anomaly Detection Paradigm: A Provocative Discussion," Proc. New Security Paradigms Workshop (NSPW), pp. 21-29, 2006.
[8] A. Kolcz and C.H. Teo, "Feature Weighting for Improved Classifier Robustness," Proc. Sixth Conf. Email and Anti-Spam (CEAS '09), 2009.
[9] O. Kolesnikov, D. Dagon, and W. Lee, "Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic," Proc. USENIX Security Symp., 2005.
[10] D. Lowd and C. Meek, "Adversarial Learning," Proc. 11th ACM SIGKDD Int'l Conf. Knowledge Discovery in Data Mining (KDD '05), pp. 641-647, 2005.
[11] Metasploit Framework, www.metasploit.com, 2013.
[12] S. Mrdovic and B. Drazenovic, "KIDS-Keyed Intrusion Detection System," Proc. Seventh Int'l Conf. Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA '10), pp. 173-182, 2010.
[13] B. Nelson, B.I.P. Rubinstein, L. Huang, A.D. Joseph, and J.D. Tygar, "Classifier Evasion: Models and Open Problems," Proc. Int'l ECML/PKDD Conf. Privacy and Security Issues in Data Mining and Machine Learning (PSDML '10), pp. 92-98, 2011.
[14] B. Nelson, A.D. Joseph, S.J. Lee, and S. Rao, "Near-Optimal Evasion of Convex-Inducing Classifiers," J. Machine Learning Research, vol. 9, pp. 549-556, 2010.
[15] B. Nelson, B.I.P. Rubinstein, L. Huang, A.D. Joseph, S.J. Lee, S. Rao, and J.D. Tygar, "Query Strategies for Evading Convex-Inducing Classifiers," J. Machine Learning Research, vol. 13, pp. 1293-1332, May 2012.
[16] R. Perdisci, D. Ariu, P. Fogla, G. Giacinto, and W. Lee, "McPAD: A Multiple Classifier System for Accurate Payload-Based Anomaly Detection," Computer Networks, vol. 5, no. 6, pp. 864-881, 2009.
[17] K. Rieck, "Computer Security and Machine Learning: Worst Enemies or Best Friends?" Proc. DIMVA Workshop Systems Security (SYSSEC), 2011.
[18] R. Sommer and V. Paxson, "Outside the Closed World: On Using Machine Learning for Network Intrusion Detection," Proc. IEEE Symp. Security and Privacy, pp. 305-316, 2010.
[19] Y. Song, M. Locasto, A. Stavrou, A.D. Keromytis, and S.J. Stolfo, "On the Infeasibility of Modeling Polymorphic Shellcode: Re-Thinking the Role of Learning in Intrusion Detection Systems," Machine Learning, vol. 81, no. 2, pp. 179-205, 2010.
[20] J.E. Tapiador and J.A. Clark, "Masquerade Mimicry Attack Detection: A Randomised Approach," Computers & Security, vol. 30, no. 5, pp. 297-310, 2011.
[21] K. Wang, G. Cretu, and S. Stolfo, "Anomalous Payload-Based Worm Detection and Signature Generation," Proc. Eighth Int'l Conf. Recent Advances in Intrusion Detection (RAID '05), pp. 227-246, 2005.
[22] K. Wang, J. Parekh, and S. Stolfo, "Anagram: A Content Anomaly Detector Resistant to Mimicry Attack," Proc. Ninth Int'l Conf. Recent Advances in Intrusion Detection (RAID '06), pp. 226-248, 2006.
[23] Y. Zhou, Z. Jorgensen, and M. Inge, "Combating Good Word Attacks on Statistical Spam Filters with Multiple Instance Learning," Proc. 19th IEEE Int'l Conf. Tools with Artificial Intelligence (ICTAI '07), pp. 298-305, 2007.

Juan E. Tapiador received the MSc and PhD degrees in computer science from the University of Granada, in 2000 and 2004, respectively. He is an associate professor of computer science at Universidad Carlos III de Madrid. Prior to joining UC3M, he was a research associate at the University of York, United Kingdom. His main research interests include applied cryptography and network security.
Agustin Orfila received the BSc degree in physics from Universidad Complutense de Madrid and the PhD degree in computer science from Universidad Carlos III de Madrid. He is an associate professor of computer science at Universidad Carlos III de Madrid. His main interests lie in the field of network and computer security.

Benjamin Ramos received the BSc degree in mathematics and the PhD degree in computer science from Universidad Carlos III de Madrid. He is an associate professor in the Department of Computer Science at Universidad Carlos III de Madrid. His main interests lie in the field of computer security.

Arturo Ribagorda received the MSc degree in telecommunications engineering and the PhD degree in computer science. He is a professor at Universidad Carlos III de Madrid, where he also serves as head of the COSEC Lab in the Department of Computer Science. He has more than 25 years of R&D experience in computer and information security, and has authored four books and more than 100 articles in these areas.