NetSec ◬ est. February 2019.

Acta #013

2021 February 12
(Fake News) (Symbolic TCP)

Its all in a name: detecting and labeling bots by their name Computational and Mathematical Organization Theory (2018) [PDF, INFO]

Automated social media bots have existed almost as long as the social media environments they inhabit. Their emergence has triggered numerous research efforts to develop increasingly sophisticated means to detect these accounts. These efforts have resulted in a cat and mouse cycle in which detection algorithms evolve trying to keep up with ever evolving bots. As part of this continued evolution, our research proposes a multi-model ‘tool-box’ approach in order to conduct detection at various tiers of data granularity. To support this toolbox approach this research also uses random string detection applied to user names to filter twitter streams for bot accounts and use this as labeled training data for follow on research.

SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery
Network and Distributed System Security (NDSS), 2020 [PDF]

A key characteristic of commonly deployed deep packet inspection (DPI) systems is that they implement a simplified state machine of the network stack that often differs from that of end hosts. The discrepancies between the two state machines have been exploited to bypass such DPI based middleboxes.However, most prior approaches to do so rely on manually crafted adversarial packets, which not only are labor intensive but may not work well across a plurality of DPI-based middleboxes.Our goal in this work is to develop an automated way to craft candidate adversarial packets, targeting TCP implementations in particular. Our approach to achieving this goal hinges on the key insight that while the TCP state machines of DPI implementations are obscure, those of the end hosts are well established. Thus, in our system SYMTCP, using symbolic execution, we systematically explore the TCP implementation of an end host, identifying candidate packets that can reach critical points in the code (e.g.,which causes the packets to be accepted or dropped/ignored);such automatically identified packets are then fed through theDPI middlebox to determine if a discrepancy is induced and the middlebox can be eluded.

We find that our approach is extremely effective. It can generate tens of thousands of candidate adversarial packets in less than an hour. When evaluating against multiple state-of-the-art DPI systems such as Zeek and Snort, aswell as a state-level censorship system, viz. the Great Firewall ofChina, we identify not only previously known evasion strategies,but also novel ones that were never previously reported (e.g.,involving the urgent pointer). The system can be extended easily towards other combinations of operating systems and DPImiddleboxes, and serves as a valuable tool for testing future DPIs’robustness against evasion attempts.

Last Updated on 9 Apr 2021 (CC BY-SA 4.0)