Evasion Techniques (Fragmentation, Encryption, and Polymorphism)

#Flying Under the Radar: IDS Evasion#link

Attackers continually develop techniques designed to reduce the effectiveness of network detection systems. By exploiting protocol ambiguities, leveraging encryption, or modifying malware characteristics, they attempt to conceal malicious activity from security monitoring tools.

Fragmentation and Reassembly Challenges

Historically, attackers used IP fragmentation and overlapping fragments to evade intrusion detection systems. If a monitoring device reconstructed traffic differently than the destination host, an attacker could potentially cause the IDS to observe different data than the target system processed. Modern IDS platforms include sophisticated reassembly and normalization capabilities to mitigate these techniques.

While fragmentation-based evasion is less effective against modern systems, unusual fragment rates or malformed packet structures can still indicate reconnaissance or malicious activity.

Encryption and Polymorphism

Encryption can limit the effectiveness of payload-based inspection because application data is protected from direct observation. However, defenders can still analyze metadata such as connection patterns, certificates, TLS fingerprints, and traffic behavior. Polymorphic malware further complicates detection by continuously modifying its code or appearance to avoid static signatures.

• ▪Enable stream reassembly and normalization
• ▪Monitor encrypted traffic metadata
• ▪Use behavioral detection capabilities
• ▪Investigate abnormal fragmentation patterns
• ▪Combine network and endpoint visibility