SearchSecurity.com

advanced evasion technique (AET)

An advanced evasion technique (AET) is a type of network attack that combines several different known evasion methods to create a new technique that's delivered over several layers of the network simultaneously. The code in the AET itself is not necessarily malicious; the danger is that it provides the attacker with undetectable access to the network.

There are currently about 200 known evasion techniques that are recognized by vendor products. An AET can create literally millions of "new" evasion techniques from just a couple of combinations -- none of which would be recognized by current intrusion detection system (IDS) vendor products. If all 200 were used, the permutations would be unlimited.

Here is a very simplified explanation of how an AET works:

The Finnish data security vendor Stonesoft was the first to identify and report on the danger of AETs. The Community Emergency Response Team (CERT) in Finland is working with Stonesoft and other network security suppliers to address vulnerabilities that are being exposed during testing.

See also: metamorphic and polymorphic malware

Stonesoft demonstrates how AETs work in this short video.

20 Oct 2010
