DOI: 10.1007/978-3-540-70542-0_14

A Tool for Offline and Live Testing of Evasion Resilience in Network Intrusion Detection Systems

Abstract: In this work we undertake the creation of a framework for testing the degree to which network intrusion detection systems (NIDS) detect and handle evasion attacks. Our prototype system, idsprobe, takes as input a packet trace and from it constructs a configurable set of variant traces that introduce different forms of ambiguities that can lead to evasions. Our test harness then uses these variant traces in either an offline configuration, in which the NIDS under test reads traffic from the traces dir…
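The abstract describes idsprobe deriving variant traces from a base trace so that the NIDS and the end host may interpret the same bytes differently. The following is an added illustration, not idsprobe's code or anything from the paper: a constructed Python toy that builds two kinds of variant from a payload (packet splitting, and duplicate insertion with inconsistent data, the two techniques the citing papers attribute to this class of tool) and runs them past a per-packet signature matcher and a stream reassembler under two overlap policies. The payload, the signature, the function names and the "first-wins"/"last-wins" policies are assumptions made for the example; real TCP stacks resolve overlaps with finer-grained rules.

```python
"""Added example (not idsprobe's code): generate evasion variants of a TCP
payload and show how a detector's reassembly choices decide what it matches.

Sequence numbers are byte offsets from the start of the stream.  Everything
here is a constructed toy, not a model of any particular TCP implementation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # byte offset of data[0] within the stream
    data: bytes


def split_variant(payload: bytes, chunk: int) -> list[Segment]:
    """Packet splitting: deliver the payload as consecutive chunk-byte segments.
    No byte is ever sent twice, so a reassembling detector sees the full payload;
    a detector that inspects packets one at a time never sees a signature longer
    than `chunk` bytes."""
    if chunk < 1:
        raise ValueError("chunk must be >= 1")
    return [Segment(i, payload[i:i + chunk]) for i in range(0, len(payload), chunk)]


def overlap_variant(payload: bytes, start: int, decoy: bytes) -> list[Segment]:
    """Inconsistent duplicate insertion: a decoy segment covering
    payload[start:start+len(decoy)] is sent first, then the genuine bytes for the
    same offsets are sent again.  Which copy 'wins' depends on the receiver's
    overlap policy, so the NIDS and the end host can reconstruct different streams."""
    end = start + len(decoy)
    if not 0 <= start < end <= len(payload):
        raise ValueError("decoy must lie inside the payload")
    return [
        Segment(0, payload[:start]),
        Segment(start, decoy),               # arrives first, wrong data
        Segment(start, payload[start:end]),  # genuine bytes, same seq range
        Segment(end, payload[end:]),
    ]


def reassemble(segments: list[Segment], policy: str) -> bytes:
    """Byte-wise reassembly under one of two assumed overlap policies:
    'first' keeps the first byte seen for an offset and ignores later copies;
    'last'  lets a later copy overwrite an earlier one.
    Offsets never filled are rendered as NUL so gaps are visible."""
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    buf: dict[int, int] = {}
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if policy == "last" or off not in buf:
                buf[off] = b
    return bytes(buf.get(i, 0) for i in range(max(buf) + 1)) if buf else b""


def per_packet_match(segments: list[Segment], sig: bytes) -> bool:
    """Signature matching with no reassembly: each segment is inspected alone."""
    return any(sig in seg.data for seg in segments)


def stream_match(segments: list[Segment], sig: bytes, policy: str) -> bool:
    """Signature matching on the stream reassembled under `policy`."""
    return sig in reassemble(segments, policy)


def evasion_report(payload: bytes, sig: bytes, chunk: int,
                   start: int, decoy: bytes) -> dict[str, bool]:
    """Run both variants against the detection strategies.  A False entry is an
    evasion relative to a host whose own reassembly yields the genuine payload."""
    split = split_variant(payload, chunk)
    overlap = overlap_variant(payload, start, decoy)
    return {
        "split/per-packet": per_packet_match(split, sig),
        "split/stream": stream_match(split, sig, "first"),
        "overlap/first-wins": stream_match(overlap, sig, "first"),
        "overlap/last-wins": stream_match(overlap, sig, "last"),
    }


# Constructed sample input: a request path that a hypothetical signature looks for.
PAYLOAD = b"GET /admin/config HTTP/1.0\r\n"
SIG = b"/admin/config"

if __name__ == "__main__":
    # Decoy overwrites the five bytes of "admin" (offsets 5..9) in the first copy.
    for name, hit in evasion_report(PAYLOAD, SIG, chunk=4, start=5, decoy=b"xxxxx").items():
        print(f"{name:20} detected={hit}")
```

Read against the abstract: the split variant only evades a detector that never reassembles, while the overlap variant evades a first-wins detector whenever the host is last-wins (and the reverse if the decoy is sent second), which is exactly the kind of ambiguity a harness like idsprobe is built to exercise.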

Cited by 7 publications
(6 citation statements)
References 9 publications
“…Combinations. Evasions based on modifications at each of the application, transport and network layers of the TCP/IP stack are described in [32] and [33]. Cheng et al. [32] described general evasion techniques and examined the detection performance of signature-based NIDS when performing mutation of known attacks.…”
Section: Related Work
confidence: 99%
“…In paper [5], the prototype system IDSprobe is introduced, which tests the accuracy of NIDS in detecting and handling evasion attacks. The author of paper [7] introduces the Split Detect approach, wherein he focuses on splitting the signature into pieces. By splitting the signature, the attacker is forced to include at least one piece of information completely, and then the abnormal behavior of packets can be identified.…”
Section: (untitled)
confidence: 99%
“…Besides the evasion tools listed in Table I, a few other tools can also generate evasion traffic, such as FTester (dev.inversepath.com/trac/ftester), idsprobe [37] and AGENT [38]. These tools can play several combinations of evasion techniques based on packet splitting and duplicate insertion, as well as a few payload mutations.…”
Section: B Evasion Tools
confidence: 99%
“…We assess only signature-based IPSs since they are dominant in operational environments [2]. We also notice that Juan et al. [37] …”
Section: Evasion Testing
confidence: 99%