An experience developing an IDS stimulator for the black-box testing of network intrusion detection systems

Mutz, D.; Vigna, Giovanni; Kemmerer, Richard A.

doi:10.1109/csac.2003.1254342

Cited by 62 publications

(51 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For instance, an over-stimulation attack occurs when an attacker knows the signatures of a NIDS and forces it to generate a huge amount of alarms [26]. In such situation, the security officer analyzing the alerts would be overwhelmed and an actual attack may not be detected.…”

Section: Attacks On Nidsmentioning

confidence: 99%

Randomized Anagram revisited

Pastrana

Orfila

Tapiador

et al. 2014

Journal of Network and Computer Applications

View full text Add to dashboard Cite

When compared to signature-based Intrusion Detection Systems (IDS), anomaly detectors present the potential advantage of detecting previously unseen attacks, which makes them an attractive solution against zero-day exploits and other attacks for which a signature is unavailable. Most anomaly detectors rely on machine learning algorithms to derive a model of normality that is later used to detect suspicious events. Such algorithms, however, are generally susceptible to evasion by means of carefully constructed attacks that are not recognized as anomalous. Different strategies to thwart evasion have been proposed over the last years, including the use of randomization to make somewhat uncertain how each packet will be processed. In this paper we analyze the strength of the randomization strategy suggested for Anagram, a well-known anomaly detector based on n-gram models. We show that an adversary who can interact with the system for a short period of time with inputs of his choosing will be able to recover the secret mask used to process packets. We describe and discuss an efficient algorithm to do this and report our experiences with a prototype implementation. Furthermore, we show that the specific form of randomization suggested for Anagram is a double-edged sword, as knowledge of the mask makes evasion easier than in the non-randomized case. We finally discuss a simple countermeasure to prevent our attacks.

show abstract

Section: Attacks On Nidsmentioning

confidence: 99%

Randomized Anagram revisited

Pastrana

Orfila

Tapiador

et al. 2014

Journal of Network and Computer Applications

View full text Add to dashboard Cite

show abstract

“…Darren et al [14] introduced the general testing approach called Mucus which analyzes the data captured from the system. The authors used cross testing experiments with both an open-source and commercial tool.…”

Section: Related Workmentioning

confidence: 99%

Adaptive Hybrid Model for Network Intrusion Detection and Comparison among Machine Learning Algorithms

Haque¹,

Al-Kharobi²

2015

IJMLC

View full text Add to dashboard Cite

Abstract-In this paper, we propose a novel method using ensemble learning scheme for classifying network intrusion detection from the most renowned KDD cup dataset. We have shown that reducing the dimensionality of the large dataset provides most accurate detection. Additionally, several machine learning algorithms are used to generate the accuracy metrics and analyzed further for proper comparison. Our approach found out that this algorithm outperforms all other learning techniques. Our goal is to analyze the network intrusion data and find out the best components and use them for the attack analysis. This scheme can be used in parallel with the intrusion detection system to augment its prediction performance for the future data packets. Empirical results show that the input dimensionality reduction can provide lightweight intrusion detection system that can be embedded with the vulnerable system for generating correct classification with significance improvement in execution time.

show abstract

“…By false positive we mean all network activities that are licit or harmless to the protected systems, but that have been erroneously signaled by the NIDS as a security threat. We should also consider that several techniques can be utilized by skilled attackers to cover up the attack traces by forcing a NIDS to generate storms of irrelevant alerts [2,3]. If the NIDS is working properly, the real attack is likely identified and signaled, but important alerts are hidden among several thousands of other irrelevant and misleading alerts.…”

Section: Intrusion Alert Filtering and Rankingmentioning

confidence: 99%

Selective alerts for runtime protection of distributed systems

Colajanni¹,

Gozzi²,

Marchetti³

2008

Data Mining IX

View full text Add to dashboard Cite

Network Intrusion Detection Systems (NIDS) are popular components for a fast detection of network attacks and intrusions, but their efficacy is limited by overwhelming amounts of false alarms that have to be manually managed by system administrators. In order to improve the efficacy of attack detection and reduce the amount of false positives, we propose a novel scheme for runtime alert management. It filters innocuous attacks by taking advantage of the correlation between the NIDS alerts and detailed information concerning the protected information systems, that is retrieved from heterogeneous and unstructured data sources. Thanks to the proposed scheme, an alert is sent to the system administrator only if an attack threatens some real vulnerability of the protected hosts. Otherwise, as it occurs in the large majority of the cases, the alert is stored for a subsequent offline analysis. The viability and efficacy of the proposed solution are demonstrated through an operative prototype that has been tested in networks subject to realistic attacks.

show abstract

An experience developing an IDS stimulator for the black-box testing of network intrusion detection systems

Cited by 62 publications

References 9 publications

Randomized Anagram revisited

Randomized Anagram revisited

Adaptive Hybrid Model for Network Intrusion Detection and Comparison among Machine Learning Algorithms

Selective alerts for runtime protection of distributed systems

Contact Info

Product

Resources

About