Evaluating intrusion prevention systems with evasions

Särelä, Mikko; Kyöstilä, Tomi; Kiravuo, Timo; Manner, Jukka

doi:10.1002/dac.3339

Cited by 6 publications

(2 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Vidal et al [6] classified the most representative evasion techniques into five categories: Insertion and Evasion, Denial of Service, Malware Obfuscation, Link Layer, and Application Layer. A single evasion technique is called an atomic evasion [7]. Xiong et al [8] summarized common atomic evasion techniques and at least 147 atomic evasions have been discovered [9].…”

Section: Introductionmentioning

confidence: 99%

“…Modern NIDS vendors publish extensive performance testing results regarding the line speed and breadth of attacks detected by their systems, but little information regarding their resilience to evasions. A recent effectiveness evaluation of 35 well-known evasions against nine commercial and one free state-of-the-art NIDS showed that even a single evasion technique from the 1990s with suitable parameters can successfully evade the detection of the best existing NIDS [7]. Cheng et al [11] assessed the effectiveness of evasion techniques for FortiGate, Snort and ZyXEL.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Detection and Recognition of Atomic Evasions Against Network Intrusion Detection/Prevention Systems

et al. 2019

View full text Add to dashboard Cite

Network evasions can bypass network intrusion detection/prevention systems to deliver exploits, attacks, or malware to victims without being detected. This paper presents a novel method for the detection and recognition of atomic network evasions by the classification of a transmission control protocol (TCP) stream's packet behavior. The syntax for the conversion of TCP streams to codeword streams is proposed to facilitate the extraction of statistical features while preserving the evasion behavior attributes of original network flows. We developed a feature extraction method of employing the normalized term frequencies of codewords to characterize intra and inter packet attribute patterns hidden in actual TCP streams. A TCP stream is then transformed to a fixed length numeric feature vector. Supervised multi-class classifiers are built on the extracted feature vectors to differentiate different types of evasions from normal streams. The quantitative evaluations on an evasion dataset consisting of normal network flows and eight types of atomic evasion flows demonstrated that the proposed approach achieved an encouraging performance with an accuracy of 98.95%. INDEX TERMSNetwork intrusion detection/prevention, network evasion, term frequency and inverse document frequency.

show abstract

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%