A Tool for Offline and Live Testing of Evasion Resilience in Network Intrusion Detection Systems

Authors:
Leo Juan;Christian Kreibich;Chih-Hung Lin;Vern Paxson
Affiliations:
Institute For Information Industry, Taipei City, Taiwan;International Computer Science Institute, Berkeley, USA;Institute For Information Industry, Taipei City, Taiwan;International Computer Science Institute, Berkeley, USA
Venue:
DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Year:
2008

Citing 10
Cited 1

Bro: a system for detecting network intruders in real-time

Computer Networks: The International Journal of Computer and Telecommunications Networking
Active Mapping: Resisting NIDS Evasion without Altering Traffic

SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
A high-level programming environment for packet trace anonymization and transformation

Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Protocol scrubbing: network security through transparent flow modification

IEEE/ACM Transactions on Networking (TON)
Testing network-based intrusion detection signatures using mutant exploits

Proceedings of the 11th ACM conference on Computer and communications security
Automatic Generation and Analysis of NIDS Attacks

ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Design and implementation of netdude, a framework for packet trace manipulation

ATEC '04 Proceedings of the annual conference on USENIX Annual Technical Conference
Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
A virtual honeypot framework

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Enhancing the accuracy of network-based intrusion detection with host-based context

DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment

Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues

Information Sciences: an International Journal

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this work we undertake the creation of a framework for testing the degree to which network intrusion detection systems (NIDS) detect and handle evasion attacks. Our prototype system, idsprobe, takes as input a packet trace and from it constructs a configurable set of variant traces that introduce different forms of ambiguities that can lead to evasions. Our test harness then uses these variant traces in either an offline configuration, in which the NIDS under test reads traffic from the traces directly, or a livesetup, in which we employ replay technology to feed traffic over a physical network past a NIDS reading directly from a network interface, and to potentially live victim machines. Summary reports of the differences in NIDS output tell the analyst to what degree the NIDS's results vary, reflecting sensitivities to (and possible detections of) different evasions. We demonstrate idsprobeusing two popular open-source NIDSs and report on their respective abilities in dealing with evasive traffic.