Mimicry Attacks Demystified: What Can Attackers Do to Evade Detection?

  • Authors:
  • Hilmi Günes Kayacik; A. Nur Zincir-Heywood

  • Venue:
  • PST '08 Proceedings of the 2008 Sixth Annual Conference on Privacy, Security and Trust
  • Year:
  • 2008

Abstract

Mimicry attacks have been the focus of detector research, where the objective of the attacker is to generate an attack that evades detection while still achieving the attacker's goals. If such an attack can be found, it implies that the target detector is vulnerable to mimicry attacks. In this work, we emphasize that a buffer overflow attack has two components: the preamble and the exploit. Although the attacker can modify the exploit component easily, the attacker may not be able to prevent the preamble from generating anomalous behavior, since during the preamble stage the attacker does not yet have full control. Previous work on mimicry attacks considered an attack to have completely evaded detection if the exploit raises no alarms. In this work, by contrast, we investigate the source of anomalies in both the preamble and the exploit components against two anomaly detectors that monitor four vulnerable UNIX applications. Our experimental results show that the preamble can be a source of anomalies, particularly if it is lengthy and anomalous.
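To make the preamble/exploit distinction concrete, the following added example (not the paper's detector or data) scores the two components of a constructed system-call trace separately with a simple sliding-window sequence model. The detector, the daemon's "normal" traces and the attack trace are all assumed for illustration; the point it shows is that an exploit segment that raises no alarms on its own can still sit behind a preamble that does.

```python
from typing import Dict, List, Set, Tuple

# Constructed normal traces of a hypothetical network daemon (not real data).
NORMAL_TRACES: List[List[str]] = [
    ["socket", "bind", "listen", "accept", "read", "write", "close"],
    ["socket", "bind", "listen", "accept", "read", "read", "write", "close"],
    ["socket", "bind", "listen", "accept", "read", "write", "write", "close"],
]

# Constructed attack trace split into its two components. The preamble is the
# lengthy delivery phase (repeated reads the daemon never performs normally);
# the exploit component is crafted to look like an ordinary request handler.
ATTACK_PREAMBLE = ["socket", "bind", "listen", "accept", "read", "read", "read", "read"]
ATTACK_EXPLOIT = ["read", "write", "close"]


def train(traces: List[List[str]], n: int = 3) -> Set[Tuple[str, ...]]:
    """Build the set of length-n call windows seen in normal behaviour."""
    db: Set[Tuple[str, ...]] = set()
    for trace in traces:
        for i in range(len(trace) - n + 1):
            db.add(tuple(trace[i:i + n]))
    return db


def anomaly_rate(db: Set[Tuple[str, ...]], trace: List[str], n: int = 3) -> float:
    """Fraction of length-n windows in `trace` that never occurred in training."""
    windows = [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]
    if not windows:
        return 0.0
    return sum(w not in db for w in windows) / len(windows)


def score_components(db: Set[Tuple[str, ...]], preamble: List[str],
                     exploit: List[str], n: int = 3) -> Dict[str, float]:
    """Score the exploit alone (what prior mimicry work checked), the preamble
    alone, and the full trace a deployed detector actually observes."""
    return {
        "exploit": anomaly_rate(db, exploit, n),
        "preamble": anomaly_rate(db, preamble, n),
        "full": anomaly_rate(db, preamble + exploit, n),
    }


def evaluate() -> Dict[str, float]:
    """Train on the constructed normal traces and score the constructed attack."""
    return score_components(train(NORMAL_TRACES), ATTACK_PREAMBLE, ATTACK_EXPLOIT)
```

Judged by the exploit component alone the attack is a perfect mimicry, yet the preamble and the full trace both raise anomalies, which is the measurement gap the paper argues against.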