Alert verification evasion through server response forging

Authors:
Adam D. Todd;Richard A. Raines;Rusty O. Baldwin;Barry E. Mullins;Steven K. Rogers
Affiliations:
Center for Cyberspace Research, Air Force Institute of Technology, Department of Electrical and Computer Engineering, Wright-Patterson AFB, OH and Air Force Research Laboratory, Wright-Patterson A ...;Center for Cyberspace Research, Air Force Institute of Technology, Department of Electrical and Computer Engineering, Wright-Patterson AFB, OH and Air Force Research Laboratory, Wright-Patterson A ...;Center for Cyberspace Research, Air Force Institute of Technology, Department of Electrical and Computer Engineering, Wright-Patterson AFB, OH and Air Force Research Laboratory, Wright-Patterson A ...;Center for Cyberspace Research, Air Force Institute of Technology, Department of Electrical and Computer Engineering, Wright-Patterson AFB, OH and Air Force Research Laboratory, Wright-Patterson A ...;Center for Cyberspace Research, Air Force Institute of Technology, Department of Electrical and Computer Engineering, Wright-Patterson AFB, OH and Air Force Research Laboratory, Wright-Patterson A ...
Venue:
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Year:
2007

Citing 10
Cited 0

Mimicry attacks on host-based intrusion detection systems

Proceedings of the 9th ACM conference on Computer and communications security
Enhancing byte-level network intrusion detection signatures with context

Proceedings of the 10th ACM conference on Computer and communications security
Network traffic anomaly detection based on packet bytes

Proceedings of the 2003 ACM symposium on Applied computing
Unsupervised learning techniques for an intrusion detection system

Proceedings of the 2004 ACM symposium on Applied computing
A Comprehensive Approach to Intrusion Detection Alert Correlation

IEEE Transactions on Dependable and Secure Computing
Detection and prevention of stack buffer overflow attacks

Communications of the ACM
Verify Results of Network Intrusion Alerts Using Lightweight Protocol Analysis

ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
Network Intrusion Detection: Automated and Manual Methods Prone to Attack and Evasion

IEEE Security and Privacy
Network–Level polymorphic shellcode detection using emulation

DIMVA'06 Proceedings of the Third international conference on Detection of Intrusions and Malware & Vulnerability Assessment
Polymorphic worm detection using structural information of executables

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection

Quantified Score

Hi-index	0.00

Visualization

Abstract

Intrusion Detection Systems (IDSs) are necessary components in the defense of any computer network. Network administrators rely on IDSs to detect attacks, but ultimately it is their responsibility to investigate IDS alerts and determine the damage done. With the number of alerts increasing, IDS analysts have turned to automated methods to help with alert verification. This research investigates this next step of the intrusion detection process. Some alert verification mechanisms attempt to identify successful intrusion attempts based on server responses and protocol analysis. This research examines the server responses generated by four different exploits across four different Linux distributions. Next, three techniques capable of forging server responses on Linux operating systems are developed and implemented. This research shows that these new alert verification evasion methods can make attacks appear unsuccessful even though the exploitation occurs. This type of attack ignores detection and tries to evade the verification process.