Signature-based intrusion detection systems use a set of attack descriptions to analyze event streams, looking for evidence of malicious behavior. If the signatures are expressed in a well-defined language, it is possible to analyze the attack signatures and automatically generate events or series of events that conform to the attack descriptions. This approach has been used in tools whose goal is to force intrusion detection systems to generate a large number of detection alerts. The resulting "alert storm" is used to desensitize intrusion detection system administrators and hide attacks in the event stream. We apply a similar technique to perform testing of intrusion detection systems. Signatures from one intrusion detection system are used as input to an event stream generator that produces randomized synthetic events that match the input signatures. The resulting event stream is then fed to a number of different intrusion detection systems and the results are analyzed. This paper presents the general testing approach and describes the first prototype of a tool, called Mucus, that automatically generates network traffic using the signatures of the Snort network-based intrusion detection system. The paper describes preliminary cross-testing experiments with both an open-source and a commercial tool and reports the results. An evasion attack that was discovered as a result of analyzing the test results is also presented.
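The following is an added illustration of the signature-driven generation loop the abstract describes, written for this page; it is not the Mucus prototype's code and does not reflect how Mucus parses real Snort rules. It handles only a tiny subset of the Snort rule language (destination port, `content`, `nocase`, `msg`, `sid`), the two rules are constructed for the example rather than taken from any ruleset, and the "IDS" that the generated events are fed to is a toy in-order content matcher standing in for the systems under test.

```python
"""Miniature Mucus-style generator: parse simplified Snort rules, emit
randomized payloads that satisfy each rule's content options, then feed
them to a toy matcher that plays the role of the IDS under test."""
import random
import re

# Constructed sample rules for this example (not from any real ruleset).
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"WEB-MISC /etc/passwd access"; '
    'content:"GET "; content:"/etc/passwd"; nocase; sid:9000001;)',
    'alert tcp any any -> any 21 (msg:"FTP USER overflow"; '
    'content:"USER "; nocase; content:"|41 41 41 41|"; sid:9000002;)',
]

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')


def split_options(opts):
    """Split 'k:v; k:v;' on semicolons that are not inside double quotes."""
    out, cur, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            out.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if ''.join(cur).strip():
        out.append(''.join(cur).strip())
    return [o for o in out if o]


def decode_content(text):
    """Turn a Snort content string into bytes; |41 42| segments are hex."""
    result = b''
    for i, part in enumerate(text.split('|')):
        if i % 2 == 1:  # odd segments sit between pipes: hex bytes
            result += bytes.fromhex(part.replace(' ', ''))
        else:
            result += part.encode('latin-1')
    return result


def parse_rule(rule):
    """Extract the header fields and content options the generator needs."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError('unsupported rule syntax: ' + rule)
    info = {'proto': m['proto'], 'dport': m['dport'],
            'msg': None, 'sid': None, 'contents': []}
    for opt in split_options(m['opts']):
        name, _, value = opt.partition(':')
        name, value = name.strip(), value.strip()
        if name == 'content':
            info['contents'].append(
                {'bytes': decode_content(value.strip('"')), 'nocase': False})
        elif name == 'nocase' and info['contents']:
            info['contents'][-1]['nocase'] = True  # applies to preceding content
        elif name == 'msg':
            info['msg'] = value.strip('"')
        elif name == 'sid':
            info['sid'] = int(value)
    return info


def random_filler(rng, max_len=16):
    """Random bytes placed around the required content strings."""
    return bytes(rng.getrandbits(8) for _ in range(rng.randint(0, max_len)))


def randomize_case(rng, data):
    """Flip the case of ASCII letters at random (legal only under nocase)."""
    return bytes(b ^ 0x20 if (65 <= b <= 90 or 97 <= b <= 122)
                 and rng.random() < 0.5 else b for b in data)


def generate_event(rule, rng):
    """Build one synthetic (dport, payload) event that should fire `rule`."""
    payload = random_filler(rng)
    for c in rule['contents']:
        chunk = randomize_case(rng, c['bytes']) if c['nocase'] else c['bytes']
        payload += chunk + random_filler(rng)
    dport = rng.randint(1024, 65535) if rule['dport'] == 'any' else int(rule['dport'])
    return dport, payload


def rule_matches(rule, dport, payload):
    """Toy IDS: search for each content in order, honouring nocase."""
    if rule['dport'] != 'any' and dport != int(rule['dport']):
        return False
    pos = 0
    for c in rule['contents']:
        hay, needle = payload[pos:], c['bytes']
        if c['nocase']:
            hay, needle = hay.lower(), needle.lower()
        idx = hay.find(needle)
        if idx < 0:
            return False
        pos += idx + len(needle)
    return True


def cross_test(rules, seed=1, events_per_rule=5):
    """Generate events from each rule and count how many the matcher fires on."""
    rng = random.Random(seed)
    hits = total = 0
    for rule in (parse_rule(r) for r in rules):
        for _ in range(events_per_rule):
            dport, payload = generate_event(rule, rng)
            total += 1
            hits += rule_matches(rule, dport, payload)
    return hits, total


if __name__ == '__main__':
    print(cross_test(SAMPLE_RULES, seed=7, events_per_rule=10))
```

In a real cross-test the generated payloads would be wrapped in packets and replayed at several IDSs, and a miss by one of them is the interesting result: the filler bytes, the randomized case under `nocase`, and the randomized source port are exactly the degrees of freedom a signature leaves open, so a detector that fails on some of these variants is being exercised on its own interpretation of the rule rather than on the single canonical exploit.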