Fault Injection for Dependability Validation: A Methodology and Some Applications
IEEE Transactions on Software Engineering
State Transition Analysis: A Rule-Based Intrusion Detection Approach
IEEE Transactions on Software Engineering
Testing and evaluating computer intrusion detection systems
Communications of the ACM
ACM Transactions on Information and System Security (TISSEC)
Computer
Validation of Sensor Alert Correlators
IEEE Security and Privacy
ACSAC '03 Proceedings of the 19th Annual Computer Security Applications Conference
Snort - Lightweight Intrusion Detection for Networks
LISA '99 Proceedings of the 13th USENIX conference on System administration
On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits
Proceedings of the 12th ACM conference on Computer and communications security
On evolving buffer overflow attacks using genetic programming
Proceedings of the 8th annual conference on Genetic and evolutionary computation
Profiling self-propagating worms via behavioral footprinting
Proceedings of the 4th ACM workshop on Recurring malcode
Protomatching network traffic for high throughput network intrusion detection
Proceedings of the 13th ACM conference on Computer and communications security
Evading network anomaly detection systems: formal reasoning and practical techniques
Proceedings of the 13th ACM conference on Computer and communications security
An architecture for generating semantics-aware signatures
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Detecting targeted attacks using shadow honeypots
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
A hybrid machine learning approach to network anomaly detection
Information Sciences: an International Journal
Memsherlock: an automated debugger for unknown memory corruption vulnerabilities
Proceedings of the 14th ACM conference on Computer and communications security
Automating DDoS experimentation
DETER Proceedings of the DETER Community Workshop on Cyber Security Experimentation and Test on DETER Community Workshop on Cyber Security Experimentation and Test 2007
International Journal of Information and Computer Security
A Tool for Offline and Live Testing of Evasion Resilience in Network Intrusion Detection Systems
DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Fast and Black-box Exploit Detection and Signature Generation for Commodity Software
ACM Transactions on Information and System Security (TISSEC)
Boosting Web Intrusion Detection Systems by Inferring Positive Signatures
OTM '08 Proceedings of the OTM 2008 Confederated International Conferences, CoopIS, DOA, GADA, IS, and ODBASE 2008. Part II on On the Move to Meaningful Internet Systems
Panacea: Automating Attack Classification for Anomaly-Based Network Intrusion Detection Systems
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
An overview of network evasion methods
Information Security Tech. Report
An SVM-based machine learning method for accurate internet traffic classification
Information Systems Frontiers
Protocol normalization using attribute grammars
ESORICS'09 Proceedings of the 14th European conference on Research in computer security
HMM-web: a framework for the detection of attacks against web applications
ICC'09 Proceedings of the 2009 IEEE international conference on Communications
Tools for worm experimentation on the DETER testbed
International Journal of Communication Networks and Distributed Systems
A case for exploit-robust and attack-aware protocol RFCs
IPDPS'06 Proceedings of the 20th international conference on Parallel and distributed processing
Network intrusion detection: dead or alive?
Proceedings of the 26th Annual Computer Security Applications Conference
Neural visualization of network traffic data for intrusion detection
Applied Soft Computing
Escape from monkey island: evading high-interaction honeyclients
DIMVA'11 Proceedings of the 8th international conference on Detection of intrusions and malware, and vulnerability assessment
A model-based attack injection approach for security validation
Proceedings of the 4th international conference on Security of information and networks
Testing CAB-IDS through mutations: on the identification of network scans
KES'06 Proceedings of the 10th international conference on Knowledge-Based Intelligent Information and Engineering Systems - Volume Part II
A general model and guidelines for attack manifestation generation
CRITIS'07 Proceedings of the Second international conference on Critical Information Infrastructures Security
Mitigating program security vulnerabilities: Approaches and challenges
ACM Computing Surveys (CSUR)
WAFFle: fingerprinting filter rules of web application firewalls
WOOT'12 Proceedings of the 6th USENIX conference on Offensive Technologies
Methods for testing network-intrusion detection systems
Scientific and Technical Information Processing
Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues
Information Sciences: an International Journal
Towards application classification with vulnerability signatures for IDS/IPS
Proceedings of the First International Conference on Security of Internet of Things
Misuse-based intrusion detection systems rely on models of attacks to identify the manifestation of intrusive behavior. Therefore, the ability of these systems to reliably detect attacks is strongly affected by the quality of their models, which are often called "signatures." A perfect model would be able to detect all the instances of an attack without making mistakes, that is, it would produce a 100% detection rate with 0 false alarms. Unfortunately, writing good models (or good signatures) is hard. Attacks that exploit a specific vulnerability may do so in completely different ways, and writing models that take into account all possible variations is very difficult. For this reason, it would be beneficial to have testing tools that are able to evaluate the "goodness" of detection signatures. This work describes a technique to test and evaluate misuse detection models in the case of network-based intrusion detection systems. The testing technique is based on a mechanism that generates a large number of variations of an exploit by applying mutant operators to an exploit template. These mutant exploits are then run against a victim host protected by a network-based intrusion detection system. The results of the systems in detecting these variations provide a quantitative basis for the evaluation of the quality of the corresponding detection model.