A Tool for Offline and Live Testing of Evasion Resilience in Network Intrusion Detection Systems

(Extended Abstract)
  • Leo Juan
  • Christian Kreibich
  • Chih-Hung Lin
  • Vern Paxson
Conference paper

DOI: 10.1007/978-3-540-70542-0_14

Part of the Lecture Notes in Computer Science book series (LNCS, volume 5137)
Cite this paper as:
Juan L., Kreibich C., Lin CH., Paxson V. (2008) A Tool for Offline and Live Testing of Evasion Resilience in Network Intrusion Detection Systems. In: Zamboni D. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2008. Lecture Notes in Computer Science, vol 5137. Springer, Berlin, Heidelberg

Abstract

In this work we undertake the creation of a framework for testing the degree to which network intrusion detection systems (NIDS) detect and handle evasion attacks. Our prototype system, idsprobe, takes as input a packet trace and from it constructs a configurable set of variant traces that introduce different forms of ambiguities that can lead to evasions. Our test harness then uses these variant traces in either an offline configuration, in which the NIDS under test reads traffic from the traces directly, or a live setup, in which we employ replay technology to feed traffic over a physical network past a NIDS reading directly from a network interface, and potentially on to live victim machines. Summary reports of the differences in NIDS output tell the analyst to what degree the NIDS's results vary, reflecting sensitivities to (and possible detections of) different evasions. We demonstrate idsprobe using two popular open-source NIDSs and report on their respective abilities in dealing with evasive traffic.
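To make the workflow in the abstract concrete, the following is an added toy harness, not idsprobe's own code and not taken from the paper: it derives one variant trace from a baseline by injecting a TCP segment-overlap ambiguity, runs a single-signature stand-in detector under two reassembly policies (offline mode), and reports the variants whose verdict depends on the policy. The signature, traffic bytes and policy names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Segment:
    seq: int      # relative TCP sequence offset of the first payload byte
    data: bytes   # payload bytes


# Constructed sample signature and traffic (not from the paper).
SIGNATURE = b"test-signature"


def baseline_trace() -> List[Segment]:
    """A clean two-segment stream that every reassembly policy yields unchanged."""
    return [Segment(0, b"GET /"), Segment(5, b"test-signature HTTP/1.0\r\n")]


def overlap_variant(trace: List[Segment]) -> List[Segment]:
    """Variant generator: inject a same-length segment that overlaps the second
    one with different bytes, so the stream a NIDS sees depends on its policy."""
    return [trace[0], Segment(5, b"benign-content HTTP/1.0\r\n"), trace[1]]


def reassemble(trace: List[Segment], policy: str) -> bytes:
    """Reassemble under 'favor_old' (first data seen wins) or 'favor_new'
    (last data seen wins). Holes are not handled; sample traces are contiguous."""
    stream: Dict[int, int] = {}
    for seg in trace:
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if off not in stream or policy == "favor_new":
                stream[off] = b
    return bytes(stream[i] for i in range(len(stream)))


def detect(stream: bytes) -> bool:
    """Stand-in for the NIDS under test: one content signature."""
    return SIGNATURE in stream


def run_harness(variants: Dict[str, List[Segment]],
                policies=("favor_old", "favor_new")) -> Dict[str, Dict[str, bool]]:
    """Offline configuration: feed each variant trace to the detector per policy."""
    return {name: {p: detect(reassemble(t, p)) for p in policies}
            for name, t in variants.items()}


def summarise(results: Dict[str, Dict[str, bool]]) -> List[str]:
    """Summary report: a variant whose verdict changes with the reassembly
    policy marks an ambiguity this detector is sensitive to."""
    return [f"{name}: verdict depends on policy {verdicts}"
            for name, verdicts in results.items() if len(set(verdicts.values())) > 1]


if __name__ == "__main__":
    base = baseline_trace()
    for line in summarise(run_harness({"baseline": base, "overlap": overlap_variant(base)})):
        print(line)
```

A real harness would emit pcap variants for a NIDS reading from a file or, in the live setup, replay them onto the wire; the report logic is the same.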


Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Leo Juan (1)
  • Christian Kreibich (2)
  • Chih-Hung Lin (1)
  • Vern Paxson (2)
  1. Institute for Information Industry, Taipei City, Taiwan
  2. International Computer Science Institute, Berkeley, USA
