Hiding Intrusions: From the Abnormal to the Normal and Beyond

  • Kymie Tan
  • John McHugh
  • Kevin Killourhy
Conference paper

DOI: 10.1007/3-540-36415-3_1

Part of the Lecture Notes in Computer Science book series (LNCS, volume 2578)
Cite this paper as:
Tan K., McHugh J., Killourhy K. (2003) Hiding Intrusions: From the Abnormal to the Normal and Beyond. In: Petitcolas F.A.P. (eds) Information Hiding. IH 2002. Lecture Notes in Computer Science, vol 2578. Springer, Berlin, Heidelberg

Abstract

Anomaly based intrusion detection has been held out as the best (perhaps only) hope for detecting previously unknown exploits. We examine two anomaly detectors based on the analysis of sequences of system calls and demonstrate that the general information hiding paradigm applies in this area also. Given even a fairly restrictive definition of normal behavior, we were able to devise versions of several exploits that escape detection. This is done in several ways: by modifying the exploit so that its manifestations match “normal,” by making a serious attack have the manifestations of a less serious but similar attack, and by making the attack look like an entirely different attack. We speculate that similar attacks are possible against other anomaly based IDS and that the results have implications for other areas of information hiding.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Kymie Tan
    • 1
  • John McHugh
    • 2
  • Kevin Killourhy
    • 1
  1. 1.Department of Computer ScienceCarnegie Mellon UniversityPittsburghUSA
  2. 2.CERT ®Coordination Center and Center for Computer and Communications SecurityCarnegie Mellon UniversityPittsburghUSA

Personalised recommendations