Hiding Intrusions: From the Abnormal to the Normal and Beyond

  • Kymie Tan
  • John McHugh
  • Kevin Killourhy
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2578)


Anomaly-based intrusion detection has been held out as the best (perhaps the only) hope for detecting previously unknown exploits. We examine two anomaly detectors based on the analysis of sequences of system calls and demonstrate that the general information-hiding paradigm applies in this area as well. Given even a fairly restrictive definition of normal behavior, we were able to devise versions of several exploits that escape detection. This is done in several ways: by modifying the exploit so that its manifestations match "normal," by making a serious attack have the manifestations of a less serious but similar attack, and by making the attack look like an entirely different attack. We speculate that similar attacks are possible against other anomaly-based IDS and that the results have implications for other areas of information hiding.
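The abstract refers to detectors that learn "normal" from sequences of system calls; the stide detector cited in the paper's own references is the canonical example. The following is an added illustration, not code from the paper or its authors, of how such a detector works and where its blind spot lies: it builds a database of every length-k window seen in training traces and flags a test trace by how many consecutive windows are absent from that database. All traces, call names and the window size are constructed for this example. It also shows the limit a defender must keep in mind when choosing k: a trace whose every k-window was seen in training is scored as normal even if the trace as a whole never occurred.

```python
"""Toy stide-style system-call sequence anomaly detector (added example).

Training builds the set of all k-grams that appear in 'normal' traces.
Scoring slides the same window over a test trace and reports how many
windows are unseen and the longest run of consecutive unseen windows
(the quantity an operator would threshold on).
"""
from typing import Iterable, List, Set, Tuple

Window = Tuple[str, ...]


def windows(trace: List[str], k: int) -> List[Window]:
    """Return every length-k window of the trace, in order."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def train(normal_traces: Iterable[List[str]], k: int) -> Set[Window]:
    """Build the normal database: the set of all k-grams seen in training."""
    db: Set[Window] = set()
    for trace in normal_traces:
        db.update(windows(trace, k))
    return db


def score(trace: List[str], db: Set[Window], k: int) -> Tuple[int, int]:
    """Return (number of unseen windows, longest run of consecutive unseen windows)."""
    misses = [w not in db for w in windows(trace, k)]
    longest = run = 0
    for miss in misses:
        run = run + 1 if miss else 0
        longest = max(longest, run)
    return sum(misses), longest


def is_anomalous(trace: List[str], db: Set[Window], k: int, threshold: int) -> bool:
    """Alarm when the longest run of unseen windows reaches the threshold."""
    return score(trace, db, k)[1] >= threshold


# Constructed training data: three short "normal" executions of a toy program.
NORMAL_TRACES = [
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["open", "fstat", "read", "write", "close", "exit"],
]

# Constructed test traces.
FOREIGN = ["open", "read", "execve", "write", "close"]   # contains a call never seen in training
STITCHED = ["open", "read", "read", "write", "close", "exit"]  # never seen whole, but every 3-gram was

K = 3
DB = train(NORMAL_TRACES, K)

if __name__ == "__main__":
    print("normal  ", score(NORMAL_TRACES[0], DB, K))   # (0, 0): every window known
    print("foreign ", score(FOREIGN, DB, K))            # (3, 3): three consecutive unseen windows
    print("stitched", score(STITCHED, DB, K))           # (0, 0): the blind spot at k=3
    print("stitched, k=5", score(STITCHED, train(NORMAL_TRACES, 5), 5))  # (1, 1): caught with a wider window
```

The last line of the demo is the practical takeaway: the window size bounds what the detector can see. A wider window closes gaps like the stitched trace but enlarges the database and raises the false-alarm rate on legitimate but rare sequences, which is the trade-off the paper's "Why 6?" reference studies.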


Keywords: Intrusion Detection, Anomaly Detector, System Call, Intrusion Detection System, Information Hiding





Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Kymie Tan (1)
  • John McHugh (2)
  • Kevin Killourhy (1)
  1. Department of Computer Science, Carnegie Mellon University, Pittsburgh, USA
  2. CERT® Coordination Center and Center for Computer and Communications Security, Carnegie Mellon University, Pittsburgh, USA
