A Tool for Offline and Live Testing of Evasion Resilience in Network Intrusion Detection Systems

(Extended Abstract)
  • Leo Juan
  • Christian Kreibich
  • Chih-Hung Lin
  • Vern Paxson
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5137)


In this work we undertake the creation of a framework for testing the degree to which network intrusion detection systems (NIDS) detect and handle evasion attacks. Our prototype system, idsprobe, takes as input a packet trace and from it constructs a configurable set of variant traces that introduce different forms of ambiguities that can lead to evasions. Our test harness then uses these variant traces in either an offline configuration, in which the NIDS under test reads traffic from the traces directly, or a live setup, in which we employ replay technology to feed traffic over a physical network past a NIDS reading directly from a network interface, and to potentially live victim machines. Summary reports of the differences in NIDS output tell the analyst to what degree the NIDS’s results vary, reflecting sensitivities to (and possible detections of) different evasions. We demonstrate idsprobe using two popular open-source NIDSs and report on their respective abilities in dealing with evasive traffic.


Intrusion Detection Test Trace Live Test Input Trace Packet Trace 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Group, N.: Network IPS Testing Procedure (V4.0) (2006),
  2. 2.
    Shankar, U., Paxson, V.: Active mapping: resisting NIDS evasion without altering traffic. In: Proc. Symposium on Security and Privacy, pp. 44–61 (2003)Google Scholar
  3. 3.
    Dreger, H., Kreibich, C., Paxson, V., Sommer, R.: Enhancing the accuracy of network-based intrusion detection with host-based context. In: Julisch, K., Krügel, C. (eds.) DIMVA 2005. LNCS, vol. 3548. Springer, Heidelberg (2005)Google Scholar
  4. 4.
    Taleck, G.: Ambiguity Resolution via Passive OS Fingerprinting. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 192–206. Springer, Heidelberg (2003)Google Scholar
  5. 5.
    Handley, M., Paxson, V., Kreibich, C.: Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. In: Proc. USENIX Security Symposium (2001)Google Scholar
  6. 6.
    Watson, D., Smart, M., Malan, G.R., Jahanian, F.: Protocol Scrubbing: Network Security through Transparent Flow Modification. IEEE/ACM Transactions on Networking 12(2), 261–273 (2004)CrossRefGoogle Scholar
  7. 7.
    Pang, R., Paxson, V.: A High-Level Programming Environment for Packet Trace Anonymization and Transformation. In: Proceedings of the ACM SIGCOMM Conference (August 2003)Google Scholar
  8. 8.
    Paxson, V.: Bro: A system for detecting network intruders in real-time. Computer Networks 31(23-24), 2435–2463 (1999)CrossRefGoogle Scholar
  9. 9.
    Kreibich, C.: Design and Implementation of Netdude, a Framework for Packet Trace Manipulation. In: Proc. USENIX Technical Conference, FREENIX track (2004)Google Scholar
  10. 10.
    Biondi, P.: Scapy, a powerful interactive packet manipulation program,
  11. 11.
    Provos, N.: A Virtual Honeypot Framework. In: Proceedings of the 13th USENIX Security Symposium, pp. 1–14 (2004)Google Scholar
  12. 12.
    SourceFire: Snort, the Open Source Network Intrusion Detection System,
  13. 13.
    Ptacek, T., Newsham, T.: Insertion, evasion, and denial of service: Eluding network intrusion detection. Secure Networks, Inc. (January 1998)Google Scholar
  14. 14.
    Vigna, G., Robertson, W., Balzarotti, D.: Testing network-based intrusion detection signatures using mutant exploits. In: Proceedings of the 11th ACM Conference on Computer and Communications Security, pp. 21–30 (2004)Google Scholar
  15. 15.
    Rubin, S., Jha, S., Miller, B.: Automatic Generation and Analysis of NIDS Attacks. In: Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC 2004), vol. 00, pp. 28–38 (2004)Google Scholar
  16. 16.
    Marty, R.: Thor – A Tool to Test Intrusion Detection Systems by Variations of Attacks. Master’s thesis, Swiss Federal Institute of Technology, Zurich, Switzerland (2002)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Leo Juan
    • 1
  • Christian Kreibich
    • 2
  • Chih-Hung Lin
    • 1
  • Vern Paxson
    • 2
  1. 1.Institute For Information IndustryTaipei CityTaiwan
  2. 2.International Computer Science InstituteBerkeleyUSA

Personalised recommendations