Title: Evasion Techniques: Sneaking through Your Intrusion Detection/Prevention Systems
Authors: Cheng, Tsung-Huan
Lin, Ying-Dar
Lai, Yuan-Cheng
Lin, Po-Ching
Department of Computer Science
Keywords: IDS/IPS;evasion;attacks;signature
Issue Date: 2012
Abstract: Detecting attacks disguised by evasion techniques is a challenge for signature-based Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs). This study examines five common evasion techniques to determine their ability to evade recent systems. The denial-of-service (DoS) attack attempts to disable a system by exhausting its resources. Packet splitting tries to chop data into small packets, so that a system may not completely reassemble the packets for signature matching. Duplicate insertion can mislead a system if the system and the target host discard different TCP/IP packets with a duplicate offset or sequence. Payload mutation fools a system with a mutative payload. Shellcode mutation transforms an attacker's shellcode to escape signature detection. This study assesses the effectiveness of these techniques on three recent signature-based systems, and among them, explains why Snort can be evaded. The results indicate that duplicate insertion becomes less effective on recent systems, but packet splitting, payload mutation and shellcode mutation can be still effective against them.
URI: http://hdl.handle.net/11536/21310
ISSN: 1553-877X
DOI: 10.1109/SURV.2011.092311.00082
Volume: 14
Issue: 4
Begin Page: 1011
End Page: 1020
Appears in Collections:Articles

Files in This Item:

  1. 000315392500005.pdf