Controlling Intrusion Detection Systems by Generating False Positives: Squealing Proof-of-Concept
Author
Abstract
We introduce a new class of attack against a network signature-based Intrusion Detection System (IDS) which we have tested using SNORT and we call “Squealing”. This vulnerability has significant implications since it can be generalized to any IDS. While signature-based IDSs have implementation problems with high false positive rates that require tuning, we show a more serious general vulnerability in that packets can be crafted to match attack signatures such that alarms can be selectively triggered allowing a target IDS to be externally controlled by a malicious attacker.
Similar sources
An Achilles’ Heel in Signature-Based IDS: Squealing False Positives in SNORT
We report a vulnerability to network signature-based IDS which we have tested using Snort and we call “Squealing”. This vulnerability has significant implications since it can easily be generalized to any IDS. The vulnerability of signature-based IDS to high false positive rates has been well-documented but we go further to show (at a high level) how packets can be crafted to match attack signat...
A Novel Signature-based Traffic Classification Engine to Reduce False Alarms in Intrusion Detection Systems
Pattern matching plays a significant role in ascertaining network attacks and the foremost prerequisite for a trusted intrusion detection system (IDS) is accurate pattern matching. During the pattern matching process packets are scanned against a pre-defined rule sets. After getting scanned, the packets are marked as alert or benign by the detection system. Sometimes the detection system genera...
Log Correlation for Intrusion Detection: A Proof of Concept
Intrusion detection is an important part of networked systems security protection. Although commercial products exist, finding intrusions has proven to be a difficult task with limitations under current techniques. Therefore, improved techniques are needed. We argue the need for correlating data among different logs to improve intrusion detection systems accuracy. We show how different attacks a...
Protecting a Moving Target: Addressing Web Application Concept Drift
Because of the ad hoc nature of web applications, intrusion detection systems that leverage machine learning techniques are particularly well-suited for protecting websites. The reason is that these systems are able to characterize the applications’ normal behavior in an automated fashion. However, anomaly-based detectors for web applications suffer from false positives that are generated whene...
High Order Non-stationary Markov Models and Anomaly Propagation Analysis in Intrusion Detection System (IDS)
A new concept targeted to decrease false positive rates of anomaly based intrusion detection operating in the system call domain is proposed. To mitigate false positives, network based correlation of collected anomalies from different hosts is suggested, as well as a new means of host-based anomaly detection. The concept of anomaly propagation is based on the premise that false alarms do not pr...
Publication date: 2002