Title
An Experience Developing an IDS Stimulator for the Black-Box Testing of Network Intrusion Detection Systems
Abstract
Signature-based intrusion detection systems use a set of attack descriptions to analyze event streams, looking for evidence of malicious behavior. If the signatures are expressed in a well-defined language, it is possible to analyze the attack signatures and automatically generate events or series of events that conform to the attack descriptions. This approach has been used in tools whose goal is to force intrusion detection systems to generate a large number of detection alerts. The resulting "alert storm" is used to desensitize intrusion detection system administrators and hide attacks in the event stream. We apply a similar technique to perform testing of intrusion detection systems. Signatures from one intrusion detection system are used as input to an event stream generator that produces randomized synthetic events that match the input signatures. The resulting event stream is then fed to a number of different intrusion detection systems and the results are analyzed. This paper presents the general testing approach and describes the first prototype of a tool, called Mucus, that automatically generates network traffic using the signatures of the Snort network-based intrusion detection system. The paper describes preliminary cross-testing experiments with both an open-source and a commercial tool and reports the results. An evasion attack that was discovered as a result of analyzing the test results is also presented.
Year: 2003
DOI: 10.1109/CSAC.2003.1254342
Venue: ACSAC
Keywords: ids stimulator, attack signature, different intrusion detection system, detection system, software testing, evasion attacks, intrusion detection system, event stream, detection system administrator, black-box testing, signature-based intrusion detection system, Snort network-based intrusion detection system, attack description, evasion attack, traffic generation, intrusion detection, network intrusion detection systems, message authentication, black box testing, computer networks
DocType: Conference
ISBN: 0-7695-2041-3
Citations: 42
PageRank: 3.65
References: 10
Authors
3
Name
Order
Citations
PageRank
Darren Mutz153333.58
Giovanni Vigna27121507.72
Richard Kemmerer344925.88