Simulating Concurrent Intrusions for Testing Intrusion Detection Systems: Parallelizing Intrusions

For testing Intrusion Detection Systems (IDS), it is essential that we be able to simulate intrusions in different forms (both sequential and parallelized) in order to comprehensively test and evaluate the detection capability of an IDS. This paper presents an algorithm for automatically transforming a sequential intrusive script into a set of parallel intrusive scripts (formed by a group of parallel threads) which simulate a concurrent intrusion. The main goal of parallelizing an intrusion is to distract an IDS's attention away from the intrusive activity. We identify constraints on the execution order among commands, and the way commands can be classified based on the effect of their execution. Synchronization and communication mechanisms are used to guarantee that the execution order among commands is preserved even under the parallelized scenario. We show that, experimentally, our work constitutes a major part of testing the ability of an IDS to detect intrusions and is especially useful for the users and developers of IDSs. We show that an intrusion is less likely to be detected if the suspicious activity is distributed over several sessions. Finally, we discuss some aspects of parallelizing intrusive scripts, including some practical difficulties that are open problems for future research.
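The abstract's experimental finding is that the same intrusive activity, spread over several concurrent sessions, is less likely to be detected than when it runs in one session. The following added example (not code from the paper) shows the detection-side reason in miniature: a counter that keys alerts on the session identifier misses the distributed variant, while the same counter keyed on the user spanning all of that user's sessions still fires. The audit records, the event labels in `SUSPICIOUS`, the 60-second window and the threshold of three events are all constructed for the illustration and are not values from the paper.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    ts: float       # seconds since some epoch (constructed values below)
    user: str       # account the command ran under
    session: str    # login session identifier
    kind: str       # coarse event class assigned by the audit source


# Constructed event classes treated as suspicious by the toy rule.
SUSPICIOUS = {"setuid_probe", "passwd_read", "shell_spawn"}


def _windowed_hits(events, key, window, threshold):
    """Return the set of keys that accumulate >= threshold suspicious
    events inside any sliding window of `window` seconds."""
    stamps_by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind in SUSPICIOUS:
            stamps_by_key[key(e)].append(e.ts)
    alerts = set()
    for k, stamps in stamps_by_key.items():
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits within `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.add(k)
                break
    return alerts


def per_session_alerts(events, window=60.0, threshold=3):
    """Naive rule: each login session is scored on its own."""
    return _windowed_hits(events, lambda e: e.session, window, threshold)


def per_user_alerts(events, window=60.0, threshold=3):
    """Correlating rule: all sessions of one user are scored together."""
    return _windowed_hits(events, lambda e: e.user, window, threshold)


# Constructed sequential script: three suspicious commands in one session.
SEQUENTIAL = [
    AuditEvent(0.0, "alice", "s1", "login"),
    AuditEvent(5.0, "alice", "s1", "setuid_probe"),
    AuditEvent(12.0, "alice", "s1", "passwd_read"),
    AuditEvent(20.0, "alice", "s1", "shell_spawn"),
]

# Constructed parallelized variant: the same commands, one per session,
# with the original relative ordering preserved across sessions.
PARALLEL = [
    AuditEvent(0.0, "alice", "s1", "login"),
    AuditEvent(0.5, "alice", "s2", "login"),
    AuditEvent(1.0, "alice", "s3", "login"),
    AuditEvent(5.0, "alice", "s1", "setuid_probe"),
    AuditEvent(12.0, "alice", "s2", "passwd_read"),
    AuditEvent(20.0, "alice", "s3", "shell_spawn"),
]


if __name__ == "__main__":
    print("sequential, per-session:", per_session_alerts(SEQUENTIAL))
    print("parallel,   per-session:", per_session_alerts(PARALLEL))
    print("parallel,   per-user:   ", per_user_alerts(PARALLEL))
```

Running the script shows `{'s1'}` for the sequential case under the per-session rule, an empty set for the parallelized case under the same rule, and `{'alice'}` for the parallelized case once sessions are correlated by user. The design point for an IDS developer is that the aggregation key, not only the threshold, decides whether a distributed intrusion is visible; keys such as the user, the source host or the target object survive session splitting, while the session identifier does not.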
