Chapter 16 - IDS Evasion

The purpose of this chapter is to explain how intrusion detection systems (IDSs) work and how they can be evaded. One of the laws of security is that all signature-based detection mechanisms can be bypassed. This is as true for IDS signatures as it is for virus signatures. An IDS has all the problems of a virus scanner, plus the job of modeling network state; it must operate at several layers simultaneously, and it can be fooled at each of those layers. This chapter covers techniques for evading IDSs, which include playing games at the packet level and the application level, and morphing the machine code. Each of these techniques can be used individually, or in combination, to evade detection by an IDS. The chapter presents several examples of how an attack might evade detection. These systems typically trigger on events by comparing network activity against an attack signature database. If a match is made, an alert is raised and logged for future reference. It is the makeup of this signature database that is the weak point of these systems.
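As an added illustration of the point above (example code written for this page, not from the book), the block below contrasts two toy signature matchers over constructed HTTP request fragments. The signature database, the packet samples and the function names are all invented for the example. `naive_match` inspects each packet on its own, which is the per-packet view the chapter says can be fooled at the packet and application layers; `robust_match` first reassembles the stream and normalizes the payload (percent-decoding once and collapsing `/./` segments), which is what a detection engineer needs to do before pattern matching has any chance of being reliable.

```python
import re
from typing import Iterable, List

# Constructed signature "database": rule name -> regex over the payload.
# Both rules are invented for this example.
SIGNATURES = {
    "traversal": re.compile(r"\.\./"),
    "shell-ref": re.compile(r"/bin/sh"),
}


def naive_match(packets: Iterable[bytes]) -> List[str]:
    """Match each packet in isolation: no reassembly, no decoding.

    This mirrors a signature engine that does not model network state.
    """
    hits: List[str] = []
    for packet in packets:
        text = packet.decode("latin-1")
        for name, rx in SIGNATURES.items():
            if rx.search(text) and name not in hits:
                hits.append(name)
    return hits


def normalize(stream: bytes) -> str:
    """Canonicalize a reassembled application payload before matching.

    - percent-decode each %XX escape once
    - collapse '/./' path segments
    Real IDS normalizers do much more (chunking, charsets, double encoding);
    this is the minimum needed to make the constructed samples comparable.
    """
    text = stream.decode("latin-1")
    text = re.sub(r"%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), text)
    text = text.replace("/./", "/")
    return text


def robust_match(packets: Iterable[bytes]) -> List[str]:
    """Reassemble the stream (in-order join, a simplification), normalize,
    then run the same signature set over the whole payload."""
    stream = b"".join(packets)
    text = normalize(stream)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


# Constructed sample traffic (not captured data).
SPLIT = [b"GET /..", b"/etc/passwd HTTP/1.0\r\n"]          # pattern straddles packets
ENCODED = [b"GET /%2e%2e/etc/passwd HTTP/1.0\r\n"]           # pattern hidden by encoding
CLEAN = [b"GET /index.html HTTP/1.0\r\n"]                    # benign request


if __name__ == "__main__":
    for label, sample in (("split", SPLIT), ("encoded", ENCODED), ("clean", CLEAN)):
        print(f"{label:8s} naive={naive_match(sample)} robust={robust_match(sample)}")
```

The lesson for a defender is that a signature is only as good as the view of the traffic it is applied to: the same rule misses the split and encoded samples when matched per packet and catches both once the engine reassembles and canonicalizes, while the benign request triggers neither matcher.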