论文信息 - Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection

Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection

Abstract : All currently available network intrusion detection (ID) systems rely upon a mechanism of data collection passive protocol analysis-which is fundamentally flawed. In passive protocol analysis, the intrusion detection system (IDS) unobtrusively watches all traffic on the network, and scrutinizes it for patterns of suspicious activity. We outline in this paper two basic problems with the reliability of passive protocol analysis: (1) there isn't enough information on the wire on which to base conclusions about what is actually happening on networked machines, and (2) the fact that the system is passive makes it inherently "fail-open," meaning that a compromise in the availability of the IDS doesn't compromise the availability of the network. We define three classes of attacks which exploit these fundamentally problems---insertion, evasion and denial of service attacks--and describe how to apply these three types of attacks to IP and TCP protocol analysis. We present the results of tests of the efficacy of our attacks against four of the most popular network intrusion detection systems on the market. All of the ID systems tested were found to be vulnerable to each of our attacks. This indicates that network ID systems cannot be fully trusted until they are fundamentally redesigned.

Thomas Henry Ptacek | Timothy Nakula Newsham | T. Ptacek | Tim Newsham

[1] Mike St. Johns. Authentication server , 1985, RFC.

[2] Alfonso Valdes,et al. Live Traffic Analysis of TCP/IP Gateways , 1998, NDSS.

[3] Randall J. Atkinson,et al. Security Architecture for the Internet Protocol , 1995, RFC.

[4] J. P. Ed,et al. Transmission control protocol- darpa internet program protocol specification , 1981 .

[5] Charles E. Kahn,et al. A common intrusion detection framework , 2000 .

[6] Van Jacobson,et al. TCP Extensions for High Performance , 1992, RFC.

[7] Vern Paxson,et al. End-to-end Internet packet dynamics , 1997, SIGCOMM '97.

[8] Vern Paxson,et al. Bro: a system for detecting network intruders in real-time , 1998, Comput. Networks.

[9] Karl N. Levitt,et al. GrIDS A Graph-Based Intrusion Detection System for Large Networks , 1996 .

[10] Hugo Krawczyk,et al. A Security Architecture for the Internet Protocol , 1999, IBM Syst. J..

[11] Jon Postel,et al. Internet Protocol , 1981, RFC.

[12] Biswanath Mukherjee,et al. A Methodology for Testing Intrusion Detection Systems , 1996, IEEE Trans. Software Eng..

[13] Laurent Joncheray. A Simple Active Attack Against TCP , 1995, USENIX Security Symposium.