Testing network-based intrusion detection signatures using mutant exploits
Source: Conference on Computer and Communications Security archive; Proceedings of the 11th ACM conference on Computer and communications security, Washington DC, USA
Session: Network intrusions
Pages: 21-30
Year of Publication: 2004
ISBN: 1-58113-961-6
Authors:
Giovanni Vigna  University of California, Santa Barbara, CA
William Robertson  University of California, Santa Barbara, CA
Davide Balzarotti  Reliable Software Group and University of California, Santa Barbara, CA
Sponsors:
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery
Publisher:
ACM, New York, NY, USA
Bibliometrics:
Downloads (6 Weeks): 37; Downloads (12 Months): 235; Citation Count: 12
DOI: http://doi.acm.org/10.1145/1030083.1030088

ABSTRACT

Misuse-based intrusion detection systems rely on models of attacks to identify the manifestation of intrusive behavior. Therefore, the ability of these systems to reliably detect attacks is strongly affected by the quality of their models, which are often called "signatures." A perfect model would be able to detect all the instances of an attack without making mistakes, that is, it would produce a 100% detection rate with 0 false alarms. Unfortunately, writing good models (or good signatures) is hard. Attacks that exploit a specific vulnerability may do so in completely different ways, and writing models that take into account all possible variations is very difficult. For this reason, it would be beneficial to have testing tools that are able to evaluate the "goodness" of detection signatures. This work describes a technique to test and evaluate misuse detection models in the case of network-based intrusion detection systems. The testing technique is based on a mechanism that generates a large number of variations of an exploit by applying mutant operators to an exploit template. These mutant exploits are then run against a victim host protected by a network-based intrusion detection system. The results of the systems in detecting these variations provide a quantitative basis for the evaluation of the quality of the corresponding detection model.
