2002
DOI: 10.1007/3-540-36084-0_4

Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits

Abstract: Over the past decade many anomaly-detection techniques have been proposed and/or deployed to provide early warnings of cyberattacks, particularly of those attacks involving masqueraders and novel methods. To date, however, there appears to be no study which has identified a systematic method that could be used by an attacker to undermine an anomaly-based intrusion detection system. This paper shows how an adversary can craft an offensive mechanism that renders an anomaly-based intrusion detector blin…

Cited by 133 publications (94 citation statements)
References 9 publications

Citation statements:
“…A variety of anomaly detection methods utilizing this approach has been proposed [5][6][7][8][9][10][11]. Forrest [5], for example, introduced a simple anomaly detection method based on monitoring the system calls issued by privileged processes.…”
Section: Anomaly Detection Systems (mentioning, confidence: 99%)
“…The seminal research on mimicry [9,24] and evasion attacks [20][21][22] demonstrated a critical shortcoming of model-based anomaly detection. Attackers can avoid detection by altering their attacks to appear as a program's normal execution.…”
Section: Related Work (mentioning, confidence: 99%)
“…Mimicry and evasion attacks avoid detection by transforming an attack sequence of system calls so that it is accepted by a program model yet still carries out the same malicious action. Previous research found examples of mimicry attacks against high-privilege processes restricted by a model-based detector [20][21][22][24]. However, the attacks were constructed manually by iterating between an attack sequence and a program model until the attack could be made to appear normal.…”
Section: Introduction (mentioning, confidence: 99%)
“…Several researchers have pointed out the need to include the resistance against attacks as part of the evaluation of an IDS [25,27,11,34,29,30,13]. However, the traditional evaluation metrics are based on ideas mainly developed for non-security-related fields and therefore they do not take into account the role of an adversary and the evaluation of the system against this adversary.…”
Section: Introduction (mentioning, confidence: 99%)