Abstract
Intrusion Detection Systems (IDSs) are necessary components in the defense of any computer network. Network administrators rely on IDSs to detect attacks, but ultimately it is their responsibility to investigate IDS alerts and determine the damage done. With the number of alerts increasing, IDS analysts have turned to automated methods to help with alert verification. This research investigates this next step of the intrusion detection process. Some alert verification mechanisms attempt to identify successful intrusion attempts based on server responses and protocol analysis. This research examines the server responses generated by four different exploits across four different Linux distributions. Next, three techniques capable of forging server responses on Linux operating systems are developed and implemented. This research shows that these new alert verification evasion methods can make attacks appear unsuccessful even though the exploitation occurs. This type of attack ignores detection and tries to evade the verification process.
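The abstract describes alert verification that judges an exploit's success from the server's response, and forged responses that make a successful exploit look failed. The following added example (not the paper's code; all sessions are constructed sample data and the IMAP-style failure markers are an assumption) shows a response-based verifier and why a defender should combine it with independent host evidence rather than closing an alert on a benign-looking reply alone.

```python
"""Response-based alert verification and its blind spot (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Session:
    alert_sig: str                       # IDS signature that fired (constructed)
    server_response: Optional[bytes]     # first bytes sent back after the payload
    host_events: List[str] = field(default_factory=list)  # independent host telemetry


# Protocol-level "attack failed" patterns a response-only verifier relies on.
# Constructed example: IMAP4-style tagged BAD/NO replies.
FAILURE_MARKERS = (b" BAD ", b" NO ", b"Invalid command")

# Host-side signals that outrank anything the (forgeable) network response says.
COMPROMISE_EVENTS = {"new_listener", "spawned_shell"}


def response_verdict(resp: Optional[bytes]) -> str:
    """Classify using only what the server said: this is the forgeable signal."""
    if resp is None:
        return "no_response"            # service crashed or hung
    if any(marker in resp for marker in FAILURE_MARKERS):
        return "looks_failed"           # exactly what a forged response imitates
    return "anomalous"                  # neither a protocol error nor silence


def verify(session: Session) -> str:
    """Combine the response verdict with host evidence before declaring failure."""
    if COMPROMISE_EVENTS & set(session.host_events):
        return "successful"             # host evidence wins over a benign reply
    verdict = response_verdict(session.server_response)
    if verdict in ("looks_failed", "no_response"):
        return "unconfirmed"            # a normal-looking reply is not proof of failure
    return "likely_successful"


def triage(sessions: List[Session]) -> dict:
    """Return a {alert_sig: verdict} map for a batch of sessions."""
    return {s.alert_sig: verify(s) for s in sessions}
```

The key point is that a "looks_failed" response never closes the alert by itself; only the absence of host evidence plus the reply keeps it in the "unconfirmed" queue for an analyst.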
© 2007 Springer-Verlag Berlin Heidelberg
Todd, A.D., Raines, R.A., Baldwin, R.O., Mullins, B.E., Rogers, S.K. (2007). Alert Verification Evasion Through Server Response Forging. In: Kruegel, C., Lippmann, R., Clark, A. (eds) Recent Advances in Intrusion Detection. RAID 2007. Lecture Notes in Computer Science, vol 4637. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74320-0_14
DOI: https://doi.org/10.1007/978-3-540-74320-0_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-74319-4
Online ISBN: 978-3-540-74320-0
eBook Packages: Computer Science (R0)