
Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits

Conference paper. In: Recent Advances in Intrusion Detection (RAID 2002).

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2516)

Abstract

Over the past decade many anomaly-detection techniques have been proposed or deployed to provide early warnings of cyber-attacks, particularly attacks involving masqueraders and novel methods. To date, however, there appears to be no study that has identified a systematic method an attacker could use to undermine an anomaly-based intrusion detection system. This paper shows how an adversary can craft an offensive mechanism that renders an anomaly-based intrusion detector blind to the presence of ongoing, common attacks. It presents a method that identifies the weaknesses of an anomaly-based intrusion detector, and shows how an attacker can manipulate common attacks to exploit those weaknesses. The paper explores the implications of this threat, and suggests possible improvements for existing and future anomaly-based intrusion detection systems.



Copyright information

© 2002 Springer-Verlag Berlin Heidelberg

Cite this paper

Tan, K.M.C., Killourhy, K.S., Maxion, R.A. (2002). Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits. In: Wespi, A., Vigna, G., Deri, L. (eds) Recent Advances in Intrusion Detection. RAID 2002. Lecture Notes in Computer Science, vol 2516. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36084-0_4

  • DOI: https://doi.org/10.1007/3-540-36084-0_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-00020-4

  • Online ISBN: 978-3-540-36084-1
