Authors: Moad Alhamaty , Ali Yazdian , Fathi Al-qadasi

Abstract:

A common way to elude the signature-based Network Intrusion Detection System is based upon changing a recognizable attack to an unrecognizable one via the IDS. For example, in order to evade sign accommodation with intrusion detection system markers, a hacker spilt the payload packet into many small pieces or hides them within messages. In this paper we try to model the main fragmentation attack and create a new module in the intrusion detection architecture system which recognizes the main fragmentation attacks through verification of integrity checking of TCP packet in order to prevent elusion of the system and also to announce the necessary alert to the system administrator.

Keywords: Intrusion detection system, Evasion techniques, Fragmentation attacks, TCP Packet integrity.

Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1330867

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 1799

References:

[1] Mark Handley and Vern Paxson ,"Network Intrusion Detection :Evasion Traffic Normalization, and End-to-End Protocol Semantics. In USENIX Security Symposium, Washington,DC August 2001
[2] InSeon Yoo and Ulrich Ultes-Nitsche,"Towards Run-Time Protocol Anomaly Detection and Verification.2001
[3] Joel Scambray ,Stuart Mcclure and George Kurtz,"Hacking Exposed:Network Security Secrets &Solutions Second Edition 2002.
[4] T.H Ptacek and T.N.Newsham. Insersion,evasion,and denial of service:Eluding network intrusion detection. Technical Report T2R- 0Y6,secure Netowrk,Inc.,Cagary,al-berta,Canda 1998.
[5] Jason Anderson,"An Analysis of Fragmentation attacks", March 15, 2001.
[6] T.H. Ptacek and T.N. Newsham. Custom attack Simulation Language (CASL). Available at www.sockpuppet.org/tqbf/casl.html.
[7] V.Paxson. Bro: a system for detecting network intruders in real-time. Computer Networks, 31(23/24),December 1999.
[8] SHai Rubin, Somesh Jha, and Barton P.Miller, "Automatic Generation and Analysis of NIDS Attacks", University of Wisconsin,Madison Computer Sciences Departemnt. 2004
[9] Ozgur Depren, Murat Topallar, Emin anarim, M.Kemal Ciliz," An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks",Information and Communication Security (BUICS) Lab Bebek ,Istanvul,Turkey 2005.
[10] Matthew V.Mahoney,"Network Traffic Anomaly Detection Based on Packet Bytes", Florida Instite of Technology,Melbourne, Florida.2002
[11] Bharat Goyal,Sriranjani Sitaraman,Srinivasan rishnamurthy,"Intrusion detection system: An Overview" Department of Computer Science University of Texas at Dallas.2003
[12] Network analysis and Porotocl Sniffing .Available at www.networkgeneral.com/Sniffer_Portable_Eval.aspx
[13] Network sinffer and packet builder available at www.sniff-em.com
[14] Packet Builder and attack script runner available at http://www.EngageSecurity.com
[15] IP-tools for attack generator avalible at www.alhacker.com
[16] Scanning and Fragmentation attack tools available at www.securityfocus.com/download/Nmap/
[17] D.Song. Fragroute: a TCP/IP Fragmenter, April 2002. Available at www.monkey.org/~dugsong/fragroute.
[18] MIT University Lab. http://www.ll.mit.edu/IST/ideval/dataset/
[19] G.Ziemba Alantec ,D.Reed,"Security Consideration For IP Fragment Filtering", Cisco Systems "RFC 1858" October 1995.
[20] Sumit Siddharth,"Evading NIDS",6-12-2005. available at www.securityfocus.com/infocus/1852.
[21] Andrew R.Backer ,Brian Caswell ,Mike Poor,"Snort 2.1", Second Edition 2004, Syngress Publisher, Page 248-250.