An Achilles Heel in Signature-Based IDS: Squealing False Positives in SNORT

Author: Samuel Patton

Abstract: We report a vulnerability to network signature-based IDS which we have tested using Snort and call “Squealing”. This has significant implications since it can easily be generalized any IDS. The of high false positive rates been well-documented but go further show (at level) how packets crafted match attack signatures such that alarms on target conditioned or disabled then exploited. is the first academic treatment this already reported CERT Coordination Center National Infrastructure Protection Center. Independently, other tools based “squealing” are poised appear that, while validating our ideas, also gives cause for concern. keywords: squealing, positive, intrusion detection, IDS, signature-based, misuse behavior, snort
