Authors Sean McAllister, Engin Kirda and Christopher Kruegel, in their paper "Leveraging User Interactions for In-Depth Testing of Web Applications", describe a new scanner (automated testing tool) they built for detecting web application vulnerabilities such as reflected and stored cross-site scripting.
Their claim is that the new tool is able to identify more defects than existing scanners. This is because it can generate a larger number of test cases, which in turn gives greater test-scenario coverage of the web application.
In their evaluation they tested three applications with three existing scanners alongside their own: Burp Spider, w3af spider and Acunetix Web Vulnerability Scanner. They concentrated on a blogging application, a forum application and an online shopping application.
The authors feel that black-box testing is often inefficient because the scanner lacks the ability to reach all the pages that need to be tested. Their tool, by contrast, stores the values a user keyed in and reuses them to reach those deeper pages of the application and check that no vulnerability can be injected there.
To make the tool test the application more deeply, they adopt two techniques: guided fuzzing and stateful fuzzing.
In guided fuzzing, the tool stores the valid values previously entered by the user, replays them to reach the page again, and checks whether any injection is possible there. They also use an extended fuzzing concept in which the recorded data is used extensively to dig even deeper into the application. Stateful fuzzing was built to ensure that use cases are not repeated often, since guided fuzzing requires re-executing them to test the application; the authors call these repetitions undesirable side-effects.
They seem to be happy with what they have produced and mention no extension to their current work.
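To make the two techniques concrete, here is an added example (not code from the paper or its authors) in Python. It builds a constructed toy forum with a login form and a post form that is only reachable with a valid session, then runs a fuzzer that (a) replays the user's recorded valid inputs to stand on the deeper page before probing it, which is the guided fuzzing idea, and (b) snapshots the application state before each test case and restores it afterwards, which is the stateful fuzzing idea for avoiding side-effects. The probe marker, the class names and the toy application are all assumptions of this example; the title sink is deliberately left unescaped so that the scanner has something to find.

```python
import copy
import html

PROBE = "GuidedFuzzProbe<>"  # constructed marker; a safe sink would escape the "<>"


class ToyForumApp:
    """Constructed toy forum (assumption of this example): a login form and a
    post form behind it.  The post form is reachable only with a valid
    session, which is the situation a blind black-box crawler cannot get past."""

    def __init__(self):
        self.state = {"users": {"alice": "s3cret"}, "posts": [],
                      "sessions": {}, "next_sid": 1}

    def snapshot(self):
        return copy.deepcopy(self.state)

    def restore(self, snap):
        self.state = copy.deepcopy(snap)

    def handle(self, path, params, session=None):
        """Returns (status, response body, new session id or None)."""
        st = self.state
        if path == "/login":
            if st["users"].get(params.get("user")) == params.get("password"):
                sid = f"sid{st['next_sid']}"
                st["next_sid"] += 1
                st["sessions"][sid] = params["user"]
                return 302, "", sid
            return 200, "Login failed", None
        if path == "/post":
            if session not in st["sessions"]:
                return 403, "Forbidden", None
            title = params.get("title", "")
            body = params.get("body", "")
            st["posts"].append((title, body))  # persistent side effect of every test
            # Deliberately weak sink for the demo: title is echoed unescaped,
            # body goes through html.escape.
            return 200, f"<h1>{title}</h1><p>{html.escape(body)}</p>", None
        return 404, "Not found", None


class GuidedStatefulFuzzer:
    def __init__(self, app, recorded_steps):
        self.app = app
        self.steps = recorded_steps  # (path, params) pairs observed from a real user

    def replay(self, upto):
        """Guided fuzzing: re-send the user's valid inputs for steps 0..upto-1
        so the fuzzer reaches the same page the user reached."""
        session = None
        for path, params in self.steps[:upto]:
            _, _, new_session = self.app.handle(path, params, session)
            session = new_session or session
        return session

    def fuzz(self, restore_state=True):
        """Probe every parameter of every recorded step; with restore_state the
        application is rolled back after each test case (stateful fuzzing)."""
        findings = []
        for i, (path, params) in enumerate(self.steps):
            for name in params:
                snap = self.app.snapshot()
                session = self.replay(i)
                mutated = dict(params, **{name: PROBE})
                _, body, _ = self.app.handle(path, mutated, session)
                if PROBE in body:
                    findings.append((path, name))
                if restore_state:
                    self.app.restore(snap)
        return findings


def blind_fuzz(app, steps):
    """Baseline without recorded values: each form is probed with no session."""
    findings = []
    for path, params in steps:
        for name in params:
            _, body, _ = app.handle(path, dict(params, **{name: PROBE}))
            if PROBE in body:
                findings.append((path, name))
    return findings


RECORDED_STEPS = [  # constructed user session
    ("/login", {"user": "alice", "password": "s3cret"}),
    ("/post", {"title": "Hello", "body": "first post"}),
]

if __name__ == "__main__":
    app = ToyForumApp()
    print("blind:", blind_fuzz(app, RECORDED_STEPS))
    print("guided:", GuidedStatefulFuzzer(app, RECORDED_STEPS).fuzz())
    print("posts left behind:", len(app.state["posts"]))
```

The blind baseline finds nothing because it never gets past the 403 on /post; the guided run reaches the post form and reports the unescaped title parameter, and because each test case is rolled back the forum ends with no fuzz-generated posts. Running fuzz(restore_state=False) leaves one post per probe behind, which is exactly the side-effect the stateful variant is meant to prevent.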
Friday, November 6, 2009
Swarm attacks
Swarm attacks against networks are a trend these days: the attacker's aim is not to win immediately but to win in increments, which results in performance degradation of the IDS.
Though IDSs are tested for misuse patterns, such attacks go beyond what the scanner covers. One reason could be that repeated activity without any violation trains the IDS to accept it as the baseline behavior of the network it is protecting.
Hence the authors Simon P. Chung and Aloysius K. Mok, in their paper "Swarm Attacks against Network-level Emulation/Analysis" (11th International Symposium, RAID 2008, Cambridge, MA, USA, September 2008 Proceedings), analyze the possibility of breaking into the network by attacking the system incrementally. Their work is to understand whether the IDS in place detects such an attack. They implemented an attack of this kind against 8 different systems to see whether the behavior differs.
The question that arises is this: we have different testing methodologies that concentrate on misuse-based and anomaly-based intrusion detection. If the swarm attack falls under the category of repeating the same attack many times while performing only limited violations, it is not a misuse pattern for intrusion detection.
How can the IDS be trained so that it is able to recognize such swarm attacks?
Further, the authors note that, because of the time gap between two steps of the swarm attack, there is a higher probability that even intrusion prevention systems will not identify the trend, so the ongoing attack evades identification.
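The detection question raised above is easiest to see on data. The following is an added example, not from the paper or its authors, written from the defender's side: a constructed sensor log in which one host drips a low-severity event every ten minutes, with long gaps between steps. A classic short-window rate rule never fires on it, while a per-source score with a long decay half-life accumulates the increments and eventually crosses its threshold, without firing on a host that produces only a couple of sporadic events. The log format, the weights, the half-life and the thresholds are all assumptions of this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sensor log (assumption): each line is one low-severity event that
# on its own would not justify an alert.  10.0.0.7 sends one event every ten
# minutes (the incremental pattern); 10.0.0.9 is a sporadic but benign host.
SAMPLE_LOG = """\
2009-11-06T10:00:00 src=10.0.0.7 weight=1 note=odd-fragment
2009-11-06T10:05:00 src=10.0.0.9 weight=1 note=odd-fragment
2009-11-06T10:10:00 src=10.0.0.7 weight=1 note=odd-fragment
2009-11-06T10:20:00 src=10.0.0.7 weight=1 note=odd-fragment
2009-11-06T10:30:00 src=10.0.0.7 weight=1 note=odd-fragment
2009-11-06T10:35:00 src=10.0.0.9 weight=1 note=odd-fragment
2009-11-06T10:40:00 src=10.0.0.7 weight=1 note=odd-fragment
2009-11-06T10:50:00 src=10.0.0.7 weight=1 note=odd-fragment
2009-11-06T11:00:00 src=10.0.0.7 weight=1 note=odd-fragment
"""


def parse_log(text):
    """Turn the constructed log into (timestamp, source, weight) tuples."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), kv["src"], float(kv["weight"])))
    return events


def short_window_alerts(events, window=timedelta(minutes=1), threshold=5):
    """Classic rate rule: alert when a source produces `threshold` events
    inside `window`.  Widely spaced increments never trip it."""
    recent = defaultdict(deque)
    alerts = []
    for ts, src, _ in events:
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((src, ts.isoformat()))
            q.clear()
    return alerts


def decaying_score_alerts(events, half_life=timedelta(hours=2), threshold=5.0):
    """Long-horizon rule: one score per source that decays with a long
    half-life and grows with every event.  Patient, incremental activity still
    accumulates, while genuinely sporadic hosts never reach the threshold."""
    score, last_seen, alerts = {}, {}, []
    for ts, src, weight in events:
        if src in last_seen:
            elapsed = (ts - last_seen[src]) / half_life  # in half-lives
            score[src] *= 0.5 ** elapsed
        else:
            score[src] = 0.0
        score[src] += weight
        last_seen[src] = ts
        if score[src] >= threshold:
            alerts.append((src, ts.isoformat()))
            score[src] = 0.0  # reset so one campaign yields one alert
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("short window:", short_window_alerts(evs))
    print("decaying score:", decaying_score_alerts(evs))
```

With these settings the rate rule stays silent for the whole hour, whereas the decaying score for 10.0.0.7 passes 5 on its sixth event (at 10:50) and the benign host peaks below 2. The trade-off is memory: the long-horizon rule has to keep state per source for hours, which is the cost the IDS pays for seeing across the time gaps the authors describe.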
Future work as quoted by the authors is that they want to extend their research extensively on both types of systems to understand what the real time behavior
RAID - Recent Advances in Intrusion Detection
An overview of testing issues in IDS
The paper gives a list of possible measurements that could be obtained by testing an IDS.
Centres currently spending effort on testing IDSs include the following:
1. University of California at DAVIS
2. IBM Zurich
3. MIT Lincoln Laboratory
4. Air Force Research Laboratory
5. MITRE
6. Neohapsis/ Network-Computing
7. The NSS Group
8. Network World Fusion
The challenges quoted include the following:
1. Difficulties in Collecting Attack Scripts and Victim Software
2. Differing Requirements for Testing Signature Based vs. Anomaly Based IDSs
3. Differing Requirements for Testing Network Based vs. Host Based IDSs
4. Four Approaches to Using Background Traffic in IDS Tests
- Testing using no background traffic/logs
- Testing using real traffic/logs
- Testing using sanitized traffic/logs
- Testing by generating traffic on a testbed network
Recommendations
1. Shared Datasets
2. Attack Traces
3. Cleansing Real Data
4. Sensor and Detector Alert Datasets
5. Real-life performance metrics
6. New Technologies
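The recommendations on attack traces and real-life performance metrics come together when a test run is scored. The following is an added example, not from the paper: a small scorer that takes a constructed ground-truth list of attacks (name, time window, source) and a constructed list of alerts from the IDS under test, matches each alert to an attack by source and time (with a short grace period after the attack ends), and reports detection rate, false alarms per hour and which attacks were missed. The matching rule, the grace period and the sample data are assumptions of this example rather than anything the paper specifies.

```python
from datetime import datetime, timedelta

# Constructed ground truth for a 4-hour test run: (attack, start, end, source)
GROUND_TRUTH = [
    ("scan-1", "2009-11-06T09:00:00", "2009-11-06T09:05:00", "10.0.0.7"),
    ("bruteforce-1", "2009-11-06T10:00:00", "2009-11-06T10:30:00", "10.0.0.8"),
    ("exploit-1", "2009-11-06T12:00:00", "2009-11-06T12:02:00", "10.0.0.9"),
]
# Constructed alerts from the IDS under test: (timestamp, source)
ALERTS = [
    ("2009-11-06T09:01:30", "10.0.0.7"),
    ("2009-11-06T09:02:10", "10.0.0.7"),  # second alert for the same attack
    ("2009-11-06T09:40:00", "10.0.0.5"),  # nothing in ground truth: false alarm
    ("2009-11-06T10:31:00", "10.0.0.8"),  # just after the end, inside the grace period
    ("2009-11-06T11:15:00", "10.0.0.7"),  # false alarm
]
TEST_DURATION_HOURS = 4.0


def score_run(ground_truth, alerts, duration_hours, grace=timedelta(minutes=2)):
    """Match alerts to attacks and return the usual IDS test metrics.

    An alert counts for an attack when the source matches and the alert time
    falls inside [start, end + grace].  Several alerts for one attack count as
    one detection; alerts matching nothing are false alarms."""
    attacks = [(name, datetime.fromisoformat(s), datetime.fromisoformat(e), src)
               for name, s, e, src in ground_truth]
    alerts_per_attack = {name: 0 for name, *_ in attacks}
    false_alarms = 0
    for ts_text, src in alerts:
        ts = datetime.fromisoformat(ts_text)
        matched = [name for name, start, end, asrc in attacks
                   if asrc == src and start <= ts <= end + grace]
        if matched:
            alerts_per_attack[matched[0]] += 1
        else:
            false_alarms += 1
    detected = [n for n, count in alerts_per_attack.items() if count > 0]
    missed = [n for n, count in alerts_per_attack.items() if count == 0]
    return {
        "detection_rate": len(detected) / len(attacks) if attacks else 0.0,
        "false_alarms_per_hour": false_alarms / duration_hours,
        "detected": detected,
        "missed": missed,
        "alerts_per_attack": alerts_per_attack,
    }


if __name__ == "__main__":
    for key, value in score_run(GROUND_TRUTH, ALERTS, TEST_DURATION_HOURS).items():
        print(f"{key}: {value}")
```

On the sample data two of three attacks are detected (the duplicate alert for scan-1 is counted once), the exploit is missed, and the two unmatched alerts give 0.5 false alarms per hour. Reporting alerts_per_attack separately from the detection rate is deliberate: an IDS that floods a console with alerts for one attack looks no better on detection rate but costs the analyst more, which is what the "real-life performance metrics" recommendation is about.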