Swarm attacks against networks are a current trend. The attacker's aim is not to win immediately but to win in increments, thereby degrading the performance of the IDS.
Although IDSs are tested against misuse patterns, such attacks go beyond what the scanner looks for. One reason could be that repeated activity that never amounts to a violation trains the IDS to accept it as baseline behaviour of the network it is protecting.
Hence the authors Simon P. Chung and Aloysius K. Mok, in their paper "Swarm Attacks against Network-level Emulation/Analysis" (RAID 2008, 11th International Symposium, Cambridge, MA, USA, September 2008, Proceedings), analyze the possibility of breaking into the network by attacking the system incrementally. Their work asks whether the IDS in place will detect such an attack. They implemented an attack of this kind against 8 different systems to see whether the behaviour differs.
The question that arises is this: we have different testing methodologies that concentrate on misuse-based and anomaly-based intrusion detection. If the swarm attack falls under the category of repeating the same attack many times while performing only limited violations each time, it is not a misuse pattern of intrusion detection.
How can the IDS be trained so that it is able to recognize such swarm attacks?
Further, the authors note that, because of the time gap between two steps of the swarm attack, there is a higher probability that even intrusion prevention systems will not identify the trend, so the attack that is in progress evades identification.
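The two points above (the IDS learning repeated low-level activity as baseline, and the time gap between steps hiding the trend) both come down to the correlation window being shorter than the attack. The following is an added example, not code from the paper or from this post, showing one defensive response: keep a per-source sliding window of low-severity events and alert on the cumulative score over a long window, so that events that are individually and short-term harmless still surface as a pattern. The log format, field names, scores and thresholds are constructed for the example.

```python
"""Long-window, per-source correlation of low-severity IDS events.

Added illustration (not from Chung and Mok's paper or the blog post).
Each event scores below the alert threshold on its own, and with a
short correlation window the per-source total never accumulates;
widening the window exposes the incremental pattern.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log: one minor event roughly every 10 minutes from
# 10.0.0.5, plus ordinary one-off events from two other hosts.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z src=10.0.0.5 event=minor_violation score=1
2024-03-01T09:02:00Z src=10.0.0.9 event=minor_violation score=1
2024-03-01T09:10:00Z src=10.0.0.5 event=minor_violation score=1
2024-03-01T09:20:00Z src=10.0.0.5 event=minor_violation score=1
2024-03-01T09:30:00Z src=10.0.0.5 event=minor_violation score=1
2024-03-01T09:35:00Z src=10.0.0.7 event=minor_violation score=1
2024-03-01T09:40:00Z src=10.0.0.5 event=minor_violation score=1
2024-03-01T09:50:00Z src=10.0.0.5 event=minor_violation score=1
"""


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into (ts, src, score) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, kv["src"], int(kv["score"])))
    events.sort()
    return events


def correlate(events, window_seconds, threshold):
    """Return {src: time_of_first_alert} for every source whose summed score
    within any span of window_seconds reaches threshold.

    Events are processed in time order; per source, a deque holds the events
    still inside the window and a running total avoids re-summing.
    """
    windows = defaultdict(deque)   # src -> deque of (ts, score) inside the window
    totals = defaultdict(int)      # src -> sum of scores currently in the deque
    alerts = {}
    for ts, src, score in events:
        q = windows[src]
        q.append((ts, score))
        totals[src] += score
        # Expire events that have fallen out of the window.
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            _, old_score = q.popleft()
            totals[src] -= old_score
        if totals[src] >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    # A one-minute window sees each event in isolation: nothing fires.
    print("60 s window  :", correlate(evs, 60, 5))
    # A one-hour window accumulates the 10.0.0.5 events and alerts at 09:40.
    print("3600 s window:", correlate(evs, 3600, 5))
```

The trade-off a practitioner has to weigh is that a longer window keeps more state per source and raises the chance that unrelated benign events add up to a false alert, so the window and threshold need tuning against the traffic the sensor actually sees.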
Future work, as stated by the authors, is to extend their research extensively on both types of systems to understand what the real-time behavior
RAID - Recent Advances in Intrusion Detection