Tuesday, January 26, 2010

Characterization and Solution to A Stateful IDS Evasion

Issam Aib, Tung Tran, and Raouf Boutaba
University of Waterloo, Waterloo, ON, Canada
(iaib, t3tran, rboutaba)@uwaterloo.ca
2009 29th IEEE International Conference on Distributed Computing Systems

In this paper, the authors discuss the concept of signature evasion, in which an attacker deliberately tampers with the flow state the IDS has stored for a regular session in order to complete an attack unnoticed.

The authors explain this concept through an FTP session intrusion. The steps (states) involved in authenticating a normal user and an admin user are encoded as a rule set. Here, the authors show that a normal user, by following his or her own sequence of states, can end up accessing a file that he or she is not authorized to view, and that this is possible without raising any alarm.

Among the set of rules defined for a specific operation, if a fake network packet (a spoofed packet in the example scenario) can trigger a signature on its own, then that signature is considered evasive (i.e. something that can be deceived easily).

Thus, in order to address such a scenario, they have come up with an algorithm based on deterministic finite automata, i.e. using the states of the flow so that an alarm is raised at the right point in the flow rather than as a false positive.

The set of rules defined for a specific flow of operation may contain both an evasive rule (one that can be triggered by a spoofed packet) and a target rule (the one that actually identifies the attack).
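To make the stateful idea concrete, here is an added toy example (my own code, not from the paper) that contrasts a naive tracker, which trusts the most recent USER line it has seen, with a small deterministic finite automaton that only follows transitions valid for its current state. The FTP states, the command lines, the user names, the restricted path prefix and the three sessions are all constructed for this illustration; server responses are omitted, and in this toy a USER command is only accepted in the initial state, so a stray USER line arriving mid-session cannot displace the stored flow state.

```python
# Toy stateful FTP session tracker (constructed example, not the paper's code).
# States of the hypothetical automaton:
INIT, USER_SENT_USER, USER_SENT_ADMIN, USER_AUTHED, ADMIN_AUTHED, ALERT = range(6)

# Constructed policy: only these users may fetch files under this prefix.
ADMIN_USERS = {"admin"}
RESTRICTED_PREFIX = "/admin/"


def step(state, line):
    """Single DFA transition. A line that has no valid transition from the
    current state is ignored, so the tracked state is not displaced by it."""
    verb, _, arg = line.partition(" ")
    if state == INIT and verb == "USER":
        return USER_SENT_ADMIN if arg in ADMIN_USERS else USER_SENT_USER
    if state == USER_SENT_USER and verb == "PASS":
        return USER_AUTHED
    if state == USER_SENT_ADMIN and verb == "PASS":
        return ADMIN_AUTHED
    # Target rule: a normally authenticated user fetching a restricted file.
    if state == USER_AUTHED and verb == "RETR" and arg.startswith(RESTRICTED_PREFIX):
        return ALERT
    if state in (USER_AUTHED, ADMIN_AUTHED) and verb == "QUIT":
        return INIT
    return state  # no valid transition: keep the current state


def run_dfa(lines):
    """Feed a session through the DFA; return the lines that raised an alert."""
    state, alerts = INIT, []
    for line in lines:
        state = step(state, line)
        if state == ALERT:
            alerts.append(line)
            state = USER_AUTHED  # the session stays a normal-user session
    return alerts


def run_naive(lines):
    """Naive tracker: remembers whatever USER line it saw last, regardless of
    where in the session it appeared. This is the evasive behaviour."""
    current_user, alerts = None, []
    for line in lines:
        verb, _, arg = line.partition(" ")
        if verb == "USER":
            current_user = arg
        elif (verb == "RETR" and arg.startswith(RESTRICTED_PREFIX)
              and current_user not in ADMIN_USERS):
            alerts.append(line)
    return alerts


# Constructed sessions (client commands only).
NORMAL_ACCESS = ["USER alice", "PASS secret", "RETR /admin/config"]
ADMIN_ACCESS = ["USER admin", "PASS secret", "RETR /admin/config"]
# A normal-user session with an out-of-sequence USER line injected before the RETR.
TAMPERED = ["USER alice", "PASS secret", "USER admin", "RETR /admin/config"]


def compare_sessions():
    """Return {session name: (naive alerts, dfa alerts)} for the three sessions."""
    return {
        "normal": (run_naive(NORMAL_ACCESS), run_dfa(NORMAL_ACCESS)),
        "admin": (run_naive(ADMIN_ACCESS), run_dfa(ADMIN_ACCESS)),
        "tampered": (run_naive(TAMPERED), run_dfa(TAMPERED)),
    }


if __name__ == "__main__":
    for name, (naive, dfa) in compare_sessions().items():
        print(f"{name:9s} naive={naive} dfa={dfa}")
```

Both trackers alert on the plain normal-user session and stay quiet for the admin session. On the tampered session the naive tracker is silenced by the injected USER line, while the DFA, which has no transition for USER in the authenticated state, keeps the session classified as a normal-user flow and still fires the target rule on the RETR.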
