Tuesday, February 23, 2010

Thoughts

The aim is to figure out signature evasions in NIDS systems. Currently, how does it work?

There are rule sets (which could also be considered a policy) defined that mimic the real series of event execution, based on which the NIDS identifies whether the system is working fine or there are possible intrusions.

Now the existence of the NIDS, or any IDS, is known to all. So intruders also come up with counter attacks so as to be successful in their venture. The fact is, however well the IDS is designed to figure out the vulnerabilities, the rule sets cannot be perfect; there are possible loopholes, and the intruders capitalize on these loopholes.

Research has been done to understand the possible signature evasions in the case of an NIDS with a deterministic FSM in place. A test data generator by the name AGENT has been implemented in Prolog to test the NIDS and identify the possible evasions. Now this test data is based on the rule set, and it targets both black hat and white hat problems.

What we want to do is try to generate test data from the deterministic FSM defined based on the rule set. Research has also been done to identify algorithms that will fix the evasions by considering the FSM of the rule set defined.

Revisiting what we want to do
1. We want to figure out the evasions in the rule sets for the IDS. Rule sets direct the IDS with respect to its performance. If we can identify the evasions in the rule set, we can directly relate them to the performance of the NIDS.
2. So the rule set can be defined as an FSM. From it we can identify possible evasions, generate test data depicting those evasions, and then use the test data to test the IDS. If the system detects the intrusion, then the system is well defined. If not, then this would be considered an evasion of the system.