Possible study that should be undertaken:
When we draw an FSM for a specific situation and translate it into a ruleset, all that we can identify is the evasive path. But what is a possible evasive path? Is it not the state in which an alarm is expected but no alarm is raised for an attack? So even if we are able to generate test cases from the FSM, how far does this take us towards our goal of identifying evasions in the IDS from the user's point of view?
Now let us consider a situation in which we already know the possible modes of evasion for a kind of attack, say SQL injection. Would it not be beneficial to identify a testing technique that mainly assesses whether the IDS can be evaded, and then perhaps compare IDS systems to check which one performs better against a given evasion?
Is it not better to develop a tool that automatically tests IDS systems for evasions and reports which evasions each one is vulnerable to? Before developers use an IDS they want to understand whether it is prone to known evasions. The same could be done from the IDS developer's point of view; they too need a tool to identify evasions. The next question is how this differs from the AGENT tool already developed. As we understand it, that tool is mainly used to generate automated test data which can be run on the IDS, thereby identifying possible evasions by going through the code. What we want to avoid is reading through the code to understand the evasions.
The first point we need to be clear on is who we are targeting with this application. If it is for the IDS developers, then there is a possibility that there might be new evasions. If we are targeting the developers who are going to use the IDS, then we can assume that the evasions that need to be checked are mostly known, and hence the tool should directly test the IDS for those evasions?
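As an added example (not code from this post or from the AGENT tool), here is a minimal harness of the kind described above: a constructed list of known evasion transformations is applied to one constructed SQL-injection payload and fed to two constructed detectors, so the report shows which evasions each detector misses. The payload, the transformations and both detectors are assumptions made for the demonstration.

```python
import re
import urllib.parse

# Constructed sample payload the signature is meant to catch.
BASE_PAYLOAD = "' OR 1=1 --"

# Constructed catalogue of known evasion transformations to test against.
EVASIONS = {
    "identity": lambda s: s,
    "mixed_case": lambda s: "".join(c.upper() if i % 2 else c.lower() for i, c in enumerate(s)),
    "inline_comment": lambda s: s.replace(" ", "/**/"),
    "url_encoded": lambda s: urllib.parse.quote(s),
}

# Detector A: a naive, case-sensitive signature as a rule author might first write it.
NAIVE_RULE = re.compile(r"' OR 1=1")

def naive_detector(payload: str) -> bool:
    return bool(NAIVE_RULE.search(payload))

# Detector B: the same signature, applied after normalisation
# (URL-decode, strip inline comments, collapse whitespace, fold case).
def normalise(payload: str) -> str:
    decoded = urllib.parse.unquote(payload)
    no_comments = re.sub(r"/\*.*?\*/", " ", decoded)
    return re.sub(r"\s+", " ", no_comments).lower()

NORMALISED_RULE = re.compile(r"' or 1=1")

def normalising_detector(payload: str) -> bool:
    return bool(NORMALISED_RULE.search(normalise(payload)))

def evasion_report(detector, base=BASE_PAYLOAD):
    """Return {evasion_name: alarm_raised} for one detector."""
    return {name: detector(fn(base)) for name, fn in EVASIONS.items()}

def missed_evasions(detector, base=BASE_PAYLOAD):
    """Names of the evasions for which the detector raised no alarm."""
    return sorted(n for n, alarmed in evasion_report(detector, base).items() if not alarmed)

if __name__ == "__main__":
    for name, det in (("naive", naive_detector), ("normalising", normalising_detector)):
        print(f"{name} detector missed: {missed_evasions(det)}")
```

The same report run over two real IDS configurations is the comparison the post asks for: a detector is "vulnerable" to an evasion exactly when the expected alarm is absent.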