Investigating the evasion-resilience of Network Intrusion Detection Systems

Network Intrusion Detection Systems provide an extra security precaution by detecting attacks that have bypassed the firewall. Knowledge-based intrusion detection systems rely upon rules to trigger alerts, mainly based upon the occurrence of certain keywords. However, attackers can send evading attack packets that will try to avoid detection by the IDS, and tools can be obtained to automate such attacks. A crucial question is therefore the extent to which modern IDS are resilient to evasion attempts of this type. This paper presents the results of experiments conducted using the Nikto evasion tool against the Snort IDS, with the aim of assessing Snort's alerting capabilities when mutated attack packets were sent to a web server. It was found that Snort alerted for about half of the attack packets. In addition, some weaknesses were identified in Snort's ability to detecting certain evasion attacks, which can be solved by creating customized rules. As a result of these findings, the paper also discusses a new detection method, based upon the division of large request strings into smaller ones, analyzing each of them against the rules. The total danger level of these combined strings could decide if the IDS would alert for the request.