Detection and Recognition of Atomic Evasions Against Network Intrusion Detection/Prevention Systems

Network evasions can bypass network intrusion detection/prevention systems to deliver exploits, attacks, or malware to victims without being detected. This paper presents a novel method for the detection and recognition of atomic network evasions by the classification of a transmission control protocol (TCP) stream's packet behavior. The syntax for the conversion of TCP streams to codeword streams is proposed to facilitate the extraction of statistical features while preserving the evasion behavior attributes of original network flows. We developed a feature extraction method of employing the normalized term frequencies of codewords to characterize intra and inter packet attribute patterns hidden in actual TCP streams. A TCP stream is then transformed to a fixed length numeric feature vector. Supervised multi-class classifiers are built on the extracted feature vectors to differentiate different types of evasions from normal streams. The quantitative evaluations on an evasion dataset consisting of normal network flows and eight types of atomic evasion flows demonstrated that the proposed approach achieved an encouraging performance with an accuracy of 98.95%.