Intrusion Detection System Based On The Integrity of TCP Packet

A common way to elude a signature-based network intrusion detection system (NIDS) is to transform a recognizable attack into one that the IDS does not recognize. For example, to avoid matching the signatures of the intrusion detection system, an attacker splits the attack payload into many small fragments or hides it within other messages. In this paper we model the main fragmentation attacks and add a new module to the intrusion detection architecture that recognizes these attacks by checking the integrity of the TCP packet, in order to prevent evasion of the system and to raise the necessary alert to the system administrator.
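As an added example (not code from the paper), a minimal integrity check of the kind the abstract describes for one TCP flow: it verifies the TCP checksum, reassembles the segments, flags overlapping segments whose bytes disagree and gaps in the stream, and matches the signature only against the reassembled stream rather than against single fragments. The addresses, segments and the toy signature are constructed for the example.

```python
import struct
from collections import namedtuple

SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses
SIGNATURE = b"/cgi-bin/phf"                             # constructed toy signature
Segment = namedtuple("Segment", "seq data")             # one TCP segment of a flow

def tcp_checksum(src_ip, dst_ip, tcp_bytes):
    """Ones-complement checksum over the IPv4 pseudo-header and the TCP segment (RFC 793)."""
    data = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp_bytes)) + tcp_bytes
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def checksum_ok(src_ip, dst_ip, tcp_bytes):
    """A segment whose stored checksum field is correct sums to zero."""
    return tcp_checksum(src_ip, dst_ip, tcp_bytes) == 0

def build_tcp(src_ip, dst_ip, sport, dport, seq, payload):
    """Build a PSH/ACK segment with a valid checksum (used only to make test input)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def reassemble(segments, isn):
    """Rebuild the byte stream in arrival order; alert on conflicting overlaps and gaps."""
    stream, alerts = {}, []
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq - isn + i
            if off in stream and stream[off] != byte:
                alerts.append("conflicting overlap at offset %d" % off)
            stream.setdefault(off, byte)  # keep the first copy; the conflict itself is the alert
    if stream and len(stream) != max(stream) + 1:
        alerts.append("gap in stream, payload incomplete")
    return bytes(stream[k] for k in sorted(stream)), alerts

def inspect(segments, isn, signature):
    """Match the signature against the reassembled stream, not against single fragments."""
    payload, alerts = reassemble(segments, isn)
    if signature in payload:
        alerts.append("signature matched in reassembled stream")
    return payload, alerts
```

Which copy of an overlapping byte the end host keeps differs between operating systems, so the check reports the conflict rather than guessing; a real deployment would resolve it per target host.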
