how to test an ids
play

How to Test an IDS? GENESIDS: An Automated System for Generating - PowerPoint PPT Presentation

Mar 28, 2024 •285 likes •671 views

How to Test an IDS? GENESIDS: An Automated System for Generating Attack Traffjc WTMC 2018 Felix Erlacher , Falko Dressler Network Intrusion Detection Systems (NIDS) Analyze network traffjc for malicous activity Felix Erlacher: How to Test an

  1. How to Test an IDS? GENESIDS: An Automated System for Generating Attack Traffjc WTMC 2018 Felix Erlacher , Falko Dressler

  2. Network Intrusion Detection Systems (NIDS) Analyze network traffjc for malicous activity Felix Erlacher: How to Test an IDS? GENESIDS 2 ▶ Anomaly based NIDS ▶ Have a model of ’normal’ traffjc ▶ Detect and alert deviations from ’normal’ traffjc ▶ Signature based NIDS ▶ Have rule-set of known attacks and incidents ▶ Detect rule patterns in analyzed network traffjc → Example: Snort

  3. How to test a NIDS? Manually creating attack traffjc? time intensive cumbersome SUMMARY: traces do not contain enough unique attacks Felix Erlacher: How to Test an IDS? GENESIDS 3 ▶ Real traffjc? ▶ hard to get ▶ public traces: old, no payload ▶ contains only very few attacks

  4. SUMMARY: traces do not contain enough unique attacks How to test a NIDS? Felix Erlacher: How to Test an IDS? GENESIDS 3 ▶ Real traffjc? ▶ hard to get ▶ public traces: old, no payload ▶ contains only very few attacks ▶ Manually creating attack traffjc? ▶ time intensive ▶ cumbersome

  5. SUMMARY: traces do not contain enough unique attacks How to test a NIDS? Felix Erlacher: How to Test an IDS? GENESIDS 3 ▶ Real traffjc? ▶ hard to get ▶ public traces: old, no payload ▶ contains only very few attacks ▶ Manually creating attack traffjc? ▶ time intensive ▶ cumbersome

  6. How to test a NIDS! GENESIDS: Generating Events for Signature-based Intrusion Detection Systems Felix Erlacher: How to Test an IDS? GENESIDS 4 ▶ INPUT: Set of attack descriptions ▶ Snort syntax ▶ HTTP attacks ▶ OUTPUT: Stateful network traffjc containing attack patterns ▶ One fmow per attack ▶ Annotated with an attack ID

  7. Rule example: alert tcp any any -> any any ( msg:"This is an example rule"; content:"POST"; http_method; uricontent:"|2F|evil.jpg"; pcre:"/AttackBody-V[0-9].*/P"; sid:1234567; rev:0;) genesids -f example.rule -s example.com Felix Erlacher: How to Test an IDS? GENESIDS 5

  8. Rule example: alert tcp any any -> any any ( msg:"This is an example rule"; content:"POST"; http_method; uricontent:"|2F|evil.jpg"; pcre:"/AttackBody-V[0-9].*/P"; sid:1234567; rev:0;) genesids -f example.rule -s example.com Felix Erlacher: How to Test an IDS? GENESIDS 5

  9. Rule example: alert tcp any any -> any any ( msg:"This is an example rule"; content:"POST"; http_method; uricontent:"|2F|evil.jpg"; pcre:"/AttackBody-V[0-9].*/P"; sid:1234567; rev:0;) genesids -f example.rule -s example.com Felix Erlacher: How to Test an IDS? GENESIDS 5

  10. Rule example: alert tcp any any -> any any ( msg:"This is an example rule"; content:"POST"; http_method; uricontent:"|2F|evil.jpg"; pcre:"/AttackBody-V[0-9].*/P"; sid:1234567; rev:0;) genesids -f example.rule -s example.com Felix Erlacher: How to Test an IDS? GENESIDS 5

  11. Rule example: alert tcp any any -> any any ( msg:"This is an example rule"; content:"POST"; http_method; uricontent:"|2F|evil.jpg"; pcre:"/AttackBody-V[0-9].*/P"; sid:1234567; rev:0;) genesids -f example.rule -s example.com Felix Erlacher: How to Test an IDS? GENESIDS 5

  12. Rule example: alert tcp any any -> any any ( msg:"This is an example rule"; content:"POST"; http_method; uricontent:"|2F|evil.jpg"; pcre:"/AttackBody-V[0-9].*/P"; sid:1234567; rev:0;) genesids -f example.rule -s example.com Felix Erlacher: How to Test an IDS? GENESIDS 5

  13. Rule example: alert tcp any any -> any any ( msg:"This is an example rule"; content:"POST"; http_method; uricontent:"|2F|evil.jpg"; pcre:"/AttackBody-V[0-9].*/P"; sid:1234567; rev:0;) genesids -f example.rule -s example.com Felix Erlacher: How to Test an IDS? GENESIDS 5

  14. Rule example: alert tcp any any -> any any ( msg:"This is an example rule"; content:"POST"; http_method; uricontent:"|2F|evil.jpg"; pcre:"/AttackBody-V[0-9].*/P"; sid:1234567; rev:0;) genesids -f example.rule -s example.com Felix Erlacher: How to Test an IDS? GENESIDS 5

  15. Rule example: alert tcp any any -> any any ( msg:"This is an example rule"; content:"POST"; http_method; uricontent:"|2F|evil.jpg"; pcre:"/AttackBody-V[0-9].*/P"; sid:1234567; rev:0;) genesids -f example.rule -s example.com Felix Erlacher: How to Test an IDS? GENESIDS 5

  16. Example traffjc in Wireshark: alert tcp any any -> any any ( msg:"This is an example rule"; content:"POST"; http_method; uricontent:"|2F|evil.jpg"; pcre:"/AttackBody-V[0-9].*/P"; sid:1234567; rev:0;) Felix Erlacher: How to Test an IDS? GENESIDS 6

  17. Example traffjc in Wireshark: alert tcp any any -> any any ( msg:"This is an example rule"; content:"POST"; http_method; uricontent:"|2F|evil.jpg"; pcre:"/AttackBody-V[0-9].*/P"; sid:1234567; rev:0;) Felix Erlacher: How to Test an IDS? GENESIDS 6

  18. Example traffjc in Wireshark: alert tcp any any -> any any ( msg:"This is an example rule"; content:"POST"; http_method; uricontent:"|2F|evil.jpg"; pcre:"/AttackBody-V[0-9].*/P"; sid:1234567; rev:0;) Felix Erlacher: How to Test an IDS? GENESIDS 6

  19. Example traffjc in Wireshark: alert tcp any any -> any any ( msg:"This is an example rule"; content:"POST"; http_method; uricontent:"|2F|evil.jpg"; pcre:"/AttackBody-V[0-9].*/P"; sid:1234567; rev:0;) Felix Erlacher: How to Test an IDS? GENESIDS 6

  20. Example traffjc in Wireshark: alert tcp any any -> any any ( msg:"This is an example rule"; content:"POST"; http_method; uricontent:"|2F|evil.jpg"; pcre:"/AttackBody-V[0-9].*/P"; sid:1234567; rev:0;) Felix Erlacher: How to Test an IDS? GENESIDS 6

  21. Example traffjc in Wireshark: alert tcp any any -> any any ( msg:"This is an example rule"; content:"POST";http_method; uricontent:"|2F|evil.jpg"; pcre:"/AttackBody-V[0-9].*/P"; sid:1234567; rev:0;) Felix Erlacher: How to Test an IDS? GENESIDS 6

  22. GENESIDS Evaluation: Goals & Rules All supported Snort rules from: Snort.org subscriber rule-set Snort.org community rule-set Emerging Threats rule-set TOTAL 8101 difgerent rules Felix Erlacher: How to Test an IDS? GENESIDS 7 ▶ Ability to generate a variety of difgerent attacks ▶ Generated attacks trigger expected event

  23. GENESIDS Evaluation: Goals & Rules All supported Snort rules from: TOTAL 8101 difgerent rules Felix Erlacher: How to Test an IDS? GENESIDS 7 ▶ Ability to generate a variety of difgerent attacks ▶ Generated attacks trigger expected event ▶ Snort.org subscriber rule-set ▶ Snort.org community rule-set ▶ Emerging Threats rule-set

  24. GENESIDS Evaluation steps Felix Erlacher: How to Test an IDS? GENESIDS 8 TCP Connection HTTP Server Step 1 GENESIDS Signatures Signatures tcpdump 00101100101 Network 01001010010 00001110111 Trace 11100110100 10111010010 01010111111 Rules

  25. GENESIDS Evaluation steps Felix Erlacher: How to Test an IDS? GENESIDS 8 TCP Connection HTTP Server Step 1 GENESIDS tcpdump 00101100101 00101100101 Network Network 01001010010 01001010010 00001110111 00001110111 Trace Trace 11100110100 11100110100 10111010010 10111010010 Snort 01010111111 01010111111 Signatures Step 2 Alerts Rules Rules

  26. Evaluation results: Generated attacks Felix Erlacher: How to Test an IDS? GENESIDS 9 10000 Attacks Sent 8000 Attacks 6000 4000 2000 0 0 20 40 60 80 100 Experiment Run ▶ GENESIDS: 8101 attacks generated (out of 8101 rules)

  27. Evaluation results: True positives Felix Erlacher: How to Test an IDS? GENESIDS 10 10000 Attacks Sent 8000 Snort True Pos. Alerts Attacks 6000 4000 2000 0 0 20 40 60 80 100 Experiment Run ▶ Snort: 7877 (avg) true positive alerts triggered (out of 8101)

  28. Evaluation results: False positives triggered by 3 rules) Felix Erlacher: How to Test an IDS? GENESIDS 11 10000 Attacks Sent Snort True Pos. Alerts 5000 Snort False Pos. Alerts 2000 Attacks 1000 500 200 100 0 20 40 60 80 100 Experiment Run ▶ Snort: 2847 (avg) false positive alerts triggered (62%

  29. Evaluation results: False negatives not trigger the corresponding alert) Felix Erlacher: How to Test an IDS? GENESIDS once (out of 100) 12 10000 Attacks Sent Snort True Pos. Alerts 5000 Snort False Pos. Alerts 2000 Attacks 1000 500 200 Snort False Negatives 100 0 20 40 60 80 100 Experiment Run ▶ Snort: 223 (avg) false negatives (generated attacks that did ▶ Total of 363 rules generated attack not triggering at least

  30. Conclusion GENESIDS: Generating attack traffjc for NIDS testing defjnitions Felix Erlacher: How to Test an IDS? GENESIDS 13 ▶ Accepting Snort syntax → thousands of up-to-date attack ▶ 97% of generated attacks triggered corresponding alert ▶ Less than 3% failed to trigger corresponding alert

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Engineering Best Practices Test, test, test, and test some more; test as you go Start from a

Engineering Best Practices Test, test, test, and test some more; test as you go Start from a

Engineering Best Practices Test, test, test, and test some more; test as you go Start from a known working state, take small steps Make things visible (gdb, printf, logic analyzer) Methodical, systematic approach. Form hypotheses and perform

755 views • 38 slides
Test automation Whenever we alter our code, we should re-test Our collections of test cases

Test automation Whenever we alter our code, we should re-test Our collections of test cases

Test automation Whenever we alter our code, we should re-test Our collections of test cases can be substantial, and each test case can be large: manual testing is slow, error-prone Ideally, we would like a tool or script that lets us

186 views • 7 slides
Here is some test text Here is some test text Here is some test text By Mou Mount nt_Everes

Here is some test text Here is some test text Here is some test text By Mou Mount nt_Everes

Here is some test text Here is some test text Here is some test text By Mou Mount nt_Everes erest_as_see een_ n_fro rom_ m_Dru rukai air2. r2.jp jpg: g: shri rimpo mpo196 1967de 7deri rivat ative e wor work: : Papa pa Li

370 views • 32 slides
Compression Test Dr. Karim Helmy Compression Test Tension test is normally conducted to

Compression Test Dr. Karim Helmy Compression Test Tension test is normally conducted to

10/5/15 CB251 Testing of materials Compression Test Dr. Karim Helmy Compression Test Tension test is normally conducted to obtain the mechanical properties of Metals. It is the primary test used for quality control and the basis for

573 views • 7 slides
TEST AUTOMATION AT BMAR BMAR TEST TEAM Test Automation Planning 1. Selection Of Test

TEST AUTOMATION AT BMAR BMAR TEST TEAM Test Automation Planning 1. Selection Of Test

TEST AUTOMATION AT BMAR BMAR TEST TEAM Test Automation Planning 1. Selection Of Test Automation Tool Telerik Test Studio tool was selected. 2. Automation Projects - Agency Project- Yna - 26 developer, 5 tester, 12 years, 3.568.168 rows

591 views • 22 slides
TEST ANXIETY Strategies to Handle Test Anxiety OVERVIEW What is test anxiety? Positive verses

TEST ANXIETY Strategies to Handle Test Anxiety OVERVIEW What is test anxiety? Positive verses

TEST ANXIETY Strategies to Handle Test Anxiety OVERVIEW What is test anxiety? Positive verses negative thoughts Three stages of test anxiety Exercise and test anxiety Balanced diet with test anxiety POP procedure Myth verses Reality

379 views • 20 slides
The Handwriting of God Daniel 5 Here is some test text Here is some test text Here is some test

The Handwriting of God Daniel 5 Here is some test text Here is some test text Here is some test

Here is some test text Here is some test text Here is some test text The Handwriting of God Daniel 5 Here is some test text Here is some test text Here is some test text 1. God warns us not to trust the security of earthly kingdoms Here is

707 views • 39 slides
Model-Based Testing (ISTQB Chapter 4) Arie van Deursen 1 4.1 ISTQB Test Design Test Scripts

Model-Based Testing (ISTQB Chapter 4) Arie van Deursen 1 4.1 ISTQB Test Design Test Scripts

Model-Based Testing (ISTQB Chapter 4) Arie van Deursen 1 4.1 ISTQB Test Design Test Scripts Test Basis 4.1.2: Test Analysis 4.1.4: Test Implementation Test Selected Test Cases Test Conditions Conditions 4.1.3: Test Design 2 Test

1.18k views • 38 slides
Quality Assurance: Test Development & Execution Developing Test Strategy Ian S. King Test

Quality Assurance: Test Development & Execution Developing Test Strategy Ian S. King Test

Quality Assurance: Test Development & Execution Developing Test Strategy Ian S. King Test Development Lead Windows CE Base OS Team Microsoft Corporation Elements of Test Strategy Where is your focus? Test specification The

427 views • 5 slides
The Son of God is Tempted Matthew 4:1-11 Here is some test text Here is some test text Here is

The Son of God is Tempted Matthew 4:1-11 Here is some test text Here is some test text Here is

Here is some test text Here is some test text Here is some test text The Son of God is Tempted Matthew 4:1-11 Here is some test text Here is some test text Here is some test text 1. Jesus is temped to gratify His desires apart from Gods

418 views • 15 slides
EMC TEST REPORT DIRECTORY A) Documentation Directory 2 Test Standards 3 Address of the test

EMC TEST REPORT DIRECTORY A) Documentation Directory 2 Test Standards 3 Address of the test

EMC TEST REPORT CE TEST REPORT Report Number : ETLE080619.495 Report issue date : July 21, 2008 Model / Serial No. : HWC-640 / NONE Multiple Model Name : HWC-630, HWC-650, HWC-660, HWC-680 Product Type : Hot & Cold Water Purifier

522 views • 35 slides
Innovative Test Technology and Test Procedures for Components of Railway Chassis Agenda (1)

Innovative Test Technology and Test Procedures for Components of Railway Chassis Agenda (1)

Innovative Test Technology and Test Procedures for Components of Railway Chassis Agenda (1) Introduction - Accidents, developments and current status (2) Testing and state-of-the-art test systems in 2019 (3) Perspective test systems (4) Test

552 views • 53 slides
EMC TEST REPORT DIRECTORY A) Documentation Directory 2 Test Standards 3 Address of the test

EMC TEST REPORT DIRECTORY A) Documentation Directory 2 Test Standards 3 Address of the test

EMC TEST REPORT CE TEST REPORT Report Number : ETLE070516.328 Report issue date : June 27, 2007 Model / Serial No. : ROMEO III / NONE Multiple Model Name : W2-360H, W2-340H, W2-300H, W2-310H Product Type : POU Water Cooler Applicant

612 views • 36 slides
Huamei Dong 04/12/2016 1. Z test or T test for one mean (one sample) or two means (two samples)

Huamei Dong 04/12/2016 1. Z test or T test for one mean (one sample) or two means (two samples)

Lab Huamei Dong 04/12/2016 1. Z test or T test for one mean (one sample) or two means (two samples) 2. Chi square test for two categorical data 3. ANOVA F test for comparing two means or more than two means 4. T test for simple linear

552 views • 18 slides
200511316 200511316 Test plan Test design specification g p

200511316 200511316 Test plan Test design specification g p

200511316 200511316 Test plan Test design specification g p Test case specification Test procedure specification Test procedure specification Test item transmittal report Test log l Test

493 views • 38 slides
God Pursues Us with NEW LIFE Ezekiel 37:1-14 Here is some test text Here is some test text Here

God Pursues Us with NEW LIFE Ezekiel 37:1-14 Here is some test text Here is some test text Here

Here is some test text Here is some test text Here is some test text God Pursues Us with NEW LIFE Ezekiel 37:1-14 Here is some test text Here is some test text Here is some test text 1. Gods people are spiritually dead and scattered in

364 views • 25 slides
Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems Martin Rehak 1,2 ,

Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems Martin Rehak 1,2 ,

Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems Martin Rehak 1,2 , Eugen Staab 3 , Volker Fusenig 3 , Michal Pechoucek 1,2 , Martin Grill 1 , Jan Stiborek 1 , and Karel Bartos 1 ( 1 ) Czech Technical University in

419 views • 24 slides
Lab 8: Firewalls & Intrusion Detec6on Systems Fengwei Zhang Wayne State University CSC 5991

Lab 8: Firewalls & Intrusion Detec6on Systems Fengwei Zhang Wayne State University CSC 5991

Lab 8: Firewalls & Intrusion Detec6on Systems Fengwei Zhang Wayne State University CSC 5991 Cyber Security Prac6ce 1 Firewall & IDS Firewall A device or applica6on that analyzes packet headers and enforces policy based on

365 views • 20 slides
Outline Intrusion detection systems CSci 5271 Malware and the network Introduction to Computer

Outline Intrusion detection systems CSci 5271 Malware and the network Introduction to Computer

Outline Intrusion detection systems CSci 5271 Malware and the network Introduction to Computer Security Announcements intermission Day 22: Malware and Denial of Service Stephen McCamant Denial of service and the network University of

684 views • 10 slides
Goals of IDS Detect wide variety of intrusions Previously known and unknown attacks

Goals of IDS Detect wide variety of intrusions Previously known and unknown attacks

Goals of IDS Detect wide variety of intrusions Previously known and unknown attacks Suggests need to learn/adapt to new attacks or changes in behavior Detect intrusions in timely fashion May need to be be real-time,

638 views • 29 slides
Network Intrusion Detection: Capabilities & Limitations Vern Paxson International Computer

Network Intrusion Detection: Capabilities & Limitations Vern Paxson International Computer

Network Intrusion Detection: Capabilities & Limitations Vern Paxson International Computer Science Institute Lawrence Berkeley National Laboratory vern@icsi.berkeley.edu November 16, 2005 Outline ! What problem are we trying to solve? !

566 views • 40 slides
Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy Chapter 13 Using Rules and Thresholds for

297 views • 7 slides
Network Security: Intrusion Detection Seungwon Shin, KAIST most slides from Dr. Guofei Gu Some

Network Security: Intrusion Detection Seungwon Shin, KAIST most slides from Dr. Guofei Gu Some

Network Security: Intrusion Detection Seungwon Shin, KAIST most slides from Dr. Guofei Gu Some Definition Intrusion A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability, of a computing and

814 views • 29 slides
Systems Security: Countermeasures II Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Countermeasures II Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Countermeasures II Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands June 21, 2018 Outline 1 Masking Countermeasure 2 Control Flow Integrity 3 Intrusion Detection 2 / 22 Rotating S-box Masking

540 views • 22 slides

More recommend