IDS mailing list archives
Re: interesting paper on testing sig-based IDS
From: Giovanni Vigna <vigna () cs ucsb edu>
Date: Mon, 28 Feb 2005 15:45:01 -0800
Well, we sort of suck in terms of publicizing our research. Our tool, which is called 'Sploit', is more similar to CANVAS than to any other. I haven't seen/tried CANVAS so I am not sure, but the basic ideas seem similar.

You can get the details from the paper, but the idea is to compose exploit templates and mutant operators. The mutation engine applies one or more mutant operators to an exploit template to obtain a mutant exploit. Then the exploit is run against a vulnerable application and an oracle determines if the attack was successful (this is necessary because even though the mutant operators are supposed to preserve the semantics of the exploit, things can actually go wrong in unexpected ways). The outcome of the oracle is automatically cross-correlated with the outputs of one or more intrusion detection systems. By "exploring" the mutation space it is possible to find the right composition of mutant operators to evade an IDS.

In our paper we show that using our tool we were able to evade 9 out of 10 attacks, in the case of ISS RealSecure.

We are not distributing our code at the moment.

Best regards,
Giovanni

On Feb 25, 2005, at 9:01 PM, Kohlenberg, Toby wrote:
http://www.cs.ucsb.edu/~vigna/pub/2004_vigna_robertson_balzarotti_CCS04.pdf

It seems very similar (at least at first glance) to what's been implemented by RFP in Whisker (the anti-IDS techniques) or in Metasploit (IDS confusion techniques). Have any/many of you seen this before? It seems like it's something we would have seen cross this list but I don't remember it doing so.

t

Toby Kohlenberg, CISSP, GCIH, GCIA
Senior Information Security Analyst
Applied Security Technology Team
Intel Corporate Information Security
503-712-8588 Office & Voicemail
877-497-1696 Pager
"Just because you're paranoid, doesn't mean they're not after you."
PGP Fingerprint: 92E2 E2FC BB8B 98CD 88FA 01A1 6E09 B5BA 9E84 9E70

--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
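The template / mutant-operator / oracle / IDS cross-correlation loop that Giovanni describes in his reply, as an added toy example. This is not Sploit's code and it says nothing about ISS RealSecure or any other real product: the vulnerable CGI, the single IDS rule, the three mutant operators and the /etc/passwd marker are all constructed here for illustration. The toy "IDS" matches rule content against raw request bytes with no URI normalization, which is what the percent-encoding operator exploits (real network IDS normalize HTTP URIs before matching, so that operator is the simplest illustration of the idea, not a working evasion of anything). The upper-casing operator is there to show why the oracle is needed: it silences the matcher, but it also breaks the exploit, so the harness must discard it rather than report it as an evasion.

```python
"""Mutation-space exploration against a toy signature IDS (added example).

Everything below is constructed: the vulnerable CGI, the IDS rule, the mutant
operators and the marker the oracle looks for.  Not Sploit's code.
"""
import itertools
import posixpath
import urllib.parse
from dataclasses import dataclass

# Exploit template: a directory traversal request against the constructed CGI.
TEMPLATE = b"GET /cgi-bin/vuln.cgi?file=../../etc/passwd HTTP/1.0\r\n\r\n"

# Constructed file content; its presence in the response is the oracle's marker.
PASSWD_MARKER = b"root:x:0:0:root:/root:/bin/sh"


def vulnerable_target(request: bytes) -> bytes:
    """Constructed server: percent-decodes and normalizes the URI the way a real
    one would, then joins the 'file' parameter under the web root without
    rejecting '..' (that join is the deliberate bug)."""
    try:
        line = request.split(b"\r\n", 1)[0].decode("ascii")
        method, uri, _version = line.split(" ")
    except (ValueError, UnicodeDecodeError):
        return b"HTTP/1.0 400 Bad Request\r\n\r\n"
    if method != "GET":
        return b"HTTP/1.0 405 Method Not Allowed\r\n\r\n"
    path, _, query = uri.partition("?")
    # Case-sensitive script lookup after decoding and dot-segment removal.
    if posixpath.normpath(urllib.parse.unquote(path)) != "/cgi-bin/vuln.cgi":
        return b"HTTP/1.0 404 Not Found\r\n\r\n"
    requested = urllib.parse.parse_qs(query).get("file", [""])[0]  # parse_qs decodes %xx
    resolved = posixpath.normpath(posixpath.join("/var/www", requested))
    if resolved == "/etc/passwd":
        return b"HTTP/1.0 200 OK\r\n\r\n" + PASSWD_MARKER + b"\n"
    return b"HTTP/1.0 200 OK\r\n\r\nno such file\n"


def oracle(response: bytes) -> bool:
    """Did the mutant still achieve the exploit's effect?"""
    return PASSWD_MARKER in response


# Constructed signature IDS: every content token must appear in the raw bytes.
IDS_RULES = {"WEB-CGI vuln.cgi traversal": [b"vuln.cgi", b"../"]}


def ids_alerts(request: bytes) -> list:
    return [name for name, contents in IDS_RULES.items()
            if all(c in request for c in contents)]


# Mutant operators: each rewrites the request-URI and is *meant* to keep the
# exploit's semantics.  Whether it really does is the oracle's call, not ours.
def _map_uri(req, fn):
    line, rest = req.split(b"\r\n", 1)
    method, uri, version = line.split(b" ")
    return method + b" " + fn(uri) + b" " + version + b"\r\n" + rest

def encode_dots(req):    # '..' -> '%2e%2e': the server decodes it, the raw matcher never sees '../'
    return _map_uri(req, lambda u: u.replace(b"..", b"%2e%2e"))

def self_ref_dir(req):   # '/cgi-bin/..' -> '/./cgi-bin/..': removed again by normpath on the server
    return _map_uri(req, lambda u: b"/." + u)

def upper_path(req):     # upper-case the path: hides 'vuln.cgi' from the matcher but the server is case-sensitive
    def f(u):
        path, sep, query = u.partition(b"?")
        return path.upper() + sep + query
    return _map_uri(req, f)

OPERATORS = [encode_dots, self_ref_dir, upper_path]


@dataclass
class MutantResult:
    operators: tuple   # names of the operators applied, in order
    request: bytes
    success: bool      # oracle verdict
    detected: bool     # IDS verdict


def explore(template=TEMPLATE, operators=OPERATORS):
    """Apply every subset of operators (in list order) and cross-correlate
    the oracle's verdict with the IDS output for each mutant."""
    results = []
    for k in range(len(operators) + 1):
        for combo in itertools.combinations(operators, k):
            mutant = template
            for op in combo:
                mutant = op(mutant)
            results.append(MutantResult(
                tuple(op.__name__ for op in combo), mutant,
                oracle(vulnerable_target(mutant)), bool(ids_alerts(mutant))))
    return results


def evasive(results):
    """Mutants worth keeping: the exploit still works and the IDS stayed silent."""
    return [r for r in results if r.success and not r.detected]


def broken(results):
    """Mutants the oracle rejects: 'semantics-preserving' operators that were not."""
    return [r for r in results if not r.success]


if __name__ == "__main__":
    for r in explore():
        label = "+".join(r.operators) or "(none)"
        print(f"{label:28} exploit={str(r.success):5} ids_alert={r.detected}")
```

Running it prints one row per mutant. Of the eight compositions, two are evasive (the ones containing encode_dots but not upper_path), two are detected (no operator, and self_ref_dir alone), and the four containing upper_path are silent on the IDS but fail the oracle, which is exactly the case the reply warns about: without the oracle those four would be mis-reported as successful evasions.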
Current thread:
- interesting paper on testing sig-based IDS Kohlenberg, Toby (Feb 28)
- Re: interesting paper on testing sig-based IDS Jonathon Giffin (Mar 01)
- Re: interesting paper on testing sig-based IDS buineach (Mar 02)
- Re: interesting paper on testing sig-based IDS Shai Rubin (Mar 02)
- Re: interesting paper on testing sig-based IDS buineach (Mar 02)
- Re: interesting paper on testing sig-based IDS Giovanni Vigna (Mar 02)
- Re: interesting paper on testing sig-based IDS Stefano Zanero (Mar 04)
- Re: interesting paper on testing sig-based IDS Richard Bejtlich (Mar 02)
- <Possible follow-ups>
- RE: interesting paper on testing sig-based IDS Kyle Quest (Mar 04)
- RE: interesting paper on testing sig-based IDS Jose Maria Lopez Hernandez (Mar 06)
- RE: interesting paper on testing sig-based IDS Kyle Quest (Mar 06)
- RE: interesting paper on testing sig-based IDS Brian Smith (Mar 06)
- RE: interesting paper on testing sig-based IDS Micheal Reynolds (Mar 06)
- Re: interesting paper on testing sig-based IDS Jonathon Giffin (Mar 01)