Characterization and Solution to a Stateful IDS Evasion

Executive Summary

Stateful Intrusion Detection Systems (IDSs) use stateful signatures to simulate the behavior of the application protocol they protect and to identify malicious behavior. However, for reasons of complexity and overhead, it is difficult to fully simulate every session state in an IDS. The authors identify a new type of stateful IDS evasion, which they name signature evasion. They formalize signature evasion for those stateful IDSs whose state can be modeled using Deterministic Finite State Automata (DFAs). They develop an efficient algorithm that operates on rule set DFAs and derives a minimal rectification of evasive paths. Finally, they evaluate their solution on Snort signatures, identifying and rectifying existing vulnerable flowbit rule sets.
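To make the DFA view of signature evasion concrete, the following is an added illustration (not code from the paper, and not the authors' rectification algorithm). It models a constructed toy protocol and a constructed flowbit-style IDS rule set as two DFAs over the same event alphabet, searches the product automaton for the shortest event sequence that drives the protocol into a dangerous state while the IDS never reaches an alert state, points at the IDS transition on which the two state machines diverge, and then re-runs the search against a rectified rule set to confirm the gap is closed. The event names, states, and the "reset unsets the flowbit" over-approximation are all assumptions made up for the example.

```python
from collections import deque

# Constructed toy models (not from the paper): a protocol DFA and a flowbit-style IDS DFA
# over one event alphabet. Tables map (state, event) -> next state; an event missing from
# a table is a self-loop, mirroring a flowbit rule set where no rule matches the packet.
ALPHABET = ["exec", "login", "reset"]

PROTOCOL = {
    ("init", "login"): "auth",
    ("auth", "exec"): "exec_done",  # dangerous: a command runs for the authenticated session
    # "reset" and a repeated "login" are no-ops once authenticated (constructed behaviour)
}
PROTOCOL_DANGEROUS = {"exec_done"}

IDS = {
    ("s0", "login"): "s1",    # rule 1: login seen -> set flowbit "auth"
    ("s1", "reset"): "s0",    # rule 2: reset seen -> unset "auth" (over-approximates the protocol)
    ("s1", "exec"): "alert",  # rule 3: exec with "auth" set -> alert
}
IDS_ALERT = {"alert"}


def step(table, state, event):
    """Advance one DFA; unmatched events leave the state unchanged."""
    return table.get((state, event), state)


def find_evasion(protocol, dangerous, ids, alert, alphabet, p0="init", i0="s0"):
    """Breadth-first search over the product of both DFAs. Returns the shortest event
    sequence that drives the protocol into a dangerous state while the IDS is not in an
    alert state (a signature evasion), or None when every dangerous path is covered."""
    start = (p0, i0)
    seen = {start}
    queue = deque([(start, [])])
    while queue:
        (p, i), path = queue.popleft()
        if p in dangerous and i not in alert:
            return path
        if p in dangerous or i in alert:
            continue  # outcome decided on this branch: alert and dangerous are absorbing
        for ev in alphabet:
            nxt = (step(protocol, p, ev), step(ids, i, ev))
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [ev]))
    return None


def diverging_transition(protocol, ids, path, p0="init", i0="s0"):
    """Replay an evasive path and return the first IDS (state, event) pair on which the
    IDS moves differently from the protocol: it changes state while the protocol does
    not, or stays put while the protocol moves."""
    p, i = p0, i0
    for ev in path:
        np_, ni = step(protocol, p, ev), step(ids, i, ev)
        if (np_ != p) != (ni != i):
            return (i, ev)
        p, i = np_, ni
    return None


def rectify(ids, transition):
    """Constructed rectification for this toy: drop the diverging IDS transition so the
    event becomes a self-loop, matching the protocol. Only meaningful when the IDS moved
    while the protocol stayed put. Returns a new table."""
    fixed = dict(ids)
    fixed.pop(transition, None)
    return fixed


def audit(protocol=PROTOCOL, dangerous=PROTOCOL_DANGEROUS, ids=IDS, alert=IDS_ALERT):
    """Find an evasion, propose a rectification, and confirm it closes the gap."""
    path = find_evasion(protocol, dangerous, ids, alert, ALPHABET)
    if path is None:
        return {"evasion": None, "diverges_at": None, "fixed": True}
    bad = diverging_transition(protocol, ids, path)
    still_evasive = find_evasion(protocol, dangerous, rectify(ids, bad), alert, ALPHABET)
    return {"evasion": path, "diverges_at": bad, "fixed": still_evasive is None}


if __name__ == "__main__":
    print(audit())
```

Running `audit()` reports the evasive sequence `login, reset, exec`: the protocol ignores the reset and still executes the command, while rule 2 has already cleared the flowbit, so rule 3 never fires. The divergence is the IDS transition on `reset` in state `s1`, and after that transition is aligned with the protocol the product search finds no remaining evasive path. The same product-automaton check applies to any pair of rule set and protocol DFAs; what the paper contributes beyond this sketch is the formal characterization and an efficient way to derive a minimal rectification rather than the single-transition fix shown here.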

