Talk:Intrusion detection system evasion techniques

This article is rated Start-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:

Computer Security: Computing Low‑importance This article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks. Low This article has been rated as Low-importance on the project's importance scale. This article is supported by WikiProject Computing. Things you can help WikiProject Computer Security with: Article alerts will be generated shortly by AAlertBot. Please allow some days for processing. More information... Answer question about Same-origin_policy Review importance and quality of existing articles Identify categories related to Computer Security Tag related articles Identify articles for creation (see also: Article requests) Identify articles for improvement Create the Project Navigation Box including lists of adopted articles, requested articles, reviewed articles, etc. Find editors who have shown interest in this subject and ask them to take a look here. Computing Low‑importance This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks. Low This article has been rated as Low-importance on the project's importance scale.

Untitled

Latest comment: 17 years ago3 comments2 people in discussion

My first wiki page - so I'm sure it will need some editing to comply with wiki standards. This page takes content from the Intrusion detection system entry and fleshes it out, and also fills in the missing Tiny Fragment Attack and Overlapping Fragment Attack entries requested on Wikipedia:Requested articles/Applied_arts_and_sciences/Computer_science,_computing,_and_Internet --Sgorton 21:08, 5 February 2007 (UTC)Reply

this article needs some serious additions, there should be discussion of Dan Kaminsky's temporal ip fraging attacks, there should be mention of different web encodings, like chuncked encodings to evade, use of uuencoding in email, url encoding in uri's, double and tripple url encodings, gziping web pages, msrpc fragmentation, many IPSs simply look for jmp esp offsets, so changing the defaults on an exploit often works, playing games with TCP segmentation rules for accept first vs accept last can be used, mislabling file types, embedding one type in another (as seen on some of Alex Wheeler's AV bugs), unicode in url's, tunneling traffic using something like ip in ip often works (when applicable), encrypting connections to target hosts (e.g. attacking apache over ssl so the IPS cant see it), encoding a web page with java script and assembling offending content client side, double/tripple/etc encoding with java script...those are just a few off the top of my head, some of that is covered a little bit but it would be nice some of this added...I can try to add some of that as time permits --Michael Lynn 01:03, 21 March 2007 (UTC)Reply

Sure, those would be good things to add in. Do you think that 'encoding' is part of 'obfuscation', or is its own top-level evasion category? I'm leaning toward the latter, particularly after your list of encoding-related techniques. I can try to add some when I have time, or you can, either way. --Sgorton 17:48, 22 March 2007 (UTC)Reply

Wiki Education Foundation-supported course assignment

Latest comment: 2 years ago1 comment1 person in discussion

  This article is or was the subject of a Wiki Education Foundation-supported course assignment. Further details are available on the course page. Student editor(s): Pickyt.

Above undated message substituted from Template:Dashboard.wikiedu.org assignment by PrimeBOT (talk) 00:45, 17 January 2022 (UTC)Reply

Plans for additions

Latest comment: 8 years ago1 comment1 person in discussion

Hi, I wanted to get some feedback on the edits I'm planning on making to this article (sometime between April 5th & 8th).

I'm planning to group techniques into 3 sections with subsections:

1. Insertion and Evasion: Fragmentation & Small packets, Overlapping fragments and TCP segments, Protocol ambiguities, Low-bandwidth attacks
2. Payload obfuscation: Encodings and Encryption, Polymorphism
3. Denial of Service: CPU Exhaustion, Memory Exhaustion, Operator Fatigue

I'm also adding citations. Here's what I have so far:

• Ptacek, Thomas H.; Newsham, Timothy N. (1998-01-01). "Insertion, evasion, and denial of service: Eluding network intrusion detection".
• Cheng, Tsung-Huan; Lin, Ying-Dar; Lai, Yuan-Cheng; Lin, Po-Ching. "Evasion Techniques: Sneaking through Your Intrusion Detection/Prevention Systems". IEEE Communications Surveys & Tutorials 14 (4): 1011–1020. doi:10.1109/surv.2011.092311.00082.
• Corona, Igino; Giacinto, Giorgio; Roli, Fabio. "Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues". Information Sciences 239: 201–225. doi:10.1016/j.ins.2013.03.022.
• Chaboya, D. J.; Raines, R. A.; Baldwin, R. O.; Mullins, B. E. (2006-11-01). "Network Intrusion Detection: Automated and Manual Methods Prone to Attack and Evasion". IEEE Security Privacy 4 (6): 36–43. doi:10.1109/MSP.2006.159. ISSN 1540-7993.

If anyone has any pointers for papers to look at, I'd really appreciate it.

Let me know what you think, and thanks for your help! Pickyt (talk) 16:13, 1 April 2016 (UTC)Reply

External links modified

Latest comment: 6 years ago1 comment1 person in discussion

Hello fellow Wikipedians,

I have just modified one external link on Intrusion detection system evasion techniques. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

• Added archive https://web.archive.org/web/20070203195859/http://www.cirt.net/code/nikto.shtml to http://www.cirt.net/code/nikto.shtml

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 18 January 2022).

• If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
• If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 21:07, 15 November 2017 (UTC)Reply