Efficiency Over IPS&IDS Technology
Abstract— Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) are the first line of defense of a cyber-environment. This technology is made for capturing and preventing breaches and attacks. Evading an IPS/IDS system creates a large gap in cyber-security. This research examines seven common evasion techniques and their success rates against an IPS/IDS system. These techniques are TTL evasion, fragmentation with MTU modification evasion, tampering time – agent name and port name evasion, encoding and obfuscation evasion, bad checksum evasion, file header manipulation evasion, and file and path change evasion. The latest version of the Snort IPS/IDS system was used to test the attacks and evasion techniques. The whole attack and evasion dataset was created with contemporary attack techniques during the research. Test results demonstrate that the IPS/IDS system can be bypassed with evasion techniques.

Keywords— Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS), evasion attack techniques

I. INTRODUCTION

There is always a contest between attackers and system defenders. Attackers continually aim to breach systems for political or financial reasons, or just to make a point and become famous [1][2]. For these reasons, a cyber system has to be protected against cyber attacks and cyber breaches. To protect these systems, intrusion prevention and intrusion detection systems were developed. IPS/IDS technology focuses on detecting, preventing and reporting cyber-attacks on network or telecommunication infrastructure. It accomplishes this by inspecting the whole network traffic and its content. This gives the advantage of controlling and defending the network against attackers from a single point [1][4].

For effective security, an IPS/IDS system becomes a crucial part of network security. The reason is that an IPS/IDS system provides perimeter security and has the capability to prevent and report an attack at a single point [3]. Moreover, an IPS/IDS system not only buys time for unpatched vulnerabilities but also defends misconfigured systems. An IPS/IDS system fills the time gap between the discovery of a vulnerability and the release of its patch [5]. To defend a vulnerable system, IPS/IDS systems are indispensable.

There are two different types of IPS/IDS systems: signature-based and anomaly-based. Anomaly-based IPS/IDS systems are rarely used in practice due to their high false positive rates. A signature-based system uses signatures that are defined from logs of past attacks. It checks new packets against its signature database to detect attacks [6]. In case of a match, the IPS/IDS generates an alert about it.

Even though an IPS/IDS system is mostly reliable, there is a possibility that an attacker can evade it and breach the end system [21]. If the IPS/IDS system can be bypassed, an attacker can easily reach the target. Although IPS/IDS systems are constantly improved against such attacks every day, there are still evasion techniques that can bypass an IPS/IDS system.

In this study, we tested seven common techniques to evade an IPS/IDS system: TTL evasion, fragmentation by MTU modification, tampering time – agent name and port, encoding and obfuscation, bad checksum, file header manipulation, and file and path change techniques. The success of each evasion technique is measured by the proportion of the alarms it silenced. In this study, the OSSTMM penetration testing methodology is used to attack the target machines. Then every single attack is sent to the IDS system to test the alarm it generates [24]. We used the open-source Snort IPS/IDS system with Kali Linux attacker machines. Snort was loaded with the latest signatures, which are the community rules and the v.2.9.13.0 registered rules dated 11 April 2019.

Note that in this research, the attack scenarios are limited only to IPS/IDS-related attacks. Every attack in the dataset has a signature and is recognizable by IPS/IDS systems; some attack techniques and tactics are beyond the limits of IPS/IDS, and other cyber security devices should protect the cyber environment against those. For this reason, the research is conducted within the IPS/IDS boundaries.
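To make the signature-matching model and the "proportion of alarms silenced" measure concrete, the following added example (not code from the paper, and not Snort rules) contrasts a naive per-packet detector with one that reassembles streams, verifies checksums and normalizes encoding before matching. The signature table, the Segment class and all traffic are constructed for the demonstration; the fragmentation, bad-checksum and encoding cases mirror three of the seven technique categories the study lists.

```python
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed signature table (name -> byte pattern); these are not Snort rules.
SIGNATURES = {"etc-passwd-access": b"/etc/passwd", "cmd-exec-probe": b"cmd.exe"}

@dataclass
class Segment:
    stream: str               # constructed flow id (stands in for the 5-tuple)
    seq: int                  # byte offset of this payload within the stream
    payload: bytes
    checksum_ok: bool = True  # whether the receiving host would accept it

def match(data, sigs=SIGNATURES):
    return {name for name, pat in sigs.items() if pat in data}

def naive_detect(segments):
    """Per-packet matching with no reassembly or normalization (the weak approach)."""
    return set().union(*(match(s.payload) for s in segments))

def normalize(data):
    """Decode percent-encoding and fold case so obfuscated payloads still match."""
    return unquote(data.decode("latin-1")).lower().encode("latin-1")

def reassemble(segments, verify_checksums=True):
    """Rebuild each stream in sequence order, dropping segments the host would discard."""
    streams = {}
    for s in sorted(segments, key=lambda s: (s.stream, s.seq)):
        if verify_checksums and not s.checksum_ok:
            continue  # the host ignores it, so the detector must too
        streams[s.stream] = streams.get(s.stream, b"") + s.payload
    return streams

def hardened_detect(segments, verify_checksums=True):
    """Match signatures against reassembled, normalized streams."""
    return set().union(*(match(normalize(d))
                         for d in reassemble(segments, verify_checksums).values()))

def silenced_ratio(detector, baseline, evaded):
    """Share of alarms on un-evaded traffic that the evasion suppresses (the study's measure)."""
    base = len(detector(baseline))
    return 0.0 if base == 0 else 1 - len(detector(evaded)) / base

# Constructed traffic: the same two requests, first plain and then evaded.
BASELINE = [Segment("a", 0, b"GET /etc/passwd HTTP/1.0"),
            Segment("b", 0, b"GET /cmd.exe HTTP/1.0")]
EVADED = [Segment("a", 0, b"GET /etc/pa"),                        # fragmented
          Segment("a", 11, b"XXXXXXXXXXXXX", checksum_ok=False),  # bad-checksum decoy
          Segment("a", 11, b"sswd HTTP/1.0"),
          Segment("b", 0, b"GET /%43MD.exe HTTP/1.0")]             # encoded and case-changed
```

Against EVADED the naive detector silences every alarm (ratio 1.0), the hardened detector silences none (0.0), and a reassembler that skips checksum verification is fooled by the decoy segment (0.5).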
978-1-7281-3964-7/19/$31.00 ©2019