Abstract

Network evasions can bypass network intrusion detection/prevention systems to deliver exploits, attacks, or malware to victims without being detected. This paper presents a novel method for the detection and recognition of atomic network evasions by classifying the packet behavior of a transmission control protocol (TCP) stream. A syntax for converting TCP streams to codeword streams is proposed to facilitate the extraction of statistical features while preserving the evasion behavior attributes of the original network flows. We developed a feature extraction method that uses the normalized term frequencies of codewords to characterize the intra-packet and inter-packet attribute patterns hidden in actual TCP streams. A TCP stream is thereby transformed into a fixed-length numeric feature vector. Supervised multi-class classifiers are built on the extracted feature vectors to differentiate the different types of evasions from normal streams. A quantitative evaluation on an evasion dataset consisting of normal network flows and eight types of atomic evasion flows demonstrated that the proposed approach achieves an encouraging performance, with an accuracy of 98.95%.

Highlights

  • Network Intrusion Detection/Prevention Systems are widely used to improve the security of networks run by providers, enterprises and even home users

  • Dataset: we evaluated our model on a dataset consisting of 280,217 samples generated from normal transmission control protocol (TCP) streams and 8 types of atomic network evasion streams

  • Every evasion sample was obtained by applying an evasion technique to the original TCP stream with specific option values


Summary

INTRODUCTION

Network Intrusion Detection/Prevention Systems (NIDS/NIPS) are widely used to improve the security of networks run by providers, enterprises and even home users. The robustness principle [2] of Internet protocol design says that an implementation should be careful to send well-formed datagrams but should accept any datagram it can interpret; as a consequence, different protocol implementations interpret ambiguous traffic differently. Attackers exploit these ambiguities by deliberately crafting network traffic so that an NIDS/NIPS and the endpoint system process the same packets in different ways. Cheng et al. [11] assessed the effectiveness of evasion techniques against FortiGate, Snort and ZyXEL, three signature-based NIDS all running up-to-date firmware/code and rules. Each evasion technique modifies a traffic stream in its own way. This shows up either as a deviation in the values of the related fields of a packet's header (an intra-packet attribute) or as a deviation in the relative values of the affected fields between neighboring packets in receiving order (an inter-packet attribute).
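The abstract and the paragraph above describe the pipeline only in outline: quantize each packet's header fields and its relation to the neighboring packet into a codeword, then turn the codeword stream into a fixed-length vector of normalized term frequencies. The following is an added illustration, not the paper's code, and the codeword syntax it uses (TTL bucket, flag class, sequence relation to the previous packet, payload-size bucket) is an assumption chosen for the example; the paper's actual syntax, field set and eight evasion types are not reproduced on this page. The three streams are constructed, one direction of a connection each.

```python
"""Codeword streams and normalized term-frequency features for a TCP stream.

Added example (not the paper's code). The codeword syntax below is an
assumption for illustration: one character per attribute, so every
codeword is exactly four characters and the vocabulary is fixed.
"""
from collections import Counter
from itertools import product

# Intra-packet attributes (assumed quantization).
TTL_BUCKETS = ("L", "N")                 # L: ttl <= 10 (may expire before the host), N: normal
FLAG_CLASSES = ("S", "A", "P", "F", "R", "O")
SIZE_BUCKETS = ("0", "1", "2", "3")      # 0: no payload, 1: 1-8 B, 2: 9-512 B, 3: > 512 B
# Inter-packet attribute: this packet's seq relative to the end of the
# previous packet in receiving order.
SEQ_RELATIONS = ("X", "C", "G", "V")     # X: first packet, C: contiguous, G: gap, V: overlap

# Fixed vocabulary => fixed-length feature vector, whatever the stream length.
VOCAB = ["".join(t) for t in product(TTL_BUCKETS, FLAG_CLASSES, SEQ_RELATIONS, SIZE_BUCKETS)]
INDEX = {w: i for i, w in enumerate(VOCAB)}


def ttl_bucket(ttl):
    return "L" if ttl <= 10 else "N"


def flag_class(flags):
    """Collapse a set of TCP flag letters to one class character."""
    for f in ("R", "S", "F", "P"):
        if f in flags:
            return f
    return "A" if flags == {"A"} else "O"


def size_bucket(n):
    if n == 0:
        return "0"
    if n <= 8:
        return "1"
    return "2" if n <= 512 else "3"


def stream_to_codewords(packets):
    """Convert packets (dicts: ttl, flags, seq, len) in arrival order to codewords."""
    words, prev_end = [], None
    for p in packets:
        if prev_end is None:
            rel = "X"
        elif p["seq"] == prev_end:
            rel = "C"
        elif p["seq"] > prev_end:
            rel = "G"
        else:
            rel = "V"          # starts before the previous segment ended: overlap
        words.append(ttl_bucket(p["ttl"]) + flag_class(p["flags"]) + rel + size_bucket(p["len"]))
        # SYN and FIN each consume one sequence number in addition to the payload.
        prev_end = p["seq"] + p["len"] + int("S" in p["flags"]) + int("F" in p["flags"])
    return words


def feature_vector(packets):
    """Normalized term frequency of every vocabulary codeword (length len(VOCAB))."""
    words = stream_to_codewords(packets)
    if not words:
        return [0.0] * len(VOCAB)
    counts = Counter(words)
    return [counts[w] / len(words) for w in VOCAB]


def differing_codewords(vec_a, vec_b):
    """Codewords whose frequency differs between two vectors: what a classifier keys on."""
    return sorted(VOCAB[i] for i, (a, b) in enumerate(zip(vec_a, vec_b)) if a != b)


# Constructed sample streams (client -> server direction only).
NORMAL = [
    {"ttl": 64, "flags": {"S"}, "seq": 1000, "len": 0},
    {"ttl": 64, "flags": {"A"}, "seq": 1001, "len": 0},
    {"ttl": 64, "flags": {"P", "A"}, "seq": 1001, "len": 200},
    {"ttl": 64, "flags": {"P", "A"}, "seq": 1201, "len": 600},
    {"ttl": 64, "flags": {"A"}, "seq": 1801, "len": 0},
    {"ttl": 64, "flags": {"F", "A"}, "seq": 1801, "len": 0},
]
# Same payload delivered with an overlapping segment (inter-packet deviation).
OVERLAP = [
    {"ttl": 64, "flags": {"S"}, "seq": 1000, "len": 0},
    {"ttl": 64, "flags": {"A"}, "seq": 1001, "len": 0},
    {"ttl": 64, "flags": {"P", "A"}, "seq": 1001, "len": 300},
    {"ttl": 64, "flags": {"P", "A"}, "seq": 1101, "len": 700},   # overlaps the previous 200 bytes
    {"ttl": 64, "flags": {"A"}, "seq": 1801, "len": 0},
    {"ttl": 64, "flags": {"F", "A"}, "seq": 1801, "len": 0},
]
# Short-TTL decoy segment inserted before the real one (intra-packet deviation).
TTL_INSERT = [
    {"ttl": 64, "flags": {"S"}, "seq": 1000, "len": 0},
    {"ttl": 64, "flags": {"A"}, "seq": 1001, "len": 0},
    {"ttl": 64, "flags": {"P", "A"}, "seq": 1001, "len": 200},
    {"ttl": 3, "flags": {"P", "A"}, "seq": 1201, "len": 600},    # decoy, expires before the host
    {"ttl": 64, "flags": {"P", "A"}, "seq": 1201, "len": 600},   # real segment, same seq
    {"ttl": 64, "flags": {"A"}, "seq": 1801, "len": 0},
    {"ttl": 64, "flags": {"F", "A"}, "seq": 1801, "len": 0},
]

if __name__ == "__main__":
    for name, stream in (("normal", NORMAL), ("overlap", OVERLAP), ("ttl_insert", TTL_INSERT)):
        print(name, stream_to_codewords(stream))
    print("normal vs overlap differs on:", differing_codewords(feature_vector(NORMAL), feature_vector(OVERLAP)))
```

Both evasion streams carry the same 800 bytes as the normal one, so a payload signature sees nothing unusual; the codewords expose the evasion because the overlap shows up as a `V` relation and the decoy as an `L` TTL bucket, and the normalized frequencies over the fixed vocabulary give a classifier the same 192-dimensional input for every stream regardless of its length.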

RELATED WORK
FEATURE EXTRACTION
EXPERIMENTAL RESULTS
CONCLUSION
