Intrusion Detection Systems Tests And Denial Of Service Attacks Simulation Based-on CASL

Posted on: 2005-03-09
Degree: Master
Type: Thesis
Country: China
Candidate: K Zhao
Full Text: PDF
GTID: 2168360125950902
Subject: Computer system architecture
Abstract/Summary:
With the rapid development of the Internet, the number of computer security incidents has grown every year, and more attention has been paid to network security. As an indispensable instrument of computer security, intrusion detection systems (IDSs) have been applied broadly, and there is an urgent need to test and evaluate them. Developers hope to find flaws by testing and evaluating IDSs, and consumers expect that testing and evaluation will help them select proper products.

At present, limited progress has been made in testing IDSs, and we have made some preliminary efforts. We wrote test programs in the Custom Audit Scripting Language (CASL) to simulate real network attacks (intrusions). Intrusion signature identification tests were performed on currently typical intrusion detection systems to validate their functional characteristics in a representative network environment. A summary evaluation of general intrusion detection techniques is presented after analyzing the test results. Meanwhile, we studied the methodology of Denial-of-Service (DoS) attacks in depth and simulated four typical DoS attacks in CASL.

CASL, a powerful security tool, lets us carry this research further. CASL is a high-level programming language that provides various packet templates and powerful network programming functionality, and can easily be used to write programs that simulate low-level attacks or information-gathering checks on networks. CASL is similar to C in syntax, is easy to learn, and is used like a shell-scripting language. CASL programs are interpreted and do not consume large amounts of memory and CPU.

Twenty-five test programs were written to simulate the "PHF" web server attack. We chose this attack because all IDSs can detect it and it is easy to simulate, since its attack signature is a specific string ("GET /cgi-bin/phf?"). What's more, the victim host will not be compromised, because it has no security vulnerabilities. These test programs employ the insertion and evasion methods used to disturb IDSs, in order to validate the functionality of the IDSs.

All tests are conducted on a 10BaseT Ethernet connected to the Internet through a router. The hosts needed are the test host, the victim host and the monitor host. Each IDS is installed and configured on the victim host in turn, with port 80 opened as the victim port. The monitor host logs network traffic so that it can be replayed later. We then execute all test programs, record the output of the IDSs and obtain the test results.

Our test results indicate that all intrusion detection systems that rely on passive protocol analysis to collect data are fundamentally flawed. Attackers may exploit various methods to deceive and confuse IDSs and evade detection. Vendors make many exaggerated claims for their products for various reasons. New techniques (such as intrusion prevention) may be an alternative approach in the future.

Since the first Denial-of-Service (DoS) attack appeared, DoS attacks have caused significant financial damage every year. With the development of automated DoS attack tools, DoS attacks pose a greater threat to network security. At present, most researchers focus on attack detection and response mechanisms, yet limited progress has been made on the details of DoS attacks. We collected a large amount of related information and studied the methodology of DoS attacks in depth. Four typical DoS attacks, Land, WinNuke, Smurf and the chargen-echo loop, are simulated in CASL. Land and WinNuke are resource-starvation DoS attacks, while Smurf and the chargen-echo loop are bandwidth-consumption DoS attacks.

The problem of DoS attacks has not changed significantly in recent years. Resources (such as bandwidth and memory) remain limited and susceptible to consumption attacks. There are still a great many weak or improperly secured systems that attackers can use to launch DoS attacks. The programs that simulate DoS attacks by us...
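The PHF signature tests above hinge on one point: an IDS that matches the signature byte-for-byte in each packet it sniffs sees something different from what the victim server sees once the stream is reassembled and the request is decoded. The following Python is an added illustration, not code from the thesis (the thesis programs were written in CASL and are not reproduced here). It compares a per-segment matcher with a detector that reassembles the stream by sequence number and normalizes the request line before matching, over constructed TCP segments; the sample requests, sequence numbers and helper names are all assumptions made for the example.

```python
from urllib.parse import unquote

# Signature of the PHF CGI request used as the test stimulus in the thesis.
PHF_SIGNATURE = "GET /cgi-bin/phf?"


# A captured stream is modelled as (tcp_seq, payload) segments. The constructed
# samples below contain no overlaps, so reassembly is a plain sort-and-join.
def naive_match(segments):
    """Per-segment substring match: no reassembly, no decoding."""
    return any(PHF_SIGNATURE in payload for _, payload in segments)


def reassemble(segments):
    """Order segments by sequence number and join them into one stream."""
    return "".join(payload for _, payload in sorted(segments, key=lambda s: s[0]))


def normalize_request_line(stream):
    """Return the HTTP request line with the target percent-decoded and
    duplicate slashes collapsed, i.e. as the web server would interpret it."""
    line = stream.split("\r\n", 1)[0]
    parts = line.split(" ")
    if len(parts) >= 2:
        target = unquote(parts[1])
        while "//" in target:
            target = target.replace("//", "/")
        parts[1] = target
    return " ".join(parts)


def normalized_match(segments):
    """Reassemble, normalize, then match: detection on what the victim sees."""
    return PHF_SIGNATURE in normalize_request_line(reassemble(segments))


# Constructed test cases in the spirit of the thesis' test programs (assumed values).
SAMPLES = {
    "benign":    [(1000, "GET /index.html HTTP/1.0\r\n\r\n")],
    "plain":     [(1000, "GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n\r\n")],
    # request line split across two segments (seq 1000 + 9 bytes = 1009)
    "split":     [(1000, "GET /cgi-"), (1009, "bin/phf?Qalias=x HTTP/1.0\r\n\r\n")],
    # the same two segments, captured out of order
    "reordered": [(1009, "bin/phf?Qalias=x HTTP/1.0\r\n\r\n"), (1000, "GET /cgi-")],
    # 'p' of phf percent-encoded; the server decodes it, a byte matcher does not
    "encoded":   [(1000, "GET /cgi-bin/%70hf?Qalias=x HTTP/1.0\r\n\r\n")],
}


def scorecard(detector):
    """Run one detector over every sample; returns {sample name: detected}."""
    return {name: detector(segs) for name, segs in SAMPLES.items()}


if __name__ == "__main__":
    for label, detector in (("naive", naive_match), ("normalized", normalized_match)):
        print(label, scorecard(detector))
```

The scorecard is the shape of result the thesis reports per IDS: the naive matcher flags only the "plain" sample, while the normalizing detector flags all four PHF variants and still passes the benign request. A production sensor additionally has to resolve overlapping segments and TTL-limited packets the way the specific target stack does, which this example deliberately leaves out.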
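Each of the four DoS attacks the thesis simulates has a distinctive packet-level pattern that a sensor can match, and the thesis' own grouping into resource-starvation and bandwidth-consumption attacks can be attached to each match. The Python below is an added example, not part of the thesis, that applies such rules to constructed packet records; the address ranges, the assumption that a directed broadcast to the configured /24 marks the Smurf amplifier pattern, and the `Packet` field names are all choices made for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed local network; an ICMP echo request to its broadcast address is
# treated as the Smurf amplification pattern (constructed for this example).
LOCAL_NETS = [ip_network("192.0.2.0/24")]
ECHO_PORT, CHARGEN_PORT, NETBIOS_SSN_PORT = 7, 19, 139

# Grouping as given in the thesis abstract.
CATEGORY = {
    "Land": "resource starvation",
    "WinNuke": "resource starvation",
    "Smurf": "bandwidth consumption",
    "chargen-echo loop": "bandwidth consumption",
}


@dataclass
class Packet:
    """Minimal decoded-packet record (assumed field names)."""
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False
    urg: bool = False     # TCP URG flag, i.e. out-of-band data
    icmp_type: int = -1   # 8 = echo request


def is_directed_broadcast(addr):
    a = ip_address(addr)
    return any(a == net.broadcast_address for net in LOCAL_NETS)


def classify(p):
    """Return the attack name a packet matches, or None."""
    if p.proto == "tcp":
        # Land: SYN whose source and destination address:port are identical
        if p.syn and p.src == p.dst and p.sport == p.dport:
            return "Land"
        # WinNuke: out-of-band data sent to the NetBIOS session port
        if p.urg and p.dport == NETBIOS_SSN_PORT:
            return "WinNuke"
    elif p.proto == "udp":
        # chargen-echo loop: UDP traffic between the echo and chargen services
        if {p.sport, p.dport} == {ECHO_PORT, CHARGEN_PORT}:
            return "chargen-echo loop"
    elif p.proto == "icmp":
        # Smurf: echo request aimed at a directed broadcast address
        if p.icmp_type == 8 and is_directed_broadcast(p.dst):
            return "Smurf"
    return None


def scan(packets):
    """Return (index, attack name, category) for every packet that matches a rule."""
    hits = []
    for i, p in enumerate(packets):
        name = classify(p)
        if name:
            hits.append((i, name, CATEGORY[name]))
    return hits


# Constructed sample capture (TEST-NET addresses, not real hosts).
SAMPLE_PACKETS = [
    Packet("tcp", "192.0.2.10", "192.0.2.10", 80, 80, syn=True),       # Land
    Packet("tcp", "192.0.2.50", "192.0.2.20", 1234, 139, urg=True),    # WinNuke
    Packet("icmp", "198.51.100.7", "192.0.2.255", icmp_type=8),        # Smurf
    Packet("udp", "192.0.2.30", "192.0.2.31", 19, 7),                  # chargen-echo loop
    Packet("tcp", "192.0.2.40", "192.0.2.20", 40000, 80, syn=True),    # ordinary SYN
    Packet("icmp", "192.0.2.40", "192.0.2.20", icmp_type=8),           # ordinary ping
]

if __name__ == "__main__":
    for index, name, category in scan(SAMPLE_PACKETS):
        print(f"packet {index}: {name} ({category})")
```

The rules are deliberately single-packet: Land, WinNuke and the first packet of a chargen-echo loop or Smurf flood are each recognizable on their own, which is why these four are convenient stimuli for validating that an IDS reports anything at all. Rate-based detection of the resulting bandwidth consumption is a separate concern not covered here.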
Keywords/Search Tags: Simulation