
Research on IDS Attack Resistance Test

Posted on: 2010-05-03   Degree: Master   Type: Thesis
Country: China   Candidate: Z Kou   Full Text: PDF
GTID: 2178360272495895   Subject: Computer system architecture
Abstract/Summary:
Nowadays the Intrusion Detection System (IDS) is an essential component of network security. As an active security technology, an IDS can respond to and intercept an intrusion before it reaches the target system, providing real-time detection of and protection against both internal and external attacks. However, as more and more vulnerabilities in system software and application software are disclosed and attackers' skills improve, intrusion detection products face greater challenges than ever before. Moreover, most users lack the knowledge needed to configure an IDS accurately, which opens the possibility of the IDS itself being disabled, with serious consequences for security. If the IDS cannot function properly, its output becomes questionable and its purpose is lost. This calls for an objective, complete and accurate test of an IDS's attack resistance.

As a branch of IDS evaluation, the Attack Resistance Test is a kind of Reverse Security Test carried out by simulating attacks. A Reverse Security Test evaluates important hosts and security equipment by attacking them; its main feature is that it assesses system security from the attacker's point of view. The Attack Resistance Test evaluates a system's ability to withstand network attacks by attacking a designated target and judging its resistance from the consequences of the attack. Compared with conventional security testing, which is highly specialized and whose standards are hard to put into practice, the Attack Resistance Test is more intuitive, more convincing and more targeted: because it uses simulated hacking methods, the test procedure is easier to follow and the assessment results are easier to understand.

There are many kinds of attacks against an IDS. Based on existing research, this paper lists the categories of attacks against IDS and divides them into three types according to their purpose and effect: overload attacks, crash attacks and spoofing attacks. Overload attacks and crash attacks target the IDS's capacity to handle data flow; they cause the IDS to fail to process the data it receives in time, so that it drops attack information and misses the corresponding detection. By method, overload attacks are subdivided into attacks on the IDS's data reception capability and smoke-bomb attacks, which bury real attacks in a flood of decoy alerts. Crash attacks aim to paralyze the IDS completely by making it break down or exhausting its available resources; by method they are subdivided into attacks exploiting vulnerabilities in the IDS itself and attacks that deplete its resources. Spoofing attacks exploit the information asymmetry between the IDS and the target host, i.e. the different interpretations the two give to the same received data, to carry out an attack unnoticed.

Simulating the attack stream is one of the most important aspects of an Attack Resistance Test. Based on a study of attack simulation in previous IDS assessment systems, this paper identifies the following problems: (1) the attack content is insufficient, and there is no proof that the attack stream is effective; (2) the attack types are outdated and no longer representative, since research shows that most current attacks exploit recently disclosed weaknesses and the tests cannot keep pace with the discovery and fixing of those weaknesses; (3) the test is passive and cannot respond flexibly to specific changes in attack types; (4) in overload and crash tests the individual attack behaviors under test can be ignored, and what matters is the combined effect of attacks at different scales.

Therefore, this paper implements a program that generates attack streams following the approach of Stick. The program analyzes the Snort rule set to extract the attack signature strings and forges packets from the other options in each rule, producing traffic that closely resembles a real attack. Keywords in the Snort rule set are identified with the Lex lexical analyzer, and the attack packets are forged with raw sockets. These packets are forged attack data rather than real attack behavior, but they carry strong attack characteristics that trigger the IDS's alarms. The goals of the program are: 1. sending a controlled forged attack stream; 2. sending controlled pressure data; 3. logging attack details. On top of this program the paper builds a platform for IDS Attack Resistance Testing; with the black-box method the test procedure is more intuitive and the results are easier to understand. The assumption here is point (4) above: individual attack behavior can be ignored in crash and overload tests, and the combined effect of different attack scales matters more. The paper focuses on testing the IDS's resistance to overload and crash attacks, launching the attacks against the Snort intrusion detection system. The test items are expressed as triples {stream speed, stream composition, packet length}. Tests were run under different combinations of these triples, measuring separately IDS CPU utilization, IDS memory utilization, IDS reception capacity and IDS processing capacity. The tests demonstrate both the effectiveness of the tool and its defects. The forged attacks generated by the program largely achieve the expected effect, with a forging success rate above 70%; however, the rate at which the forged attacks trigger alarms is not high, which calls the accuracy of the test into question. The most likely reason is that for some attacks Snort checks the TCP connection state during detection. This kind of state tracking has not been implemented in the generator, and because the tests were run with the Stream5 preprocessor disabled, TCP connection state could not be exercised. This is left as a subject for future work.
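The rule-driven generator described above, as an added example that is not the thesis author's program: it parses Snort 2 rules with regular expressions (the thesis uses a Lex-generated scanner instead), decodes the content strings including |hex| spans, resolves the port specification, builds an IPv4 packet carrying a TCP (PSH|ACK) or UDP segment whose payload is the rule's content strings, fills in the header checksums, and can hand the result to a raw socket with IP_HDRINCL, which is the Stick technique. The sample rules, the PORT_VARS table and the 10.0.0.x addresses used in the test are constructed for illustration. As the abstract observes, such a packet is only an alert trigger: it belongs to no tracked connection, so a rule with flow:established will not fire when Snort's stream preprocessor is on.

```python
"""Stick-style attack-stream generator: Snort rules in, forged IPv4 packets out.
Added example, not the thesis author's program; the sample rules are constructed."""
import random
import re
import socket
import struct

# Constructed sample rules in Snort 2 syntax (sids in the local 1000000+ range).
SAMPLE_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB /etc/passwd access"; flow:to_server,established; content:"GET "; content:"/etc/passwd"; nocase; sid:1000001; rev:1;)
# comment lines and blank lines are skipped
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS sample"; content:"|01 00 00 01|"; sid:1000002; rev:1;)
"""
PORT_VARS = {"$HTTP_PORTS": "80"}  # assumed snort.conf values; unknown variables fall back to 'any'
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop)\s+(?P<proto>tcp|udp)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+(->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")
# key[:value]; where a double-quoted value may contain backslash-escaped characters
OPT_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def decode_content(text):
    """Decode a Snort content string: odd-numbered |..| spans are hex bytes, the rest is literal."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else re.sub(r"\\(.)", r"\1", part).encode("latin-1")
    return bytes(out)

def parse_rule(line):
    """Header fields plus the options the generator needs: msg, sid and the content strings."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule: " + line)
    opts = [(k, v[1:-1] if v.startswith('"') else v) for k, v in OPT_RE.findall(m.group("opts"))]
    first = lambda key: next((v for k, v in opts if k == key), None)
    return {"proto": m.group("proto"), "sport": m.group("sport"), "dport": m.group("dport"),
            "msg": first("msg"), "sid": first("sid"),
            "contents": [decode_content(v) for k, v in opts if k == "content"]}

def load_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def pick_port(spec):
    """Resolve a port spec: a number, the low end of 'lo:hi', a random port for 'any', or $VARIABLE."""
    spec = PORT_VARS.get(spec, "any") if spec.startswith("$") else spec
    if spec == "any":
        return random.randint(1024, 65535)
    return int(spec.partition(":")[0] or 1)

def checksum(data):
    """RFC 1071 ones-complement sum over 16-bit words; a header with a valid checksum re-sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def l4_segment(proto, src_ip, dst_ip, sport, dport, payload, tcp_flags=0x18):
    """TCP segment (PSH|ACK by default, as if mid-connection) or UDP datagram with its checksum."""
    if proto == "tcp":
        hdr = struct.pack("!HHIIBBHHH", sport, dport, random.getrandbits(32),
                          random.getrandbits(32), 5 << 4, tcp_flags, 65535, 0, 0)
        pnum, off = 6, 16  # protocol number, checksum field offset
    else:
        hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
        pnum, off = 17, 6
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, pnum, len(hdr) + len(payload)))
    csum = checksum(pseudo + hdr + payload)
    return pnum, hdr[:off] + struct.pack("!H", csum) + hdr[off + 2:] + payload

def forge_packet(rule, src_ip, dst_ip):
    """One forged packet per rule: the rule's content strings, concatenated, as the payload."""
    pnum, seg = l4_segment(rule["proto"], src_ip, dst_ip, pick_port(rule["sport"]),
                           pick_port(rule["dport"]), b"".join(rule["contents"]))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), random.getrandbits(16), 0x4000,
                     64, pnum, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + seg

def verify_checksums(packet):
    """True if both the IPv4 header checksum and the transport checksum verify."""
    ihl = (packet[0] & 0x0F) * 4
    seg = packet[ihl:]
    pseudo = packet[12:20] + struct.pack("!BBH", 0, packet[9], len(seg))
    return checksum(packet[:ihl]) == 0 and checksum(pseudo + seg) == 0

def send_raw(packet, dst_ip):
    """Inject the forged packet through a raw socket (needs root/CAP_NET_RAW; not called by tests)."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(packet, (dst_ip, 0))
```

To drive a test, call `forge_packet(rule, src, dst)` for each rule from `load_rules(...)` and pass the result to `send_raw` as root on the sensor's segment; the stream speed, composition and packet length of the thesis's test triples are then controlled by how fast, in what mix, and with how much padding the caller emits these packets alongside background traffic. Because the generator never completes a handshake, checking the alarm rate against the sensor's own logs, with and without the stream preprocessor enabled, is the quickest way to see which rules the forged stream cannot trigger.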
Keywords: network security, intrusion detection system, intrusion traffic generation, attack resistance test