Intrusion Detection Subversion: A Survey

Mark Deckert

June 5, 2005

Abstract

Techniques for subverting intrusion detection systems during an attack exist in many forms, spanning from insertion, to evasion, to denial of service, and occurring on several different layers, including the network layer, the application layer and the exploit code layer. Though they are improving, modern intrusion detection systems can be blinded by many of these techniques. Various solutions have been suggested, ranging from traffic normalization to network topology awareness to one-way cables and sensors without IP addresses.

1 Introduction

This paper represents a survey of recent work done on the topic of intrusion detection subversion techniques. As done by Ptacek, we break the subject into three types of subversion techniques: Insertion, Evasion, and Denial of Service. Insertion works by putting data on the wire which the Network Intrusion Detection System (NIDS) will see but the end system will not. In this way the attacker inserts packets into the datastream which are not part of the attack, so that what the NIDS sees does not match the NIDS's signature for the attack taking place. Evasion works in the opposite manner, getting packets which are part of an attack through to the end system while somehow tricking the NIDS into ignoring them. Denial of Service seeks to interrupt the NIDS's normal operation through whatever means are available, ranging from flooding the NIDS with fake attacks to hide the real one, to attacking the NIDS itself and halting alerting. [1]

The paper will be structured as follows. First we provide a brief background on general intrusion detection and narrow our focus to a specific type of intrusion detection. Next we discuss the various types of detection subversion methods, organized into insertion, evasion and denial of service techniques. Following the discussion of techniques, we review the testing of these techniques on actual intrusion detection systems. Finally, we discuss various solutions to the problem presented by detection subversion.
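As an added illustration (not code from the paper), the following toy Python model shows why an NIDS that reassembles every segment it observes can be blinded by insertion, and how modelling the end system's view of the stream (the topology-awareness solution named in the abstract) restores detection. The signature string, the segment list and the hop count are constructed for the example; the "drop if TTL cannot reach the host" rule is a deliberate simplification.

```python
# Added example: toy model of sensor view vs. end-host view of one TCP stream.
# Constructed data; not from the paper. Segments are (offset, payload, TTL
# remaining at the sensor); the host is SENSOR_TO_HOST_HOPS hops past the sensor.

SIGNATURE = b"/cgi-bin/vuln"          # constructed NIDS signature

SEGMENTS = [                           # constructed stream as seen at the sensor
    (0, b"GET /cgi-", 64),
    (9, b"XXXX", 2),                   # inserted: visible to sensor, dies en route
    (9, b"bin/", 64),                  # the data the host actually receives at 9
    (13, b"vuln HTTP/1.0\r\n", 64),
]
SENSOR_TO_HOST_HOPS = 5                # assumption: host is five hops downstream


def reassemble(segments, accept):
    """Rebuild a stream; the first accepted byte seen at each offset wins.
    `accept(offset, payload, ttl)` decides whether a segment is counted."""
    buf = {}
    for seq, data, ttl in segments:
        if not accept(seq, data, ttl):
            continue
        for i, byte in enumerate(data):
            buf.setdefault(seq + i, byte)   # keep the first copy observed
    return bytes(buf[k] for k in sorted(buf))


def naive_nids_view(segments):
    # A sensor that trusts every segment on the wire.
    return reassemble(segments, lambda seq, data, ttl: True)


def end_host_view(segments, hops=SENSOR_TO_HOST_HOPS):
    # Simplification: a segment whose TTL expires before the host never arrives.
    return reassemble(segments, lambda seq, data, ttl: ttl > hops)


def host_aware_nids_view(segments, hops=SENSOR_TO_HOST_HOPS):
    # Mitigation: the sensor knows the path length and discards segments the
    # end system can never see, so its view matches the host's.
    return end_host_view(segments, hops)


def matches(stream):
    return SIGNATURE in stream


if __name__ == "__main__":
    print("naive sensor :", naive_nids_view(SEGMENTS), matches(naive_nids_view(SEGMENTS)))
    print("end host     :", end_host_view(SEGMENTS), matches(end_host_view(SEGMENTS)))
    print("aware sensor :", host_aware_nids_view(SEGMENTS), matches(host_aware_nids_view(SEGMENTS)))
```

The naive sensor reassembles "GET /cgi-XXXXvuln ..." and raises no alert, while the host (and the topology-aware sensor) sees "GET /cgi-bin/vuln ...".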