Reliably determining the outcome of computer network attacks

Organizations frequently rely on the use of Network Intrusion Detection Systems (NIDSs) to identify and prevent intrusions into their computer networks. While NIDSs have proven reasonably successful at detecting attacks, they have fallen short in determining if attacks succeed or fail. This determination is often left to the security analyst or system administrator. Large-scale networks pose a particular challenge for IDS analysts. The process of manually checking systems to determine if an attack is successful becomes burdensome as the size and geographic location of the network increases. Many analysts use network data alone, in particular the server response, to determine the outcome of the attack. Intuitively, the server response is the packet or packets the target computer returns after an attack. However, in the case of buffer overflows, the attacker has the ability to forge or modify this response.

This paper examines two key aspects of network defense: the ability to circumvent detection devices and how network analysts respond to evasion techniques. We examine how social engineering can be used to influence an analyst's decisions and we recommend ways to counter this threat. The intended audience will be responsible for either developing IDS signatures, or analyzing network IDS results. The technical detail is moderate, but does assume some exposure to network traffic analysis, intrusion detection, and exploits in general.