Content deleted Content added
Line 6:
An IDS can be evaded by obfuscating or encoding the attack payload in a way that the target computer will reverse but the IDS will not. In this way, an attacker can exploit the end host without alerting the IDS.
=== Encoding
Application layer protocols like [[Hypertext Transfer Protocol|HTTP]] allow for multiple encodings of data which are interpreted as the same value. For example, the string "cgi-bin" in a [[Uniform Resource Locator|URL]] can be encoded as "%63%67%69%2d%62%69%6e" (i.e., in hexadecimal).<ref name=":12">{{Cite journal|last=Cheng|first=Tsung-Huan|last2=Lin|first2=Ying-Dar|last3=Lai|first3=Yuan-Cheng|last4=Lin|first4=Po-Ching|title=Evasion Techniques: Sneaking through Your Intrusion Detection/Prevention Systems|journal=IEEE Communications Surveys & Tutorials|volume=14|issue=4|pages=1011–1020|doi=10.1109/surv.2011.092311.00082|year=2012|citeseerx=10.1.1.299.5703}}</ref> A web server will view these as the same string and act on them accordingly. An IDS must be aware of all of the possible encodings that its end hosts accept in order to match network traffic to known-malicious signatures.<ref name=":12" /><ref name=":22">{{Cite journal|last=Corona|first=Igino|last2=Giacinto|first2=Giorgio|last3=Roli|first3=Fabio|title=Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues|journal=Information Sciences|volume=239|pages=201–225|doi=10.1016/j.ins.2013.03.022|year=2013}}</ref>
| |||