Active mapping: resisting NIDS evasion without altering traffic
- 13 May 2004
- proceedings article
- Published by Institute of Electrical and Electronics Engineers (IEEE)
Abstract
A critical problem faced by a Network Intrusion Detection System (NIDS) is that of ambiguity. The NIDS cannot always determine what traffic reaches a given host nor how that host will interpret the traffic, and attackers may exploit this ambiguity to avoid detection or cause misleading alarms. We present a lightweight solution, Active Mapping, which eliminates TCP/IP-based ambiguity in a NIDS' analysis with minimal runtime cost. Active Mapping efficiently builds profiles of the network topology and the TCP/IP policies of hosts on the network; a NIDS may then use the host profiles to disambiguate the interpretation of the network traffic on a per-host basis. Active Mapping avoids the semantic and performance problems of traffic normalization, in which traffic streams are modified to remove ambiguities. We have developed a prototype implementation of Active Mapping and modified a NIDS to use the Active Mapping-generated profile database in our tests. We found wide variation across operating systems' TCP/IP stack policies in real-world tests (about 6,700 hosts), underscoring the need for this sort of disambiguation.
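To make the per-host disambiguation concrete, here is an added toy example (not code from the paper or its prototype) of a TCP reassembler that resolves overlapping segments according to a policy looked up from an Active-Mapping-style profile database; the host addresses, the two policies ("first" and "last") and the segment stream are all constructed for illustration, and real stacks show more variants than these two.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int      # starting TCP sequence offset of this segment's data
    data: bytes   # payload bytes carried by the segment


# Constructed profile database, standing in for what Active Mapping would
# build: how each destination host resolves overlapping TCP data.
#   "first": bytes that arrived first are kept, later overlaps are ignored
#   "last":  later overlapping bytes overwrite earlier ones
HOST_PROFILES = {
    "10.0.0.5": "first",
    "10.0.0.6": "last",
}
KNOWN_POLICIES = ("first", "last")


def reassemble(segments, policy):
    """Apply segments in arrival order, resolving byte overlaps per policy."""
    stream = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if off not in stream or policy == "last":
                stream[off] = byte
    return bytes(stream[k] for k in sorted(stream))


def candidate_interpretations(segments):
    """Without a host profile the NIDS must consider every plausible
    reassembly; this returns the set of distinct streams it would face."""
    return {reassemble(segments, p) for p in KNOWN_POLICIES}


def reassemble_for_host(dst_ip, segments, default="first"):
    """With a profile the NIDS picks the single interpretation the
    destination host will actually see."""
    return reassemble(segments, HOST_PROFILES.get(dst_ip, default))


# Constructed ambiguous stream: the second segment overlaps bytes 2..4 of
# the first with different content, so the two policies disagree.
AMBIGUOUS_STREAM = [Segment(0, b"ABCDEFGH"), Segment(2, b"xyz")]

if __name__ == "__main__":
    print(candidate_interpretations(AMBIGUOUS_STREAM))
    for host in HOST_PROFILES:
        print(host, reassemble_for_host(host, AMBIGUOUS_STREAM))
```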