Network security applications include techniques for attempting to detect, halt, or prevent attacks directed at network assets (e.g., computers, servers, databases, etc.). While intrusion detection systems (IDS) attempt to observe data traffic as viewed at a monitoring point remote from a host that may be the target of an attack, such as at a firewall, the data traffic actually received by the target host may differ from the traffic as viewed at the monitoring point. Because an IDS and a host see the traffic from different perspectives, an attacker may be able to send diversionary packets that enable a data flow or data stream to carry an attack to a victim host without alerting the IDS or, conversely, to deceive the IDS into believing that a particular attack is being attempted when in fact it is not. Attack signatures and known threat patterns can thus be obfuscated using evasive data flow techniques.
Protocols such as TCP/IP and others can be exploited by attackers by altering the manner in which data traffic is sent between a source and a host, or by modifying the actual data stream and individual packets. Protocol exploitation may be used to add packets to a particular data stream in order to confuse an IDS or to mask and obfuscate an attack. By modifying a data flow or stream, for example by adding packets that prevent an IDS from pattern matching or otherwise recognizing an attack, an attacker can evade detection and carry out a successful attack, hack, or compromise of an asset. Further, data communication protocols provide a specific, standardized set of algorithms for handling data traffic and, in so doing, give an attacker the opportunity to recognize and exploit a weakness in the protocol, particularly in how destination hosts reassemble transmitted packets, frames, segments, and the like.
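The reassembly ambiguity described above can be made concrete from the monitoring side. The following Python is an added example, not text or code from the patent, and assumes a simplified model with only two overlap policies (a hypothetical "first" policy that keeps the earliest copy of a byte and a "last" policy that keeps the most recent copy) and a plain byte-string signature. It tracks one direction of a monitored TCP stream, reassembles it under each policy, and flags the stream as ambiguous whenever overlapping segments disagree, so the monitor reports the discrepancy instead of guessing which copy the destination host will keep.

```python
"""Added example (not from the patent): flag overlapping, inconsistent TCP
segments in a monitored stream instead of silently picking one reassembly."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    seq: int      # sequence number of the first payload byte (relative to ISN)
    data: bytes   # payload bytes of this segment


def reassemble(segments: List[Segment], policy: str) -> bytes:
    """Reassemble one direction of a stream under an explicit overlap policy.

    'first' keeps the byte that arrived earliest at each offset; 'last' keeps
    the byte that arrived most recently. Real stacks implement more nuanced
    rules; these two are a simplified, assumed model for illustration.
    """
    if policy not in ("first", "last"):
        raise ValueError("unknown overlap policy: %r" % policy)
    buf: Dict[int, int] = {}
    for seg in segments:                      # segments are in arrival order
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if policy == "last" or off not in buf:
                buf[off] = b
    if not buf:
        return b""
    # Walk contiguous offsets from the lowest one; stop at the first hole.
    out = bytearray()
    off = min(buf)
    while off in buf:
        out.append(buf[off])
        off += 1
    return bytes(out)


def find_conflicts(segments: List[Segment]) -> List[Tuple[int, int, int]]:
    """Return (offset, earlier_byte, later_byte) for every overlapping offset
    whose copies disagree. An empty list means the overlaps are consistent."""
    seen: Dict[int, int] = {}
    conflicts: List[Tuple[int, int, int]] = []
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if off in seen and seen[off] != b:
                conflicts.append((off, seen[off], b))
            seen.setdefault(off, b)           # remember the first copy only
    return conflicts


def inspect_stream(segments: List[Segment], signature: bytes) -> dict:
    """Monitor-side check: match the signature under each policy and, if any
    overlapping copies disagree, report the stream as ambiguous regardless."""
    conflicts = find_conflicts(segments)
    matches = {p: signature in reassemble(segments, p) for p in ("first", "last")}
    return {
        "ambiguous": bool(conflicts),
        "conflicts": conflicts,
        "matches": matches,
        # Disagreeing overlaps warrant an alert (or normalization) even when
        # no single reassembly policy matches the signature.
        "alert": bool(conflicts) or any(matches.values()),
    }


# Constructed sample stream: the third segment retransmits offsets 6-9 with
# different bytes, so the two copies disagree.
SAMPLE = [
    Segment(0, b"HELLO "),
    Segment(6, b"SAFE"),
    Segment(6, b"EVIL"),
    Segment(10, b" END"),
]

if __name__ == "__main__":
    result = inspect_stream(SAMPLE, b"EVIL")
    print("first-policy view:", reassemble(SAMPLE, "first"))
    print("last-policy view: ", reassemble(SAMPLE, "last"))
    print("ambiguous:", result["ambiguous"], "matches:", result["matches"])
```

Running the sample shows the same stream reassembling to two different byte strings depending on policy; the signature matches under one view and not the other, which is exactly the discrepancy between monitor and host that the text describes, and the monitor surfaces it through the `ambiguous` flag rather than relying on a single reassembly.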
Thus, what is needed is a solution for detecting an evasive attack. Further, a solution for detecting evasive attacks that exploit data communication protocols is also desirable.