Administrators rely on systems such as network intrusion detection systems (IDS), network intrusion prevention systems (IPS), and other devices such as firewalls to provide timely and accurate information about threats to their network assets.
Central detection nodes generally monitor traffic for all hosts that they protect and attempt to predict the impact of any activity seen on a destination host. Because destination hosts can vary in numerous ways (e.g., operating system, patch level, applications, configurations, etc.), an attacker may be able to send diversionary packets (such as by obfuscating attack signatures and known threat patterns) that enable a data stream to carry an attack to a victim host without alerting an IDS (e.g., because the IDS reconstructs the packets differently than the victim host does), or conversely, to deceive an IDS into believing that a particular attack is being attempted when it is not.
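The reconstruction mismatch described above can be illustrated with overlapping TCP segments. The following is an added example, not code from the original text: it reassembles the same constructed segments under two overlap-resolution policies (keep the first copy of a byte, or let later copies overwrite it), shows that a constructed placeholder signature appears in one reconstruction but not the other, and flags the conflicting offsets themselves, which is the condition a detection node can report even without per-host context.

```python
# Added example: how an IDS and a destination host can rebuild different streams
# from identical packets, and how to detect the ambiguity. All segment data and
# the SIGNATURE placeholder are constructed for illustration.
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int      # relative sequence number of the segment's first byte
    data: bytes

def reassemble(segments, policy):
    """Rebuild a byte stream from possibly overlapping segments.

    policy="first": keep the byte from the earliest segment received.
    policy="last":  let later segments overwrite earlier ones.
    Real host stacks differ in which of these (or a mix) they apply.
    """
    stream = {}
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if policy == "last" or off not in stream:
                stream[off] = b
    return bytes(stream[k] for k in sorted(stream))

def conflicting_overlaps(segments):
    """Offsets where two segments carry different bytes for the same position.

    Any such offset means the stream is ambiguous: without knowing the
    destination host's policy, the IDS cannot know which byte the host uses.
    """
    seen, conflicts = {}, set()
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if off in seen and seen[off] != b:
                conflicts.add(off)
            seen.setdefault(off, b)
    return sorted(conflicts)

SIGNATURE = b"EVIL"   # constructed placeholder for a pattern the IDS matches on

# Constructed segments: the second retransmits bytes 4-7 with one byte changed.
PACKETS = [
    Segment(0, b"GET EVXL"),
    Segment(4, b"EVIL"),
    Segment(8, b" /index"),
]

def ids_verdict(segments, ids_policy, host_policy):
    """Compare what the IDS matches against what the host would actually see."""
    ids_view, host_view = reassemble(segments, ids_policy), reassemble(segments, host_policy)
    return {"ids_sees_signature": SIGNATURE in ids_view,
            "host_sees_signature": SIGNATURE in host_view,
            "ambiguous_offsets": conflicting_overlaps(segments)}
```

With `ids_policy="first"` and `host_policy="last"`, the IDS view contains no signature while the host view does; the non-empty `ambiguous_offsets` list is the signal a detection node can raise regardless of which policy the host uses.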
Additionally, even if the central node is aware of the entire end host context, a considerable amount of resources such as processing power and storage is required to evaluate all traffic in the context of each destination host, and considerable work would be required to keep the context information at the security system accurate and up to date.
Therefore, it would be desirable to have a better way to detect/prevent evasive attacks.