1. Attackers may be actively attempting to evade a detection system. We assume that an employee has developed a webserver that listens on TCP port 80. However, this webserver is vulnerable to an attack: if an HTTP request contains the string “ATTACK” (case sensitive), the webserver will be exploited. An example is illustrated as follows:
IP Header | TCP Header | GET ATTACK
You have designed a signature-based (a.k.a. misuse) intrusion detection system, which raises an alert if it finds “ATTACK” in a single TCP packet.
a. How can an attacker successfully launch attacks while evading your detection system? (5 Points)
b. How can you modify your detection algorithm to counter this?
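As an added illustration of what question 1b is asking for (this is not part of the assignment text and not code from the course), the following Python compares the detector as described, which matches the signature against each TCP payload on its own, with a detector that matches against the reassembled byte stream of the connection. The reassembler and the sample connections are constructed for this example: `in_order` sorts one connection's segments by sequence number, trims bytes already delivered, and stops at a hole; `match_stream` then carries the last `len(SIGNATURE) - 1` bytes of each segment forward so the signature is seen as one string wherever the segment boundaries fall. Sequence-number wraparound and the mapping of packets to connections (the usual 4-tuple) are left out to keep the example short.

```python
from typing import Iterable, List, Tuple

SIGNATURE = b"ATTACK"          # the signature from the assignment (case sensitive)

Segment = Tuple[int, bytes]    # (TCP sequence number, payload) of one connection


def match_per_packet(segments: Iterable[Segment], sig: bytes = SIGNATURE) -> bool:
    """Detector as described in the question: alerts only when the whole
    signature lies inside a single TCP payload."""
    return any(sig in payload for _, payload in segments)


def in_order(segments: Iterable[Segment]) -> List[Segment]:
    """Put the segments of one connection into sequence-number order and trim
    bytes that were already delivered (retransmissions / overlaps).
    A gap (missing segment) ends the usable stream, since a real reassembler
    would have to wait for it. Simplified: no sequence-number wraparound."""
    ordered: List[Segment] = []
    expected = None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if expected is None:
            expected = seq
        if seq < expected:                 # overlap: drop the already-seen prefix
            payload = payload[expected - seq:]
            seq = expected
        if seq > expected:                 # hole in the stream: stop here
            break
        if payload:
            ordered.append((seq, payload))
            expected = seq + len(payload)
    return ordered


def match_stream(segments: Iterable[Segment], sig: bytes = SIGNATURE) -> bool:
    """Modified detector: scan the reassembled byte stream of the connection.
    Instead of buffering the whole stream, keep the last len(sig)-1 bytes of
    the previous segment and prepend them to the next one, so a signature
    that straddles a segment boundary is still matched as one string."""
    carry = b""
    for _, payload in in_order(segments):
        window = carry + payload
        if sig in window:
            return True
        carry = window[-(len(sig) - 1):] if len(sig) > 1 else b""
    return False


# Constructed sample connections (not captured traffic).
REQUEST_ONE_SEGMENT = [(1000, b"GET ATTACK HTTP/1.0\r\n")]
REQUEST_SPLIT = [(1000, b"GET AT"), (1006, b"TACK HTTP/1.0\r\n")]
REQUEST_SPLIT_REORDERED = [(1006, b"TACK HTTP/1.0\r\n"), (1000, b"GET AT")]
REQUEST_OVERLAP = [(1000, b"GET AT"), (1003, b" ATTA"), (1008, b"CK\r\n")]
REQUEST_WITH_GAP = [(1000, b"GET AT"), (1100, b"TACK HTTP/1.0\r\n")]
REQUEST_BENIGN = [(1000, b"GET /index.html HTTP/1.0\r\n")]


if __name__ == "__main__":
    flows = [
        ("one segment", REQUEST_ONE_SEGMENT),
        ("split", REQUEST_SPLIT),
        ("split, reordered", REQUEST_SPLIT_REORDERED),
        ("overlapping retransmission", REQUEST_OVERLAP),
        ("hole in stream", REQUEST_WITH_GAP),
        ("benign", REQUEST_BENIGN),
    ]
    for name, flow in flows:
        print(f"{name:28s} per-packet={match_per_packet(flow)!s:5s} "
              f"stream={match_stream(flow)}")
```

The per-packet and stream detectors agree on the single-segment and benign requests; they differ only when the request reaches the sensor as several segments. The `REQUEST_WITH_GAP` case shows the remaining caveat of stream-based matching: the sensor must hold state until the missing segment arrives, which is where memory and timeout limits of the reassembler come into play.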
2. Collecting benign samples to train a model for anomaly detection is usually very expensive. Let us assume that Alice and Bob achieve identical detection rates and false positive rates. The following figure plots how the size (e.g., memory consumption) of the model (y-axis, used to profile the benign behaviors) grows as more benign samples (x-axis) are used to train the model. Which system do you prefer according to the figure? Give two reasons. (dotted: Alice, line: Bob)