An Investigation of Slow HTTP DoS attacks on Intrusion Detection Systems

This is a Master's thesis from Blekinge Tekniska Högskola / Institutionen för datavetenskap (Blekinge Institute of Technology, Department of Computer Science)

Abstract: Network Security Monitoring (NSM) is one of the standard methods used for protecting networks from attackers, and it has four phases: Monitoring, Detection, Forensics/Diagnosis, and Response/Recovery. One of the technologies frequently used for monitoring and detecting malicious traffic in a network is the Intrusion Detection System (IDS). Each IDS employs its own monitoring and detection strategy. Some IDS rely on rule sets to detect malicious traffic, so those rule sets must be tested to confirm that they actually recognize the attacks they are meant to cover. The main objective of this thesis is to analyse the rule sets responsible for detecting malicious traffic in an IDS, review the literature on IDS and Slow Hypertext Transfer Protocol (HTTP) Denial-of-Service (DoS) attacks, and design and build a testbed for the evaluation. The problem addressed is that little research has focused on the effect of Slow HTTP attacks on IDS, and the authors explore this gap. The authors propose an approach for assessing and evaluating the effect that a Slow HTTP DoS attack has on an IDS. In the experiments, Slow HTTP DoS attacks were launched against an IDS running different rule sets. The experiments were conducted in a virtualized environment, and the IDS evaluated were Snort and Suricata, chosen because both analyse traffic with signature-based detection techniques and generate alerts from rule sets. This makes it possible to judge whether a signature-based IDS detects an attack from the alerts it generates in real time. The experiments show that the standard Snort and Suricata solutions are effective. In Snort, the registered rule set generated alerts for different attacks than the community rule set did. The Emerging Threats rule set in Suricata detected two of the three attacks conducted, which shows that the chosen approach yields meaningful results when examining the effect of DoS attacks on IDS.
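The behaviour the thesis tests for, a client that opens many connections and trickles an HTTP request header a few bytes at a time so the request never completes, can be modelled directly. The following is an added example written for this page; it is not code from the thesis, and it is not a Snort or Suricata rule. It reconstructs per-connection request state from constructed traffic events, flags connections whose header block is still incomplete after a threshold with a low average segment size, and then aggregates by source address. The thresholds (30 seconds, 64 bytes per segment, 5 concurrent suspicious connections), the addresses and the event records are all assumptions made for the example.

```python
"""Toy detector for Slow HTTP (slowloris-style) request behaviour.

Added example, not code from the thesis. It models what the abstract
describes detecting: a client that opens many connections and feeds a
request header a few bytes at a time so the header block never ends.
All traffic records below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    src: str
    first_seen: float
    last_seen: float = 0.0
    bytes_total: int = 0
    segments: int = 0
    complete: bool = False   # True once "\r\n\r\n" closes the header block
    buf: bytes = b""


def ingest(events):
    """events: (timestamp, src, conn_id, payload) tuples in time order.
    Returns dict conn_id -> Conn with the request state reconstructed."""
    conns = {}
    for ts, src, cid, payload in events:
        c = conns.setdefault(cid, Conn(src=src, first_seen=ts))
        c.last_seen = ts
        c.bytes_total += len(payload)
        c.segments += 1
        if not c.complete:
            c.buf += payload
            if b"\r\n\r\n" in c.buf:
                c.complete = True
    return conns


def flag_slow_connections(conns, now, max_header_secs=30.0, max_avg_seg_bytes=64):
    """A connection is suspicious if its header block is still incomplete
    after max_header_secs and has arrived in small segments (a slow trickle).
    Thresholds are assumed values for the example."""
    flagged = []
    for cid, c in conns.items():
        if c.complete:
            continue
        age = now - c.first_seen
        avg = c.bytes_total / c.segments if c.segments else 0
        if age >= max_header_secs and avg <= max_avg_seg_bytes:
            flagged.append(cid)
    return sorted(flagged)


def alert_sources(conns, flagged, min_conns=5):
    """Aggregate: alert on a source holding min_conns or more suspicious
    incomplete connections at the same time."""
    per_src = defaultdict(int)
    for cid in flagged:
        per_src[conns[cid].src] += 1
    return {src: n for src, n in per_src.items() if n >= min_conns}


def build_sample_events():
    """Constructed traffic: one normal client and one slowloris-style attacker."""
    events = []
    # Normal client (assumed address): complete request in a single segment.
    events.append((0.0, "10.0.0.5", "n1",
                   b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"))
    # Attacker (assumed address): 8 connections, each sends the request line
    # and then one bogus header every 10 s, never closing the header block.
    for i in range(8):
        cid = f"a{i}"
        events.append((0.0, "10.0.0.66", cid, b"GET / HTTP/1.1\r\n"))
        for k in range(1, 7):
            events.append((10.0 * k, "10.0.0.66", cid, f"X-a: {k}\r\n".encode()))
    events.sort(key=lambda e: e[0])
    return events


def run_detection(now=60.0):
    """Run the detector over the sample at observation time `now`."""
    conns = ingest(build_sample_events())
    flagged = flag_slow_connections(conns, now)
    return flagged, alert_sources(conns, flagged)


if __name__ == "__main__":
    flagged, alerts = run_detection()
    print("suspicious connections:", flagged)   # the eight attacker connections
    print("alerting sources:", alerts)          # {'10.0.0.66': 8}
```

The detector deliberately keys on the two properties that distinguish a Slow HTTP attack from a slow but legitimate client: the header block never terminates, and the data arrives in many tiny segments. Observing the same sample at 20 seconds instead of 60 flags nothing, which illustrates why the observation window and thresholds matter as much as the rule logic when evaluating an IDS against this attack class.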
