Evasion techniques: Sneaking through your intrusion detection/prevention systems

Tsung Huan Cheng, Ying-Dar Lin, Yuan Cheng Lai, Po Ching Lin

Research output: Contribution to journalArticlepeer-review

36 Scopus citations


Detecting attacks disguised by evasion techniques is a challenge for signature-based Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs). This study examines five common evasion techniques to determine their ability to evade recent systems. The denial-of-service (DoS) attack attempts to disable a system by exhausting its resources. Packet splitting tries to chop data into small packets, so that a system may not completely reassemble the packets for signature matching. Duplicate insertion can mislead a system if the system and the target host discard different TCP/IP packets with a duplicate offset or sequence. Payload mutation fools a system with a mutative payload. Shellcode mutation transforms an attacker's shellcode to escape signature detection. This study assesses the effectiveness of these techniques on three recent signature-based systems, and among them, explains why Snort can be evaded. The results indicate that duplicate insertion becomes less effective on recent systems, but packet splitting, payload mutation and shellcode mutation can be still effective against them.

Original languageEnglish
Article number6042389
Pages (from-to)1011-1020
Number of pages10
JournalIEEE Communications Surveys and Tutorials
Issue number4
StatePublished - 1 Jan 2012


  • Attacks
  • Evasion
  • Signature

Fingerprint Dive into the research topics of 'Evasion techniques: Sneaking through your intrusion detection/prevention systems'. Together they form a unique fingerprint.

Cite this