Mucus

Traffic Generator for IDS Stimulation

Description

Signature-based intrusion detection systems use a set of attack descriptions to analyze event streams, looking for evidence of malicious behavior. If the signatures are expressed in a well-defined language, it is possible to analyze the attack signatures and automatically generate events or series of events that conform to the attack descriptions. This approach has been used in tools whose goal is to force intrusion detection systems to generate a large number of detection alerts. The resulting "alert storm" is used to desensitize intrusion detection system administrators and hide attacks in the event stream. We apply a similar technique to perform testing of intrusion detection systems. Signatures from one intrusion detection system are used as input to an event stream generator that produces randomized synthetic events that match the input signatures. The resulting event stream is then fed to a number of different intrusion detection systems and the results are analyzed.

Mucus-1 is the first prototype of the Mucus traffic generation tool. It is designed to test network IDSs against traffic that matches Snort rules: each rule is parsed, and packets whose header fields and payload satisfy the rule are synthesized and sent. Source code and a Linux binary of Mucus-1 are available for download below.
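The following is an added illustration of the signature-to-event idea, not Mucus's own code: it parses a constructed, simplified Snort rule (header fields plus `content:` options), synthesizes a randomized event that satisfies it, and checks the event against the rule. Real Snort rules also carry modifiers (`offset`, `depth`, `distance`, `within`, `pcre`, `flow`, TCP flags) that this toy parser ignores.

```python
import random
import re

# Constructed sample rule for the demo (not a real Snort rule or a Mucus input).
SAMPLE_RULE = (
    'alert tcp any any -> 10.0.0.0/8 80 '
    '(msg:"Constructed test rule"; content:"GET "; content:"/cgi-bin/"; sid:1000001;)'
)

# Simplified header grammar: action proto src sport -> dst dport (options)
RULE_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def parse_rule(rule):
    """Extract header fields and the ordered list of content strings."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax")
    action, proto, src, sport, dst, dport, opts = m.groups()
    contents = re.findall(r'content:"([^"]*)"', opts)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "contents": contents}

def random_port(spec, rng):
    """'any' becomes a random ephemeral port; a literal port is kept as-is."""
    return rng.randint(1024, 65535) if spec == "any" else int(spec)

def synth_payload(contents, rng, max_filler=24):
    """Random printable filler with every content string embedded in rule order."""
    chunks = []
    for c in contents:
        chunks.append(bytes(rng.randrange(0x20, 0x7f) for _ in range(rng.randint(0, max_filler))))
        chunks.append(c.encode())
    chunks.append(bytes(rng.randrange(0x20, 0x7f) for _ in range(rng.randint(0, max_filler))))
    return b"".join(chunks)

def generate_event(rule, seed=None):
    """Produce one synthetic event (ports + payload) that should fire the rule."""
    rng = random.Random(seed)
    r = parse_rule(rule)
    return {"proto": r["proto"], "sport": random_port(r["sport"], rng),
            "dport": random_port(r["dport"], rng), "payload": synth_payload(r["contents"], rng)}

def matches(rule, event):
    """Minimal matcher: destination port and ordered substring presence of each content."""
    r = parse_rule(rule)
    if r["proto"] != event["proto"]:
        return False
    if r["dport"] != "any" and event["dport"] != int(r["dport"]):
        return False
    pos = 0
    for c in r["contents"]:
        pos = event["payload"].find(c.encode(), pos)
        if pos < 0:
            return False
        pos += len(c)
    return True
```

Feeding such generated events to several IDSs and comparing which ones alert is the comparison the project describes; the matcher here only checks that the generator's output is consistent with the rule it was derived from.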

Publications

People

Acknowledgments

This research was supported by the State of California; by the Army Research Office under agreement DAAD19-01-1-0484; and by the Defense Advanced Research Projects Agency (DARPA) and Rome Laboratory, Air Force Materiel Command, USAF, under agreement number F30602-97-1-0207.