Before the advent of intrusion detection systems (IDS) and intrusion prevention systems (IPS), firewalls served as the primary technology to help organizations block unwanted traffic. With application-layer protocols lacking detection, attackers were able to disguise malicious traffic and remotely exploit applications. To stop these kinds of attacks, the security industry created IPS\/IDS technologies to detect these attacks and block connections before any exploitation could occur.<\/p>\n
Since the introduction of IPS, attackers have tried to find new ways to evade detections by these systems. One technique is fragmentation: The data that is normally sent in the channel is fragmented and is reconstructed only at the receiver’s end. It is possible to add the malicious traffic as part of the data that gets fragmented. When the data is reconstructed at the receiver, it can exploit the targeted application. Such fragmentation techniques could be applied in various protocols of the application layer.<\/p>\n
The focus of IPS vendors recently is to address these issues and also stay ahead of attackers in spite of their obfuscation techniques. These evasions continued to evolve as attackers attacked application-layer protocols. By parsing client application-layer data, IPS can identify any payload that is injected and reduce the number of attacks.<\/p>\n
The high number of attacks that the security industry has witnessed in the last few years shows the sophistication involved in writing the exploit code (malware, malicious scripts). Attackers reverse-engineer the workings of IPS detection mechanisms and develop attacks that fully understand the security application, and that take advantage of its features. Evasion has become a key strategy for attackers to avoid detection.<\/p>\n