nerdexam
EC-Council

312-50V10 · Question #121

Sam is working as s pen-tester in an organization in Houston. He performs penetration testing on IDS in order to find the different ways an attacker uses to evade the IDS. Sam sends a large amount of

The correct answer is B. False Positive Generation. Sam is flooding the IDS with fake alert-generating traffic to bury real attack traffic in noise, a technique called False Positive Generation.

Evading IDS, Firewalls, and Honeypots

Question

Sam is working as s pen-tester in an organization in Houston. He performs penetration testing on IDS in order to find the different ways an attacker uses to evade the IDS. Sam sends a large amount of packets to the target IDS that generates alerts, which enable Sam to hide the real traffic. What type of method is Sam using to evade IDS?

Options

  • ADenial-of-Service
  • BFalse Positive Generation
  • CInsertion Attack
  • DObfuscating

How the community answered

(28 responses)
  • A
    11% (3)
  • B
    75% (21)
  • C
    4% (1)
  • D
    11% (3)

Why each option

Sam is flooding the IDS with fake alert-generating traffic to bury real attack traffic in noise, a technique called False Positive Generation.

ADenial-of-Service

Denial-of-Service aims to exhaust resources and make a service unavailable to legitimate users, not to camouflage attack traffic inside a flood of IDS alerts.

BFalse Positive GenerationCorrect

False Positive Generation is the deliberate flooding of an IDS with high volumes of traffic engineered to trigger numerous alerts, creating so much noise that analysts cannot distinguish genuine malicious activity from the fake alerts. By overwhelming the IDS alert queue, the attacker effectively hides real intrusion traffic within the flood. This technique exploits analyst alert fatigue and IDS throughput limits rather than bypassing detection logic directly.

CInsertion Attack

An Insertion Attack crafts packets that the IDS accepts and reassembles into a stream, but the target host rejects, causing the IDS to analyze different data than the host actually processes.

DObfuscating

Obfuscation involves encoding, encrypting, or fragmenting payload content so the IDS cannot match known malicious signatures, rather than hiding traffic inside a volume of alerts.

Concept tested: IDS evasion via false positive generation flooding

Source: https://www.nist.gov/publications/intrusion-detection-systems

Topics

#IDS evasion#false positive generation#packet flooding#traffic obfuscation

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice