312-50V11 · Question #121
Sam is working as s pen-tester in an organization in Houston. He performs penetration testing on IDS in order to find the different ways an attacker uses to evade the IDS. Sam sends a large amount of
The correct answer is B. False Positive Generation. False positive generation is an IDS evasion technique where an attacker floods the IDS with large volumes of benign or crafted packets to trigger numerous alerts, burying the real malicious traffic in noise.
Question
Sam is working as s pen-tester in an organization in Houston. He performs penetration testing on IDS in order to find the different ways an attacker uses to evade the IDS. Sam sends a large amount of packets to the target IDS that generates alerts, which enable Sam to hide the real traffic. What type of method is Sam using to evade IDS?
Options
- ADenial-of-Service
- BFalse Positive Generation
- CInsertion Attack
- DObfuscating
How the community answered
(19 responses)- A5% (1)
- B68% (13)
- C21% (4)
- D5% (1)
Why each option
False positive generation is an IDS evasion technique where an attacker floods the IDS with large volumes of benign or crafted packets to trigger numerous alerts, burying the real malicious traffic in noise.
A Denial-of-Service attack is aimed at making a target service unavailable to legitimate users, not at concealing traffic from an IDS through alert flooding.
By deliberately generating a high volume of packets that trigger IDS alerts, Sam overwhelms security analysts and automated systems with false alarms. This alert fatigue or noise flood effectively masks the real attack traffic, as the genuine malicious packets are hidden among hundreds or thousands of false positive events that analysts cannot realistically triage in real time.
An insertion attack exploits a discrepancy between packets the IDS accepts and packets the end host accepts, confusing the IDS about the actual byte stream rather than burying it in alerts.
Obfuscation involves encoding, encrypting, or transforming malicious payloads so the IDS signature engine cannot recognize them, which is distinct from flooding the IDS with alert-generating traffic.
Concept tested: IDS evasion via false positive alert flooding
Source: https://www.sans.org/white-papers/337/
Topics
Community Discussion
No community discussion yet for this question.