- Training
- Training Live Events
- Training Without Travel
- SANS Courses
- Certified Instructors
- Career Roadmap
- Training Calendars
- SANS @Home
- SANS OnDemand
- Community SANS
- SANS Mentor Program
- SANS Onsite
- SANS SelfStudy
- SANS Partnership Series
- SANS Workshop Series
- Webcasts
- Work Study
- Events Archive
- DoD 8570
- Voucher Credit Program
- group discounts
- Certification
- Resources
- Vendor
- Portal
- Storm Center
- College
- Developer
- About
the most trusted source for computer security training, certification and research
Assumptions in Intrusion Detection - Blind Spots in Analysis
- Abstract
- This paper examines one of the common assumptions made as an intrusion analyst looking at network packet captures and explores the possible avenues which could determine that the assumption may not be as trustworthy as has been previously assumed. This paper attempts to guide the analyst by providing a detailed analysis of the TCP/IP standards stack with particular focus on the communication that exists between layers of the stack. As will be shown in this paper, the communication, or lack of communication, provide the possibility of exploitation at various levels as data passes between layers in the standards stack