SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

Overlapping IP fragments can be used by attackers to hide their intentions from intrusion detection systems and analysts. When fragments overlap, an operating system decides which copy of the overlapping bytes to keep based on either the fragments' positions in the datagram or their order of arrival, so the same set of fragments may be reassembled in one of five different ways. If the IDS or the analyst does not reassemble the packets the same way the target host does, an attack may succeed and go undetected. Some intrusion detection systems have techniques for dealing with these attacks, but few tools let the analyst look inside the reassembly process and try to understand the attacker's intent. This paper explores how an analyst can use Scapy to reassemble fragmented attack packets the way Linux, Windows, Macintosh, Cisco routers and other operating systems would, to see how each operating system would interpret the fragments.
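The "five different ways" the abstract refers to, as an added example that is not part of the paper and does not use Scapy: a pure-Python model of the five reassembly policies named in the literature (Shankar and Paxson's Active Mapping work and Novak's target-based reassembly paper): First, Last, BSD, BSD-right and Linux. The rule encodings, the function and variable names and the six-fragment train are assumptions of this example, and which real stack follows which rule is deliberately not hard-coded: that mapping has to be measured against the target host, which is the point of the paper. Offsets are byte offsets (the header's 8-byte units already multiplied out), and each byte of the constructed fragments is labelled with its fragment number so the winner of every overlap is visible in the output.

```python
"""Model of the five IP fragment reassembly policies (First, Last, BSD,
BSD-right, Linux). Example code; not from the paper above and not Scapy.
Rule encodings are this example's reading of the literature, verify them
against the stack you care about before relying on them."""

# Each rule answers one question: does the fragment already in the buffer
# keep the overlapping bytes?  old_off is the CURRENT offset of the buffered
# run (kernels advance a fragment's offset when they trim its front), new_off
# is the offset of the arriving fragment.
POLICIES = {
    "first":     lambda old_off, new_off: True,               # original always wins
    "last":      lambda old_off, new_off: False,              # newest always wins
    "bsd":       lambda old_off, new_off: old_off <= new_off, # leftmost wins, tie -> original
    "linux":     lambda old_off, new_off: old_off < new_off,  # leftmost wins, tie -> newest
    "bsd-right": lambda old_off, new_off: old_off > new_off,  # rightmost wins, tie -> newest
}

NEW = -1  # temporary owner id for the fragment being inserted


def _recompute_runs(buf):
    """Re-derive fragment records from byte ownership. A run is a maximal
    stretch of consecutive bytes owned by the same fragment, so a fragment
    whose front was trimmed, or that was split, gets a new start offset just
    as a kernel adjusts the offset of a trimmed fragment. Returns run id ->
    start offset and renumbers buf in place."""
    run_start, prev_i, prev_owner, run_id = {}, None, None, 0
    for i in sorted(buf):
        value, owner = buf[i]
        if prev_i is None or i != prev_i + 1 or owner != prev_owner:
            run_id += 1
            run_start[run_id] = i
        buf[i] = (value, run_id)
        prev_i, prev_owner = i, owner
    return run_start


def reassemble(fragments, policy):
    """fragments: iterable of (offset, data, more_fragments) in ARRIVAL order.
    Returns the reassembled payload under `policy`, or None if the datagram
    is incomplete (no MF=0 fragment, or a hole before its end)."""
    keep_original = POLICIES[policy]
    buf, run_start, total_len = {}, {}, None   # buf: byte index -> (value, run id)
    for offset, data, more in fragments:
        if not more:
            total_len = offset + len(data)      # MF=0 fragment fixes the datagram length
        for i, value in enumerate(data, start=offset):
            if i in buf and keep_original(run_start[buf[i][1]], offset):
                continue                        # buffered fragment keeps this byte
            buf[i] = (value, NEW)
        run_start = _recompute_runs(buf)
    if total_len is None or any(i not in buf for i in range(total_len)):
        return None
    return bytes(buf[i][0] for i in range(total_len))


# Constructed evasion-style fragment train (not from a capture). Arrival
# order is list order; fragment 3 re-sends offset 8, fragment 6 (MF=0)
# overwrites the middle, so every policy yields a different datagram.
SAMPLE_FRAGMENTS = [
    (0,  b"1" * 16, True),
    (8,  b"2" * 16, True),
    (8,  b"3" * 8,  True),
    (24, b"4" * 16, True),
    (32, b"5" * 8,  True),
    (16, b"6" * 32, False),   # datagram ends at byte 48
]


def reassemble_all(fragments=SAMPLE_FRAGMENTS):
    """What each reassembly policy would hand to the application."""
    return {name: reassemble(fragments, name) for name in POLICIES}


if __name__ == "__main__":
    for name, payload in reassemble_all().items():
        print(f"{name:>9}: {payload.decode()}")
```

Run it and compare the five lines: an IDS that reassembles with, say, the BSD rule sees bytes the Windows-style First rule never delivers, which is exactly the gap an attacker exploits. To audit a real host, send it a train like SAMPLE_FRAGMENTS, observe what the application receives, and pick (or add) the rule that reproduces it rather than trusting a published OS-to-policy table.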
Mark Baggett has revolutionized cybersecurity through his leadership at SANS. His development of tools like Freq Server has strengthened threat detection, while his work in automation has empowered professionals to defend against evolving threats.