Evaluation of the Diagnostic Capabilities of Commercial Intrusion Detection Systems

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2002)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2516)

Abstract

This paper describes a testing environment for commercial intrusion-detection systems, shows the results of an actual test run and presents a number of conclusions drawn from the tests. Our test environment currently focuses on IP denial-of-service attacks, Trojan horse traffic and HTTP traffic. The paper takes the point of view of an analyst receiving alerts sent by intrusion-detection systems and examines the quality of the diagnostic provided. While the analysis of the test results does not solely target this point of view, we feel that diagnostic accuracy is extremely relevant to the actual success and usability of intrusion-detection technology. The tests show that the diagnostic proposed by commercial intrusion-detection systems sorely lacks precision and accuracy: the systems cannot diagnose the multiple facets of the security issues occurring on the test network. In particular, while they are sometimes able to extract multiple pieces of information from a single malicious event, the alerts reported are not related to one another in any way, thus losing significant background information for an analyst. The paper therefore proposes a solution for improving current intrusion-detection probes to enhance the diagnostic provided in the case of an alert, and for qualifying alerts in relation to the intent of the attacker as perceived from the information acquired during analysis.
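The loss of context described in the abstract is easy to see on a small constructed input. The following Python is an added illustration, not code from the paper or from any of the tested products: it shows a single HTTP request tripping two signatures that a probe would report as independent alerts, next to a minimal correlator that groups alerts sharing a source, destination and port within a short time window into one incident. The signature names, probe name, addresses, timestamps and the two-second window are all assumptions chosen for the example; the paper's own proposal concerns improving the probes themselves and qualifying alerts by perceived attacker intent, which this example does not attempt.

```python
# Added illustration (not the paper's code): how one malicious HTTP request
# surfaces as several unrelated alerts, and a minimal correlator that groups
# them by (source, destination, port) and time window so an analyst sees one
# incident carrying all of its facets. Names and addresses are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Alert:
    ts: float        # seconds since epoch (constructed values below)
    sensor: str      # hypothetical probe name
    signature: str   # constructed signature name, not a vendor's
    src: str
    dst: str
    dport: int


@dataclass
class Incident:
    src: str
    dst: str
    dport: int
    first_ts: float
    last_ts: float
    alerts: List[Alert] = field(default_factory=list)

    def signatures(self) -> List[str]:
        """Distinct signatures seen in this incident, sorted for stable output."""
        return sorted({a.signature for a in self.alerts})

    def summary(self) -> str:
        """One analyst-facing line that keeps every facet of the event together."""
        return (f"{self.src} -> {self.dst}:{self.dport} "
                f"[{self.first_ts:.1f}-{self.last_ts:.1f}] "
                f"{len(self.alerts)} alerts: " + ", ".join(self.signatures()))


def correlate(alerts: List[Alert], window: float = 2.0) -> List[Incident]:
    """Group alerts sharing (src, dst, dport) whose timestamps fall within
    `window` seconds of the previous alert in the group into one Incident.
    An alert outside the window closes the group and opens a new incident
    for the same key. The key and window are assumptions for this example."""
    open_incidents: Dict[Tuple[str, str, int], Incident] = {}
    closed: List[Incident] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.src, a.dst, a.dport)
        inc = open_incidents.get(key)
        if inc is not None and a.ts - inc.last_ts <= window:
            inc.alerts.append(a)
            inc.last_ts = a.ts
        else:
            if inc is not None:
                closed.append(inc)
            open_incidents[key] = Incident(a.src, a.dst, a.dport, a.ts, a.ts, [a])
    closed.extend(open_incidents.values())
    closed.sort(key=lambda i: i.first_ts)
    return closed


def uncorrelated_view(alerts: List[Alert]) -> List[str]:
    """What the analyst sees when each alert is reported on its own."""
    return [f"{a.ts:.1f} {a.sensor} {a.signature} {a.src}->{a.dst}:{a.dport}"
            for a in sorted(alerts, key=lambda x: x.ts)]


# Constructed sample: one request from 10.0.0.5 with a %u-encoded traversal
# path trips two signatures on the same probe; a second host trips one; the
# first host returns 30 s later, outside the window, so it is a new incident.
SAMPLE_ALERTS = [
    Alert(100.0, "probe-A", "HTTP %u-encoded URI", "10.0.0.5", "192.0.2.10", 80),
    Alert(100.1, "probe-A", "HTTP directory traversal", "10.0.0.5", "192.0.2.10", 80),
    Alert(100.3, "probe-A", "HTTP directory traversal", "10.0.0.7", "192.0.2.10", 80),
    Alert(130.0, "probe-A", "HTTP %u-encoded URI", "10.0.0.5", "192.0.2.10", 80),
]


if __name__ == "__main__":
    print("independent alerts:")
    for line in uncorrelated_view(SAMPLE_ALERTS):
        print("  " + line)
    print("correlated incidents:")
    for inc in correlate(SAMPLE_ALERTS):
        print("  " + inc.summary())
```

Running the block prints four independent alert lines, then three incidents; the first incident carries both signatures from the same request, which is exactly the relationship the abstract says the tested products did not express. A real correlator would also need to handle alerts from several probes with unsynchronised clocks and to decide which facets (encoding anomaly, traversal attempt, target application) are worth reporting together; this example keys only on addresses and time.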



Copyright information

© 2002 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Debar, H., Morin, B. (2002). Evaluation of the Diagnostic Capabilities of Commercial Intrusion Detection Systems. In: Wespi, A., Vigna, G., Deri, L. (eds) Recent Advances in Intrusion Detection. RAID 2002. Lecture Notes in Computer Science, vol 2516. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36084-0_10

  • DOI: https://doi.org/10.1007/3-540-36084-0_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-00020-4

  • Online ISBN: 978-3-540-36084-1
