Using Rule-Based Activity Descriptions to Evaluate Intrusion-Detection Systems

After more than a decade of development, many commercial and non-commercial intrusion-detection systems (IDSes) are now available. However, they tend to generate false alarms at high rates while overlooking real attacks. The results described in this paper were obtained in the context of work that aims to identify means of supporting the analysis, evaluation, and design of large-scale intrusion-detection architectures. We propose a practical method for evaluating IDSes and identifying their strengths and weaknesses. Unlike existing approaches, which evaluate a particular implementation (for example by replaying a fixed corpus of attacks against it), our approach evaluates an IDS in terms of its detection capabilities: which classes of activity it can, in principle, describe and therefore detect. We further show how the knowledge obtained in this way can be used to analyze and evaluate an IDS.
