One Size Fits None: The Importance of Detector Parameterization

The parameterization of an administrator's intrusion detection system (IDS) is as crucial as the IDS itself: the difference between sufficient and insufficient parameterization can be the difference between a detected and an undetected attack. This work focuses on identifying a methodical process for IDS parameterization. Such a process gives IDS administrators the know-how to select suitable parameters for the effective operation of their detector, and it stresses the importance of tuning parameters for each individual application. Parameterization experiments are carried out on two different open source IDSs, namely Stide and pH, and tested against three real-world vulnerabilities. The results highlight the trends observed during the experiments.
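Added example (not code from the paper, nor from the Stide or pH projects): a minimal stide-style sequence detector built from the published algorithm (a sliding window of k system calls and a database of windows seen in normal traces), run on constructed traces to show the paper's point that the window-size parameter alone decides whether a foreign sequence is flagged. The traces and call names are constructed for illustration.

```python
def train_normal(traces, k):
    """Build the stide 'normal' database: the set of every length-k window
    (sliding, stride 1) that occurs in the training traces."""
    normal = set()
    for trace in traces:
        for i in range(len(trace) - k + 1):
            normal.add(tuple(trace[i:i + k]))
    return normal


def count_mismatches(trace, normal, k):
    """Return (mismatches, windows): how many length-k windows of the monitored
    trace are absent from the normal database, and how many windows were examined."""
    windows = [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]
    return sum(1 for w in windows if w not in normal), len(windows)


def sweep_window_sizes(training, monitored, ks):
    """Retrain and rescore for each candidate window size; returns {k: mismatches}."""
    return {k: count_mismatches(monitored, train_normal(training, k), k)[0] for k in ks}


# Constructed system-call traces standing in for a program's normal behaviour.
TRAINING = [
    ["open", "read", "write", "close"],
    ["open", "mmap", "read", "close"],
    ["read", "mmap", "write", "close"],
]

# Constructed anomalous trace: every adjacent pair occurs somewhere in TRAINING,
# but the triple open -> read -> mmap never does, so k=2 is blind to it.
ANOMALOUS = ["open", "read", "mmap", "write", "close"]

if __name__ == "__main__":
    for k, m in sweep_window_sizes(TRAINING, ANOMALOUS, [2, 3, 4]).items():
        print(f"k={k}: {m} mismatched window(s)")  # k=2: 0, k=3: 1, k=4: 1
```

A deployment would compare the mismatch count against a per-application threshold, which is a second parameter the same sweep can be extended to explore.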