An overview of issues in testing intrusion detection systems

Mell, Peter; Lippmann, Richard P.; Hu, Chung Tong; Haines, J.W.; Zissman, Marc A.

doi:10.6028/nist.ir.7007

Cited by 111 publications

(81 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The rule set used for the experiments consisted of only the TCP rules among the VRT Certified Rules for Snort version 2.7. As Allen points out in [14] and Mell states in [15], successful development and testing of IDSes' performance requires robust and accurate training data.…”

Section: Methodsmentioning

confidence: 99%

Reducing Payload Inspection Cost Using Rule Classification for Fast Attack Signature Matching

Kim¹,

Lee²

2009

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARYNetwork intrusion detection systems rely on a signaturebased detection engine. When under attack or during heavy traffic, the detection engines need to make a fast decision whether a packet or a sequence of packets is normal or malicious. However, if packets have a heavy payload or the system has a great deal of attack patterns, the high cost of payload inspection severely diminishes detection performance. Therefore, it would be better to avoid unnecessary payload scans by checking the protocol fields in the packet header, before executing their heavy operations of payload inspection. When payload inspection is necessary, it is better to compare a minimum number of attack patterns. In this paper, we propose new methods to classify attack signatures and make pre-computed multipattern groups. Based on IDS rule analysis, we grouped the signatures of attack rules by a multi-dimensional classification method adapted to a simplified address flow. The proposed methods reduce unnecessary payload scans and make light pattern groups to be checked. While performance improvements are dependent on a given networking environment, the experimental results with the DARPA data set and university traffic show that the proposed methods outperform the most recent Snort by up to 33%.

show abstract

Section: Methodsmentioning

confidence: 99%

Reducing Payload Inspection Cost Using Rule Classification for Fast Attack Signature Matching

Kim¹,

Lee²

2009

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

show abstract

“…We made use of a publicly available labelled dataset simply to avoid the problems described in [47] with recorded traffic from the real environment. Both datasets are available online and have been comprehensively used as a standard benchmark by many researchers in this field, for example, by [6,15,16,48].…”

Section: Dataset Descriptionmentioning

confidence: 99%

A New Unified Intrusion Anomaly Detection in Identifying Unseen Web Attacks

Kamarudin

Maple

Watson

et al. 2017

Security and Communication Networks

View full text Add to dashboard Cite

The global usage of more sophisticated web-based application systems is obviously growing very rapidly. Major usage includes the storing and transporting of sensitive data over the Internet. The growth has consequently opened up a serious need for more secured network and application security protection devices. Security experts normally equip their databases with a large number of signatures to help in the detection of known web-based threats. In reality, it is almost impossible to keep updating the database with the newly identified web vulnerabilities. As such, new attacks are invisible. This research presents a novel approach of Intrusion Detection System (IDS) in detecting unknown attacks on web servers using the Unified Intrusion Anomaly Detection (UIAD) approach. The unified approach consists of three components (preprocessing, statistical analysis, and classification). Initially, the process starts with the removal of irrelevant and redundant features using a novel hybrid feature selection method. Thereafter, the process continues with the application of a statistical approach to identifying traffic abnormality. We performed Relative Percentage Ratio (RPR) coupled with Euclidean Distance Analysis (EDA) and the Chebyshev Inequality Theorem (CIT) to calculate the normality score and generate a finest threshold. Finally, Logitboost (LB) is employed alongside Random Forest (RF) as a weak classifier, with the aim of minimising the final false alarm rate. The experiment has demonstrated that our approach has successfully identified unknown attacks with greater than a 95% detection rate and less than a 1% false alarm rate for both the DARPA 1999 and the ISCX 2012 datasets.

show abstract

“…Mell et al [17] studied past evaluation efforts and listed a number of problems related to nIDS evaluation. The use of sanitized traffic, the effect of background traffic and the difficulties in generating traffic on a testbed network are some of the problems spotted.…”

Section: Previous Work In Nids Evaluationmentioning

confidence: 99%

Generating realistic workloads for network intrusion detection systems

Antonatos

Anagnostakis

Markatos

2004

Proceedings of the 4th International Workshop on Software and Performance

View full text Add to dashboard Cite

While the use of network intrusion detection systems (nIDS) is becoming pervasive, evaluating nIDS performance has been found to be challenging. The goal of this study is to determine how to generate realistic workloads for nIDS performance evaluation. We develop a workload model that appears to provide reasonably accurate estimates compared to real workloads. The model attempts to emulate a traffic mix of different applications, reflecting characteristics of each application and the way these interact with the system. We have implemented this model as part of a traffic generator that can be extended and tuned to reflect the needs of different scenarios. We also present an approach to measuring the capacity of a nIDS that does not require the setup of a full network testbed.

show abstract

An overview of issues in testing intrusion detection systems

Cited by 111 publications

References 15 publications

Reducing Payload Inspection Cost Using Rule Classification for Fast Attack Signature Matching

Reducing Payload Inspection Cost Using Rule Classification for Fast Attack Signature Matching

A New Unified Intrusion Anomaly Detection in Identifying Unseen Web Attacks

Generating realistic workloads for network intrusion detection systems

Contact Info

Product

Resources

About