2002
DOI: 10.1007/3-540-36084-0_10
Evaluation of the Diagnostic Capabilities of Commercial Intrusion Detection Systems

Abstract: This paper describes a testing environment for commercial intrusion-detection systems, shows results of an actual test run and presents a number of conclusions drawn from the tests. Our test environment currently focuses on IP denial-of-service attacks, Trojan horse traffic and HTTP traffic. The paper focuses on the point of view of an analyst receiving alerts sent by intrusion-detection systems and the quality of the diagnostic provided. While the analysis of test results does not solely target this point of…

Cited by 22 publications (18 citation statements)
References 6 publications

Citation statements:
“…[3] reports about 10.000 false alarms per month for the use of commercial intrusion detection systems. Other evaluations [2], [5], confirm this experience. Small false positive rates are an important presumption for the acceptance of misuse detection systems in practice.…”
Section: On the Derivation of Signatures (supporting)
confidence: 73%
“…(1) to transfer the attacked system into a vulnerable state, (2) to exploit the vulnerability to intrude into the system, and (3) to access the compromised system and/or to change its system data. (This is the proper objective of the attack.…”
Section: On the Derivation of Signatures (mentioning)
confidence: 99%
“…By design, Bro reports all matching signatures, but each one only once per connection. This is similar to the approach suggested in [10]. Snort, on the other hand, reports the first matching signature for each packet, independently of the connection it belongs to.…”
Section: Performance Evaluation (mentioning)
confidence: 88%
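The two reporting policies contrasted in the citation above (every matching signature reported, but once per connection, versus only the first matching signature per packet with no connection state) change what an analyst actually sees in the alert stream. The following is an added illustration written for this page, not code from Bro, Snort, or the cited papers: the three signatures, the regexes behind them, and the five-packet sample trace are all constructed, and connection identity is reduced to a label standing in for the 5-tuple.

```python
"""Toy model of two NIDS alert-reporting policies (constructed example).

Policy 1 (per-connection, all signatures): each (connection, signature)
pair is reported at most once, but every matching signature is reported.
Policy 2 (first match per packet): only the first signature that matches
a packet is reported, and repeats on the same connection alert again.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    conn: str      # hypothetical connection label standing in for the 5-tuple
    payload: str   # application-layer bytes as text


# Hypothetical signature set: name -> regex over the payload.
# Order matters for the first-match policy (dicts preserve insertion order).
SIGNATURES = {
    "WEB-TRAVERSAL": re.compile(r"\.\./"),
    "WEB-CMD-EXEC": re.compile(r"/bin/sh"),
    "WEB-PASSWD": re.compile(r"/etc/passwd"),
}


def matching_signatures(pkt):
    """All signature names whose pattern occurs in the packet payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(pkt.payload)]


def report_all_once_per_connection(packets):
    """Policy 1: every match is reported, deduplicated per (connection, signature)."""
    seen = set()
    alerts = []
    for pkt in packets:
        for sig in matching_signatures(pkt):
            key = (pkt.conn, sig)
            if key not in seen:
                seen.add(key)
                alerts.append((pkt.conn, sig))
    return alerts


def report_first_per_packet(packets):
    """Policy 2: only the first matching signature per packet, no connection state."""
    alerts = []
    for pkt in packets:
        hits = matching_signatures(pkt)
        if hits:
            alerts.append((pkt.conn, hits[0]))
    return alerts


# Constructed trace: connection A repeats a traversal request (e.g. a
# retransmission) and then attempts command execution; B is benign first.
SAMPLE_TRACE = [
    Packet("A", "GET /../../etc/passwd HTTP/1.0"),        # traversal + passwd
    Packet("A", "GET /../../etc/passwd HTTP/1.0"),        # same request again
    Packet("A", "GET /cgi-bin/x?cmd=/bin/sh HTTP/1.0"),   # command execution
    Packet("B", "GET /index.html HTTP/1.0"),              # benign
    Packet("B", "GET /../../etc/passwd HTTP/1.0"),        # traversal + passwd
]

if __name__ == "__main__":
    print("per-connection, all signatures:")
    for conn, sig in report_all_once_per_connection(SAMPLE_TRACE):
        print(f"  {conn}: {sig}")
    print("first match per packet:")
    for conn, sig in report_first_per_packet(SAMPLE_TRACE):
        print(f"  {conn}: {sig}")
```

On this trace the per-connection policy yields five alerts and surfaces WEB-PASSWD for both connections, while the first-match policy yields four alerts, re-reports the repeated traversal on A, and never reports WEB-PASSWD at all because WEB-TRAVERSAL always matches first. That is precisely the kind of context loss the analyst-centred evaluation in this paper is concerned with: the count and the content of the alerts depend on the reporting policy as much as on the signatures.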
“…[14] further extends the evaluation method by providing a user-friendly environment on the one hand, and new characterizations of attack traffic on the other hand. More recently, [10] evaluates several commercial systems, emphasizing the view of an analyst who receives the alerts, finding that these systems ignore relevant information about the context of the alerts. [15] discusses developing a benchmark for NIDSs, measuring their capacity with a representative traffic mix.…”
Section: Related Work (mentioning)
confidence: 99%
“…Apart from testing data sets, some methodologies [4,43], frameworks [23,24] and tools [34,42] for assessing IDSs have also been proposed up to now. Additionally, comparative studies on commercial IDSs have been presented, mainly in network journals.…”
Section: Introduction (mentioning)
confidence: 99%