Intrusion detection
Abstract
This paper describes a testing environment for commercial intrusion-detection systems, shows results of an actual test run and presents a number of conclusions drawn from the tests. Our test environment currently focuses on IP denial-of-service attacks, Trojan horse traffic and HTTP traffic. The paper focuses on the point of view of an analyst receiving alerts sent by intrusion-detection systems. While the analysis of test results does not solely target this point of view, we feel that the diagnostic accuracy issue is extremely relevant for the actual success and usability of intrusion-detection technology. The tests show that the diagnostic proposed by commercial intrusion-detection systems sorely lacks in precision and accuracy, lacking the capability to diagnose the multiple facets of the security issues occurring on the test network. In particular, while they are sometimes able to extract multiple pieces of information from a single malicious activity, the alerts reported are not related to one another in any way, thus losing significant background information for an analyst. The paper therefore proposes a solution for improving current intrusion-detection probes to enhance the diagnostic provided in the case of an alert, and qualifying alerts in relation to the intent of the attacker as perceived from the information acquired during analysis.

Introduction

Since the seminal work by Denning in 1987 [7], many intrusion-detection prototypes have been created. Intrusion-detection systems have emerged in the computer security area because of the difficulty of ensuring that an information system will be free of security flaws. Commercial intrusion-detection systems have been available since 1995; however, their performance has not been scientifically studied. In early 2001, we decided to create a testing environment for commercial intrusion-detection systems, following a three-phase approach.

After a literature survey gathering information from vendors and the community about multiple intrusion-detection products, we selected a small number of them for internal testing and comparative evaluation. Early on, it became clear that the study should be restricted in scope to network-based commercial intrusion-detection products, with probe components available worldwide as a remotely manageable appliance. We finally deployed four commercial intrusion-detection systems on a testbed and carried out a comparative evaluation. Partial results from this evaluation are presented in the paper. The emphasis of this work is on ensuring that the benefit of deploying intrusion-detection technology is maximized by providing a detailed and accurate diagnostic of the malicious activity occurring on our networks. The objective is to ensure that operators with a good knowledge of their networks but little in-depth knowledge of vulnerabilities and intrusions can operate the probes, leaving only serious security breaches to trained analysts. Operational issues such as management of the probes, updates to software, signatures and configuration, and performance are recognized as extremely important, but were given second priority to the diagnostic accuracy issue.

Description of a test bed for comparative evaluation of intrusion-detection systems. It is shown that the benefit of the system is maximized when an accurate diagnostic of the malicious activity is provided. This leads to the proposal of an enhanced