Thursday, December 23, 2010

【 Weak current College 】 Testing and evaluation of intrusion detection systems (3)

6 The evaluation environment and test framework
It is rarely practical to test and evaluate an IDS on a live network: a live network is not under the tester's control, and its characteristics are too site-specific for the IDS to be measured accurately. A dedicated test network is therefore built. It consists of a set of defended hosts that simulate the running state of the protected systems, network load generators that simulate traffic within the intranet and between the intranet and the external network, attack simulators that play the role of an intruder, and the IDS under test. Because a real network can be very large, with many operating systems and many kinds of installed software and host servers, building a test environment that matches the real network configuration exactly is seldom feasible, so virtual hosts are generally used instead. Software tools or automated scripts simulate the behaviour of many hosts, so that a single physical host stands in for several virtual hosts, each appearing to run different hardware, a different operating system and different applications. The defended hosts should normally include the common operating systems (such as Windows, Linux and SunOS). The intranet load generator simulates internal traffic and internal attacks; the extranet load generator simulates external traffic (such as Web page access and file downloads) and external attacks. Building the test environment is a complex process, and the success of the evaluation depends directly on it.
7 Current status of IDS testing and evaluation, and open questions
Although IDS technology has made considerable progress, research on measuring IDS performance, and on the tools, standards and test environments for evaluating it, is still lacking. Puketza et al. set the precedent for IDS evaluation in 1994; the software platform they developed could run automated attack simulations. In 1998 Debar et al., in their research on experimental IDS testing, pointed out that simulating network traffic in the evaluation environment is often very complex and time-consuming. Lincoln Laboratory carried out two offline IDS evaluations, in 1998 and 1999, which are by far the most authoritative IDS assessments to date. On a carefully designed test network they simulated normal network traffic, ran a large number of attacks, and recorded the traffic, system logs, host file-system images and other data, which the participating IDSs then analysed offline. Evaluation reports were produced from the test results of each IDS. The United States Air Force Rome Laboratory currently performs real-time IDS evaluation. Rome Laboratory's real-time evaluation complements Lincoln Laboratory's offline evaluation: it treats the IDS as part of a complete existing network, and aims to test the IDS's ability to detect and respond to intrusions amid normal machine and network activity, and its impact on normal users. IBM's Zurich research laboratory has developed a suite of IDS evaluation tools. In addition, some hacker tools can also be used to evaluate an IDS.
Of the IDSs currently on the market and under development, each has its own detection method. There is no unified standard for the form in which attacks are described or for attack knowledge bases. This greatly increases the difficulty of IDS testing and evaluation, because it is hard to establish a common basis and a common set of test points.
The biggest problem in IDS testing and evaluation is that only known attacks can be tested. The test data are generated by simulation, and the simulated intruder can only use attacks that have already been published, while new attack methods remain unknown. As a result, even if the test finds no weakness in the IDS, this does not show that the IDS is complete. Attacks can, however, be selected by category so that the test cases cover as many different kinds of attack as possible, and the intrusion knowledge base can be updated continuously to keep up with new situations.
Furthermore, the data used to evaluate an IDS are public. If an IDS is designed around the test data, its test results will certainly be better, but this says nothing about how it performs in actual operation.
Analysing the evaluation results also raises many questions. Ideally the analysis would be performed automatically, but in practice this is very difficult. A real IDS evaluation contains both objective and subjective parts: the raw detection capability of the IDS, and the form in which it reports. The analyst must examine each false positive of the IDS to determine what caused it and whether, under the given test network conditions, it is reasonable. The scoring scheme is also crucial; if the scoring is unreasonable, the credibility of the evaluation results cannot be high. For example, if an IDS fails to detect an attack, or raises a false alarm on a normal behaviour, the same behaviour will produce the same result every time it recurs. The correct approach is to count it only once, but this is hard to manage; if the effect is counted repeatedly, the IDS's evaluation result will certainly look poor, whereas its overall results in penetration testing may actually be very good.
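To make the scoring points above concrete (covering attacks by category, and counting a recurring miss or false alarm only once), here is an added example scorer for an offline evaluation run; it is not part of the original article or of any evaluation described in it. The ground truth, the alert log, the category names and the (signature, source host, timestamp) alert format are all constructed for illustration.

```python
from collections import Counter

# Constructed ground truth for one offline run: each simulated attack instance,
# its category, the attacking host and the time window in which it ran.
GROUND_TRUTH = {
    "atk-1": {"category": "probe", "src": "10.0.0.5", "start": 100, "end": 110},
    "atk-2": {"category": "dos",   "src": "10.0.0.7", "start": 200, "end": 230},
    "atk-3": {"category": "r2l",   "src": "10.0.0.9", "start": 300, "end": 305},
}

# Constructed alert log from the IDS under test: (signature, source host, timestamp).
ALERTS = [
    ("port-sweep",    "10.0.0.5",  104),
    ("syn-flood",     "10.0.0.7",  210),
    ("syn-flood",     "10.0.0.7",  215),   # same attack, second alert
    ("ftp-bad-login", "10.0.0.42", 400),   # normal user mistyping a password
    ("ftp-bad-login", "10.0.0.42", 401),   # the same benign behaviour repeated
]

def match_alert(src, ts, ground_truth):
    """Return the id of the attack instance an alert falls inside, else None."""
    for aid, atk in ground_truth.items():
        if atk["src"] == src and atk["start"] <= ts <= atk["end"]:
            return aid
    return None

def score(ground_truth, alerts):
    """Score an IDS run: per-category detection and deduplicated false alarms."""
    detected = set()
    false_alarms = []
    for sig, src, ts in alerts:
        hit = match_alert(src, ts, ground_truth)
        if hit is not None:
            detected.add(hit)          # several alerts for one attack count once
        else:
            false_alarms.append((sig, src))
    # Per-category detection rate shows which kinds of attack the IDS misses.
    per_category = {}
    for aid, atk in ground_truth.items():
        total, hits = per_category.get(atk["category"], (0, 0))
        per_category[atk["category"]] = (total + 1, hits + (aid in detected))
    # A benign behaviour that recurs would otherwise be counted once per alert;
    # the deduplicated figure counts each (signature, source) pair only once.
    return {
        "detected": sorted(detected),
        "missed": sorted(set(ground_truth) - detected),
        "per_category": per_category,
        "false_alarms_raw": len(false_alarms),
        "false_alarms_unique": len(Counter(false_alarms)),
    }
```

Run with `score(GROUND_TRUTH, ALERTS)`: the r2l attack is missed, the two syn-flood alerts count as one detection, and the two ftp-bad-login alarms count as one false alarm rather than two.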
8 Summary
Intrusion detection is a young and rapidly developing technology, and the evaluation of IDSs has arrived correspondingly late. It certainly has many gaps and much that needs improving, and requires further research. The key problems include network traffic simulation, user behaviour simulation, construction of the attack signature library, implementation of the evaluation environment, and analysis of the evaluation results. In recent years, intrusion detection research and product development have advanced greatly, but the testing and evaluation of intrusion detection has received far less work. For various reasons, IDS vendors often exaggerate in their publicity, and users are often unclear about the real capabilities, so there is an urgent need to establish credible test and evaluation criteria, which would benefit developers and users alike.