Friday, April 8, 2011

College】 【weak intrusion detection system test and evaluation (1).

This paper first introduces the criteria for testing and evaluating IDS performance, then the methods and steps of testing and evaluation, and describes the specific indicators, the data sources required, and the configuration and framework of the test environment. Finally, it covers the current state of testing and evaluation and some of the problems that remain. With the widespread use of intrusion detection systems, the need to test and evaluate them has become more urgent. Developers hope that testing and evaluation will reveal deficiencies in their products, and users hope that it will help them choose a suitable intrusion detection product. Based on current research, this paper describes the criteria, indicators, methods and steps, data sources and environment configuration for testing and evaluating intrusion detection systems, together with the current state of testing and evaluation and some of the problems that remain.

1 Introduction

As security awareness gradually increases, intrusion detection systems (IDS) are used more and more widely, and the variety of IDSs is also growing. Can an IDS actually detect intrusions? Does it achieve its developers' design goals? What kind of IDS performs well enough to be the one users need? To answer these questions, IDSs must be tested and evaluated.

As with other products, once IDS development and deployment reach a certain stage, the need to test and evaluate IDSs is placed on the agenda. All parties hope for convenient tools and sound, scientific methods with which to test and evaluate IDSs impartially and credibly.
For IDS researchers and developers, regular evaluation of the various IDSs keeps them abreast of the state of the technology and of the systems' deficiencies, so that they can concentrate on the key technical problems, reduce those deficiencies and improve system performance. IDS users, who depend more and more on IDSs, likewise hope that evaluations will help them choose the product that fits their needs and keep them from being misled by IDS product publicity. Users' demand for testing and evaluation is especially urgent: most users may not understand IDSs in depth, and they want experts' evaluation results as the basis for their choice.

In general, testing and evaluating an IDS has the following benefits:

· It helps to better characterize the IDS. Testing and evaluation give a better understanding of the IDS's processing methods, the resources it needs and its environment; establish a baseline for comparing IDSs; and clarify the relationships among detection methods.
· It evaluates the performance of the IDS, determining the performance level of the IDS and its operating environment.
· Its results can be used to make predictions: to infer trends in IDS development, estimate risks, and plan the quality goals the IDS can achieve (e.g. reliability, availability, speed, accuracy), its cost and its development schedule.
· Its results can be used to improve the IDS: problems in the system are found and corrected, raising the system's performance indicators.

This paper first introduces the criteria for testing and evaluating IDS performance, then the methods and steps of testing and evaluation, followed by the specific indicators, the data sources required, and the configuration and framework of the test environment. Finally, it describes the current state of testing and evaluation and some of the problems that remain.

2 IDS performance testing and evaluation criteria

According to the research of Porras and others, three factors are used to evaluate IDS performance:

· Accuracy: the ability of the IDS to correctly identify intrusions among all kinds of behavior. When an IDS's detection is inaccurate, it may treat legitimate activity in the system as an intrusion and flag it as abnormal (a false alarm).
· Processing performance (Performance): the speed at which an IDS processes the data from its data source. Clearly, when processing performance is poor, the IDS cannot detect in real time and may become the bottleneck of the whole system, seriously affecting overall system performance.
· Completeness: the ability of the IDS to detect all attacks. If there is an attack that the IDS cannot detect, its detection is not complete. In other words, it treats intrusive activity against the system as normal behavior (a missed alarm). Because attack types and attack techniques change rapidly, it is hard to obtain knowledge of all attacks, so assessing the completeness of IDS detection is comparatively difficult.

On this basis, Debar and others added two further performance measures:

· Fault tolerance (Fault Tolerance): because the IDS is the primary means of detecting intrusions, it has become a prime target for many intruders.
The IDS must be able to withstand attacks against itself, especially denial-of-service (Denial-of-Service) attacks. Since most IDSs run on operating systems and hardware platforms that are themselves vulnerable to attack, fault tolerance is especially important and must be taken into account in IDS testing and evaluation.
· Timeliness: the IDS must analyze the data and propagate the results as quickly as possible, so that security managers can respond before the intrusion causes more damage and stop the intruder's further sabotage. Compared with the processing performance factor above, timeliness is more demanding. It requires not only that the IDS process data as fast as possible, but also that the time needed to communicate and react to detection results be as short as possible.

3 IDS testing and evaluation methods and steps

The performance indicators for IDS testing and evaluation were discussed above; concrete tests are mainly carried out against these indicators. Most testing follows these basic steps:

· Create or select test tools or test scripts. These scripts and tools are mainly used to generate simulated normal behavior and intrusions, that is, to simulate the environment in which the IDS actually runs.
· Determine the conditions required of the computing environment, such as the level of background computer activity.
· Configure and run the IDS.
· Run the test tools or test scripts.
· Analyze the IDS's test results.

Nicholas J. Puketza and others at the University of California divide the tests into three categories, corresponding to the performance indicators above: intrusion identification tests (which can also be called IDS effectiveness tests), resource usage tests and stress tests.
Intrusion identification tests measure the IDS's ability to distinguish normal behavior from intrusions; the main indicators measured are the detection rate and the false alarm rate. Resource usage tests (Resource Usage Tests) measure the IDS's consumption of system resources; the main factors considered are hard disk space and memory consumption. Stress tests mainly check whether the IDS's detection is affected when it runs under heavy load, including how the detection results hold up under heavy load and high-density traffic.
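
The following Python example is an addition, not part of the original article. It scores one intrusion identification test run against the labels produced by the test scripts, reporting detection rate, false alarm rate, undetected attack types (completeness) and alert delay (timeliness). The session ids, attack names, timestamps and the per-session definitions of the two rates are assumptions made for illustration.

```python
# Added example: score one IDS test run against labeled ground truth.
# All session ids, labels and timestamps below are constructed sample data.
from collections import defaultdict

# Ground truth from the test scripts: session id -> (label, start time in s).
# The label is "normal" or the name of the simulated attack.
GROUND_TRUTH = {
    "s1": ("normal", 0.0), "s2": ("portscan", 5.0),
    "s3": ("normal", 8.0), "s4": ("dos", 12.0),
    "s5": ("password-guess", 20.0), "s6": ("normal", 25.0),
    "s7": ("portscan", 30.0), "s8": ("normal", 41.0),
}

# Alerts emitted by the IDS under test: (session id, alert time in s).
ALERTS = [("s2", 5.4), ("s2", 6.0), ("s3", 8.2), ("s4", 14.5), ("s7", 30.9)]


def score_run(truth, alerts):
    # Keep the earliest alert per known session; repeated alerts count once.
    first_alert = {}
    for sid, t in alerts:
        if sid in truth and (sid not in first_alert or t < first_alert[sid]):
            first_alert[sid] = t

    attacks = {s for s, (label, _) in truth.items() if label != "normal"}
    normal = set(truth) - attacks
    detected = attacks & set(first_alert)      # attacks that raised an alert
    false_alarms = normal & set(first_alert)   # normal sessions flagged

    # Completeness: simulated attack types that were never detected.
    by_type = defaultdict(lambda: [0, 0])      # type -> [detected, total]
    for s in attacks:
        by_type[truth[s][0]][1] += 1
        by_type[truth[s][0]][0] += 1 if s in detected else 0
    missed_types = sorted(t for t, (d, _) in by_type.items() if d == 0)

    # Timeliness: delay from attack start to the first alert.
    delays = [first_alert[s] - truth[s][1] for s in detected]
    return {
        "detection_rate": len(detected) / len(attacks) if attacks else None,
        "false_alarm_rate": len(false_alarms) / len(normal) if normal else None,
        "missed_types": missed_types,
        "max_delay": max(delays) if delays else None,
    }


if __name__ == "__main__":
    print(score_run(GROUND_TRUTH, ALERTS))
```

Running the same scoring while the background load is raised step by step gives the comparison that a stress test calls for.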
