RE: IDS Requirements

From: (infor) urko zurutuza (uzurutuza_at_eps.mondragon.edu)
Date: 06/15/04

    Date: Tue, 15 Jun 2004 17:42:40 +0200
    To: <m2a85@unb.ca>
    
    

    Taken from "A Revised Taxonomy for Intrusion-Detection Systems" (Hervé Debar, Marc Dacier and Andreas Wespi. IBM Research, Zurich Research Laboratory):

    Accuracy.
    Accuracy deals with the proper detection of attacks and the absence of false alarms. Inaccuracy occurs when an intrusion-detection system flags as anomalous or intrusive a legitimate action in the environment.

    Performance.
    The performance of an intrusion-detection system is the rate at which audit events are processed. If the performance of the intrusion-detection system is poor, then real-time detection is not possible.

    Completeness.
    Completeness is the property of an intrusion-detection system to detect all attacks. Incompleteness occurs when the intrusion-detection system fails to detect an attack. This measure is much more difficult to evaluate than the others because it is impossible to have a global knowledge about attacks or abuses of privileges.

    Fault tolerance.
    An intrusion-detection system should itself be resistant to attacks, especially denial-of-service attacks, and should be designed with this goal in mind. This is particularly important because most intrusion-detection systems run above commercially available operating systems or hardware, which are known to be vulnerable to attacks.

    Timeliness.
    An intrusion-detection system has to perform and propagate its analysis as quickly as possible to enable the security officer to react before much damage has been done, and also to prevent the attacker from subverting the audit source or the intrusion-detection system itself. This implies more than the measure of performance because it not only encompasses the intrinsic processing speed of the intrusion-detection system, but also the time required to propagate the information and react to it.

    __________________________________________________
    MONDRAGON UNIBERTSITATEA
    Urko Zurutuza
    Dpto. Informática
    Loramendi 4 - Aptdo.23
    20500 Arrasate-Mondragon
    Tel. +34 943 739636 // +34 943 794700 Ext.297
    www.eps.mondragon.edu
    uzurutuza@eps.mondragon.edu

    > -----Original message-----
    > From: m2a85@unb.ca [mailto:m2a85@unb.ca]
    > Sent: Tuesday, 15 June 2004 14:55
    > To: focus-ids@securityfocus.com
    > Subject: IDS Requirements
    >
    >
    >
    > Hi,
    >
    > I have begun a research project that focuses on
    > determining the essential features IDS Software must
    > implement. Primarily I am concerned with features
    > that network administrators are either currently
    > using extensively in daily operations or hope will
    > become available in the future.
    >
    > I have read many articles referring to current IDS
    > systems and their passive approach to securing
    > networks from the latest global threats. Has there
    > been any advancements in providing network
    > administrators with the ability to impose preemptive
    > measures before network breaches occur? What tools
    > are being researched by industry leaders?
    >
    > Any links, documents, or lists of core features and
    > abilities that an IDS must have would be great.
    >
    > Thank you for your time, any followups would be
    > greatly appreciated.
    >

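The taxonomy quoted above defines accuracy, completeness, performance and timeliness as properties one can measure, but gives no procedure for measuring them. The script below is an added example (it is neither code from the Debar/Dacier/Wespi paper nor anything posted on this list) that scores a constructed alert stream against constructed ground truth on those four properties. Fault tolerance is a design property of the sensor and is not scored. The attack list, alert stream, audit-event count and interval are all made up, and the matching rule (an alert counts for an attack if it has the same source and destination and is raised within 30 seconds of the attack start) is an assumption chosen for the example.

```python
"""Score an IDS alert stream on the four measurable properties of the
Debar/Dacier/Wespi taxonomy: accuracy, completeness, performance, timeliness.
Added example; all data below is constructed, not captured from a real IDS."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Attack:
    """Ground truth: an intrusion that really happened."""
    attack_id: str
    src: str
    dst: str
    start: datetime


@dataclass(frozen=True)
class Alert:
    """What the IDS emitted."""
    src: str
    dst: str
    raised: datetime


# Constructed ground truth and alert stream (assumption: not real traffic).
T0 = datetime(2004, 6, 15, 12, 0, 0)
ATTACKS = [
    Attack("A1", "10.0.0.5", "192.168.1.10", T0),
    Attack("A2", "10.0.0.7", "192.168.1.20", T0 + timedelta(seconds=30)),
    Attack("A3", "10.0.0.9", "192.168.1.30", T0 + timedelta(seconds=60)),  # never alerted on
]
ALERTS = [
    Alert("10.0.0.5", "192.168.1.10", T0 + timedelta(seconds=2)),     # true positive, fast
    Alert("10.0.0.7", "192.168.1.20", T0 + timedelta(seconds=45)),    # true positive, slow
    Alert("10.0.0.7", "192.168.1.20", T0 + timedelta(seconds=46)),    # duplicate for A2
    Alert("172.16.0.3", "192.168.1.10", T0 + timedelta(seconds=50)),  # false alarm
]
AUDIT_EVENTS = 120_000              # audit records the sensor consumed (assumed) ...
WALL_CLOCK = timedelta(seconds=90)  # ... during this interval (assumed)
MAX_LAG = timedelta(seconds=30)     # matching window: alert must follow attack start within this


def match_alerts(attacks, alerts, max_lag=MAX_LAG):
    """Pair each alert with the attack it reports (same src/dst, raised no more
    than max_lag after the attack began). Returns (first alert per detected
    attack, list of false alarms, count of duplicate alerts)."""
    detected = {}
    false_alarms = []
    duplicates = 0
    for alert in sorted(alerts, key=lambda a: a.raised):
        hit = next((atk for atk in attacks
                    if atk.src == alert.src and atk.dst == alert.dst
                    and timedelta(0) <= alert.raised - atk.start <= max_lag), None)
        if hit is None:
            false_alarms.append(alert)
        elif hit.attack_id in detected:
            duplicates += 1          # already counted; extra alerts add noise, not coverage
        else:
            detected[hit.attack_id] = alert
    return detected, false_alarms, duplicates


def score(attacks=ATTACKS, alerts=ALERTS, audit_events=AUDIT_EVENTS, wall_clock=WALL_CLOCK):
    """Return one figure per taxonomy property, computed from the alert stream."""
    detected, false_alarms, duplicates = match_alerts(attacks, alerts)
    lags = [(detected[a.attack_id].raised - a.start).total_seconds()
            for a in attacks if a.attack_id in detected]
    return {
        # Accuracy: fraction of alerts that flagged legitimate activity.
        "false_alarm_rate": len(false_alarms) / len(alerts),
        "duplicate_alerts": duplicates,
        # Completeness: fraction of real attacks that produced at least one alert.
        "detection_rate": len(detected) / len(attacks),
        "missed": sorted(a.attack_id for a in attacks if a.attack_id not in detected),
        # Performance: audit events processed per second of wall-clock time.
        "events_per_second": audit_events / wall_clock.total_seconds(),
        # Timeliness: delay from attack start to the first alert for it.
        "median_detection_lag_s": median(lags) if lags else None,
        "worst_detection_lag_s": max(lags) if lags else None,
    }


if __name__ == "__main__":
    for name, value in score().items():
        print(f"{name:>24}: {value}")
```

On the constructed data the sensor misses A3 (completeness 2/3), raises one alert on a legitimate source (false-alarm rate 1/4), and takes 15 s to report A2 even though it processes about 1,333 audit events per second, which illustrates the paper's point that timeliness is not the same measure as raw processing performance. Completeness measured this way is only as good as the ground truth supplied, which is exactly the difficulty the paper notes.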

