Re: IDS Security Metris

On 4 Apr 2007 21:29:44 -0000, jlynnmonett@xxxxxxxxx
<jlynnmonett@xxxxxxxxx> wrote:
Could someone help me. I need to create a list of 10 security metrics for a IDS.

10 seems rather arbitrary. Is this for some useful business purpose or a class?

1. For every incident investigated due to the detection of events from
the IDS, estimate the financial impact of not detecting the issue.
Track the total gross.

10. Track false positive incidents. That is the number of times the
pager went off due to an alert on something that was not that
critical. Because new signatures are always being added, this will
probably be flat in a mature IDS program.

11. Track false negatives that generate new pager rules. That is the
number of times the analysts were reviewing the non-paging events and
found something that you should have been paged on. This justifies the
time and cost for the constant review of events.

There I gave you an extra one.

Metrics are usually based on the specific needs of the IDS processes,
how they fit into the overall Security processes, the level of risk
tolerable to the business, and the threats. Without more details on
the particular situation, one might as well assume you're using

In general if one is asking for help on a mailing list, one should
provide at least as much information as one expects back in return. I
should have replied that I am sure someone out there could help you,
but I was feeling generous.

Eric Hacker, CISSP

aptronym (AP-troh-NIM) noun
A name that is especially suited to the profession of its owner

I _can_ leave well enough alone, but my criteria for well enough is
pretty darn high.

Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to to learn more.

Relevant Pages

  • RE: Changes in IDS Companies?
    ... It does intrusion detection with alerting and pattern matching ... IDS is down...but at least your network isn't, ... ::: mode being rolled into Snort) are both good technologies ...
  • RE: Specification-based Anomaly Detection
    ... Hi Stefano & Toby, ... I feel that the mind set of the discussion was about such applications, ... would not be much different than a network IDS. ... Does this make intrusion detection in web applications deferent? ...
  • Re: Alarming (was protocol analysis)
    ... Obviously, there are different ways to "detect" attacks, but John uses the ... no one should ever "rely" on any IDS for our ... As for Johns Metaphor of the motion sensor vs the pressure sensor, ... toward Intrusion Prevention as opposed to just Intrusion Detection. ...
  • IDS Assessment (was: Intrusion Prevention... probably something else at one point)
    ... scrutiny of all IDS features/technologies. ... Anomaly-type detection engines can ... weaknesses of each detection methodology (which is described in much ... attack d'jour with a cool sounding name and/or press ...
  • RE: Hi, I want to study IPS
    ... >>of systems to pull everything together into an IDS solution. ... you are right that some IPS products use similar techniques as ... technologies in attack detection. ... capabilities, and so have less false positives, which is not true. ...