Re: IDS Security Metrics

Could you please define metrics? It's quite a wide term...

Should you look for decision making criteria (technically speaking), my list
should include:

1. false negative rate, to see how many real incidents your IDS may miss
2. false positive rate, to see how many "fake" incidents your IDS won't miss
3. security of the IDS itself (well, here come another 10 metrics but won't dig
4. handling of encrypted traffic (SSL, more precisely)
5. number of supported network segments (either physically or using VLANs)
6. integration/correlation with vulnerability assessment tools (with a unified
attack description so that nobody gets confused)
7. custom signatures (e.g. snort-type) and exceptions capability (sometimes
things get really bad, so it's a very nice to have)
8. integration with log analysis/correlation systems (call them SIM/SEM, etc.)
9. integration with ticketing systems (an incident may widely affect an
10. automatic responses (or policy-based responses) - not "shunning"
11. reporting (somehow somebody must get notified in a language they can

Should you turn into IPS, take also into account:

x1. number of "trusted" signatures (IBM/ISS-terminology, sorry..)
x2. modes of operation (IDS only, transparent, learning mode, hybrid)
x3. average time of signature issuance (not easy to estimate)

Of course, cost, R&D, vendor stability and coverage, etc. should not be

Lately, there are a number of IDS/IPS technologies used in firewalls, content
security, SSL VPN gateways, etc. If your case is this, the lists above should look
somehow different.

Hope this helps.

Dimitrios Patsos, Ph.D. (Cand.), M.Sc.
Security Architect

Quoting jlynnmonett@xxxxxxxxx:

Could someone help me. I need to create a list of 10 security metrics for a
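As an added worked example for items 1 and 2 of the list above (this is not part of the original post), the following Python scores an IDS against a labelled replay set and derives the false negative rate, false positive rate and alert precision; it goes one step beyond the list by projecting the daily mix of true and false alerts from those rates and an assumed attack base rate. The flow identifiers, labels and volumes are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IdsScore:
    """Confusion counts: tp/fn = real incidents alerted/missed, fp/tn = benign events alerted/quiet."""
    tp: int
    fp: int
    fn: int
    tn: int

    @property
    def false_negative_rate(self) -> float:
        """Item 1 on the list: share of real incidents the IDS missed."""
        real = self.tp + self.fn
        return self.fn / real if real else 0.0

    @property
    def false_positive_rate(self) -> float:
        """Item 2 on the list: share of benign events flagged as incidents."""
        benign = self.fp + self.tn
        return self.fp / benign if benign else 0.0

    @property
    def precision(self) -> float:
        """Share of raised alerts that were real, i.e. what the analyst queue looks like."""
        alerts = self.tp + self.fp
        return self.tp / alerts if alerts else 0.0

def score_ids(events, malicious, alerted) -> IdsScore:
    """Match IDS alerts against ground truth, both keyed by event (flow) identifier."""
    malicious, alerted = set(malicious), set(alerted)
    tp = fp = fn = tn = 0
    for ev in events:
        bad, flagged = ev in malicious, ev in alerted
        tp += bad and flagged          # bools add as 0/1
        fn += bad and not flagged
        fp += flagged and not bad
        tn += not bad and not flagged
    return IdsScore(tp, fp, fn, tn)

def expected_daily_alerts(events_per_day, attack_fraction, score):
    """Project (true alerts, false alerts) per day by applying the measured rates to the base rate."""
    attacks = events_per_day * attack_fraction
    return attacks * (1 - score.false_negative_rate), (events_per_day - attacks) * score.false_positive_rate

# Constructed test set (hypothetical): 20 replayed flows, four of which carry the test attacks.
SAMPLE_EVENTS = [f"f{i:02d}" for i in range(1, 21)]
SAMPLE_MALICIOUS = {"f03", "f07", "f12", "f18"}
SAMPLE_ALERTS = {"f03", "f07", "f12", "f05", "f09"}  # f18 missed; f05 and f09 are benign
```

With a 12.5% false positive rate and one attack per 10,000 events, the projection yields roughly 75 true alerts against about 125,000 false ones per million events, which is why the false positive rate has to be read against benign volume rather than on its own.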

Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
to learn more.
