Presentation is loading. Please wait.

Presentation is loading. Please wait.

10/1/20071 Automatic Evaluation of Intrusion Detection Systems F. Massicotte, F. Gagnon, Y. Labich, L. Briand, Computer Security Applications Conference,

Published bySamson Carpenter Modified over 9 years ago

Similar presentations

Presentation on theme: "10/1/20071 Automatic Evaluation of Intrusion Detection Systems F. Massicotte, F. Gagnon, Y. Labich, L. Briand, Computer Security Applications Conference,"— Presentation transcript:

1 10/1/20071 Automatic Evaluation of Intrusion Detection Systems F. Massicotte, F. Gagnon, Y. Labich, L. Briand, Computer Security Applications Conference, ACSAC ’06, pp 361-370, 2006. Presented by: Lei WEI

2 10/1/20072 Summary 1. Proposed a strategy that is able to evaluate Intrusion Detection System (IDS) automatically and systematically 2. Evaluated two famous IDS programs, Snort 2.3.2 and Bro 0.9a9, by using this new proposed strategy. 3. Proposed a 15-class taxonomy for test results.

3 10/1/20073 Appreciative Comments: Automatization This is an automatic IDS evaluation system. Because of automation, it is possible to efficiently and systematically create a large number of sample data. “ We use 124 VEP (covering a total of 92 vulnerabilities) and 108 different target system configurations” (Automatic Evaluation of Intrusion Detection Systems) “ We use 124 VEP (covering a total of 92 vulnerabilities) and 108 different target system configurations” (Automatic Evaluation of Intrusion Detection Systems) “38 different attacks were launched against victim UNIX hosts in seven weeks of training data and two weeks of test data.” (Evaluation Intrusion Detection Systems: The 1998 DARPA Off-line Intrusion Detections Evaluation) “38 different attacks were launched against victim UNIX hosts in seven weeks of training data and two weeks of test data.” (Evaluation Intrusion Detection Systems: The 1998 DARPA Off-line Intrusion Detections Evaluation)

4 10/1/20074 Critical Comment: 1. Complicated classification Each of the collected traffic traces belongs to one of the type, TP, TN, FP and FN. According to types of all traces collected from IDS evaluation tests, the authors suggested a 15-class taxonomy for IDSes, such as, alarmist, quiet, quiet and complete detection, complete evasion etc. This does make the evaluation complicated and confused. This does make the evaluation complicated and confused.  Hard to remember all the class names  Is quiet and complete detection a subclass of quiet? No! I prefer a statistical way by calculating the following two ratios, I prefer a statistical way by calculating the following two ratios, (, ), from which we know the percentage of attack being detected and the percentage about wrong alarms.

5 10/1/20075 Critical Comment: 2. Confused diagrams In this paper, the two diagrams, Figure 5 and Figure 1, and relevant description used to represent the working process of the whole system are not clear enough. (a). A title should be “… an effective guide for scientists rapidly scanning lists of titles for information relevant to their interests.” (Scientific writing for graduate students: a manual on the teaching of scientific writing, edited by F. Peter Woodford. New York: Rockefeller University Press, 1968. ) However, neither the title nor the content provides clear explanation to the meaning of numbers in Figure5.

6 10/1/20076 Critical Comment: 2. Confused diagrams (Continue) (b). Although the article describes the steps listed in Figure1, the provided diagram does confused us to understand the structure and working process of the system. The title is Virtual network infrastructure,but the figure actually covers more stuff than that. It does not only represent Virtual network infrastructure, but also shows the working process of the subsystem. (b). Although the article describes the steps listed in Figure1, the provided diagram does confused us to understand the structure and working process of the system. The title is Virtual network infrastructure, but the figure actually covers more stuff than that. It does not only represent Virtual network infrastructure, but also shows the working process of the subsystem.

7 10/1/20077 Working process of Automatic IDS Evaluation system This system could be divided into two subsystems. The attack simulation and data collection system The attack simulation and data collection system The IDS Evaluation Framework The IDS Evaluation Framework

8 10/1/20078 1. Attack simulation and data collection system 1.Choose Vulnerability Exploitation Program (VEP) 2.Choose Configuration of the target System (e.g. IDS) Script Generation Set up Virtual Network Set up Attack Script Execute Attack Data Set Provide the virtual attacking machine the proper attack configuration (e.g. Whether apply IDS Evasion Tech.) 1.Capture attack traffic traces 2.Document the traffic traces Restore 1.Save the traffic traces and IDS alarms on the shared hard-drive 2.Restore the virtual attacker and target machines to their initial state

9 10/1/20079 Data Set IDS IDS Evaluator IDS Result Analyzer Report 2. IDS Evaluation Framework IDS Evaluator takes documented traffic traces from the Data Set IDS Evaluator provide traffic traces to each tested IDS Compare the two groups of data sets and determine whether the IDS detection succeed The collected IDS alarms are fetched by the IDS Results Analyser Generate the evaluation report

10 10/1/200710 Question This paper evaluated two open source IDSes by the new strategy. However, many IDSes have patent or copy right protection. Those creators would never reveal the weak points of their products. Is it ethical or illegal to publish the evaluations of IDS programs so that others can know the truth? Is it ethical or illegal to publish the evaluations of IDS programs so that others can know the truth?

11 10/1/200711 The End

12 10/1/200712 The 15-class taxonomy (Supplement)

13 10/1/200713 Document traffic traces (Supplement) Each traffic trace is documented by four characteristics: 1. Target system configuration 2. VEP configuration 3. Whether or not the VEP exploited the vulnerability of the target system 4. Whether or not the attack is successful

Download ppt "10/1/20071 Automatic Evaluation of Intrusion Detection Systems F. Massicotte, F. Gagnon, Y. Labich, L. Briand, Computer Security Applications Conference,"

Similar presentations

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
1 A Schneider Electric Software for Pre-Design of Industrial and Tertiary Building Electrical Distribution.

1 A Schneider Electric Software for Pre-Design of Industrial and Tertiary Building Electrical Distribution.
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)

An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)
Vulnerability Analysis. Formal verification Formally (mathematically) prove certain characteristics Proves the absence of flaws in a program or design.

Vulnerability Analysis. Formal verification Formally (mathematically) prove certain characteristics Proves the absence of flaws in a program or design.
Discourse Analysis of Students’ Research Papers Roman Taraban Texas Tech University July 2010.

Discourse Analysis of Students’ Research Papers Roman Taraban Texas Tech University July 2010.
Copyright © Allyn & Bacon (2007) Final Preparations Before Data Collection Graziano and Raulin Research Methods: Chapter 14 This multimedia product and.

Copyright © Allyn & Bacon (2007) Final Preparations Before Data Collection Graziano and Raulin Research Methods: Chapter 14 This multimedia product and.
Towards A Theory Of Insider Threat Assessment Authors: Ramkumar Chinchani, Anusha Iyer Hung Q Ngo, Shambhu Upadhyaya International Conference on Dependable.

Towards A Theory Of Insider Threat Assessment Authors: Ramkumar Chinchani, Anusha Iyer Hung Q Ngo, Shambhu Upadhyaya International Conference on Dependable.
The development of Internet A cow was lost in Jan 14th 2003. If you know where it is, please contact with me. My QQ number is 87881405. QQ is one of the.

The development of Internet A cow was lost in Jan 14th If you know where it is, please contact with me. My QQ number is QQ is one of the.
Nick Duffield, Patrick Haffner, Balachander Krishnamurthy, Haakon Ringberg Rule-Based Anomaly Detection on IP Flows.

Nick Duffield, Patrick Haffner, Balachander Krishnamurthy, Haakon Ringberg Rule-Based Anomaly Detection on IP Flows.
Detecting Computer Intrusions Using Behavioral Biometrics Ahmed Awad E. A, and Issa Traore University of Victoria PST’05 Oct 13,2005.

Detecting Computer Intrusions Using Behavioral Biometrics Ahmed Awad E. A, and Issa Traore University of Victoria PST’05 Oct 13,2005.
Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.

Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.

NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
A Student’s Guide to Methodology Justifying Enquiry 3 rd edition P ETER C LOUGH AND C ATHY N UTBROWN.

A Student’s Guide to Methodology Justifying Enquiry 3 rd edition P ETER C LOUGH AND C ATHY N UTBROWN.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.

© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.
seminar on Intrusion detection system

seminar on Intrusion detection system
Testing Intrusion Detection Systems: A Critic for the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory By.

Testing Intrusion Detection Systems: A Critic for the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory By.

Similar presentations

Ads by Google