Towards a Taxonomy of Intrusion Detection Systems and Attacks

After more than a decade of development, many commercial and non-commercial intrusion detection systems (IDSes) are now available. However, they tend to generate false alarms at high rates while overlooking real threats. In addition, the semantics of their alarms are often not well defined and are rarely taken into account systematically in the process of fault diagnosis. We intend to address these issues by developing a new paradigm for IDS evaluation that allows the strengths and weaknesses of IDSes to be identified at a generic level. These results then serve as the basis for improving fault diagnosis based on IDS alarms and for developing concepts that support the design of intrusion detection architectures.

The goal of this work is to build the foundation for this approach to IDS evaluation. This is achieved by developing pragmatic classification schemes for IDSes and for the input to IDSes, namely attacks. The first of the two schemes allows the generic description of IDSes based on a set of IDS analysis capabilities relevant to the task of intrusion detection (ID). The second scheme is geared towards identifying potential input to IDSes in a systematic fashion by classifying attacks with respect to characteristics that are potentially observable by IDSes. This scheme is then generalized to the concept of so-called activities, which unifies malicious input (i.e., attacks) and benign (attack-like) input to IDSes.

By: Dominique Alessandri (editor), Christian Cachin, Marc Dacier, Oliver Deak, Klaus Julisch, Brian Randell, James Riordan, Andreas Tscharner, Andreas Wespi, Candid Wüest

Published as: Research Report RZ3366, 2001

LIMITED DISTRIBUTION NOTICE:

This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties).

rz3366.pdf
