Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: IDS evaluations procedures

from [THolman] Network Security [Permanent Link]
Subject: RE: IDS evaluations procedures
Date: Tue, 12 Jul 2005 17:33:03 -0400 
Hi Dave,

That's always an interesting question - how do you evaluate detection
systems when all they respond to is known exploits?
Yes, it's easy to launch all known exploits against a detection system using
one of the many vulnerability scanners out there, but how do you test
whether or not the detection system will respond (and hopefully block)
zero-day attacks?  Especially where the attack (and associated
vulnerability) is not known yet?  Just look at the devastating impact of
recent worms that effectively bypassed all detection systems as they were
not programmed to look for the exploit that they didn't know about...
Whilst you're moving in the right direction by detecting anomalies, you have
to be very careful as to how accurate this is.  What technologies are being
used to detect the anomalies?  How many false positives do such detection
methods invoke?  What IS an anomaly?  What it such an anomaly is in fact a
surge in an increase in valid traffic due to heightened end-of-day activity
or spikes in web usage?
To specifically answer your question, look at current attack weather reports
- you'll see approximately 15-20% of perimeter traffic is in fact worms
trying to propagate.  Any evaluation should be designed with this in mind.
..but more importantly, make sure you're evaluating something that will do
the job in hand and doesn't lead you up the garden path with inaccurate
marketing collateral!  :)

Regards,

Tim


-----Original Message-----
From: david.sames@sparta.com [mailto:david.sames@sparta.com] 
Sent: 12 July 2005 03:40
To: focus-ids@securityfocus.com
Subject: IDS evaluations procedures

I'm in the process of developing test procedures for evaluating an internal
anomaly-based detection system. I'd like to construct a test set of nominal
data peppered with attack data. What is a reasonable ratio of attack data to
"normal" traffic that is representative of "real" systems.

Thanks,

Dave

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: IDS evaluations procedures, Joel Esler
Next by Date:  RE: IDS evaluations procedures, THolman
Previous by Thread:  Re: IDS evaluations procedures, Whodini
Next by Thread:  RE: IDS evaluations procedures, THolman
Indexes:  [Date] [Thread] [Top] [All Lists]