State of the Practice of Intrusion Detection Technologies

The information in this appendix is taken from a paper by Edward Amoroso and Richard Kwapniewski titled "A Selection Criteria for Intrusion Detection Systems" [B57]. This paper includes a questionnaire which can be used independently or sent to vendors to determine the detection and operational capabilities of an IDS. Using this questionnaire, each area of the IDS is rated using three categories, listed below from least to most capable.

Detection Capabilities:

• Time to detected intrusions¾elapsed time between an intrusive event and its automated detection in three categories from least capable to most capable:
  

  1. eventually detect intrusions, but perhaps well after the attack has completed

  2. more timely on-the-fly network information capture for prompt reporting of intrusions (minutes to hours)

  3. specially designed functionality to minimize time of detections using, e.g., hardware-based packet capture and processing solutions
   

• Stored knowledge about intrusions¾the richness and extensibility of the intrusion knowledge base used in the product; includes the amount of work required to encode a new detection approach, implement it in a product, and integrate the new product feature into an embedded base. The three categories are
  

  1. some set of intrusion profiles and content patterns is provided by the vendor and updated periodically

  2. content patterns can be customized by the administrator

  3. provide an API or language for users to specify customized intrusion profiles for non-trivial attack patterns
   

• User and system activity profiling¾the ability to develop customer profiles of users and systems as the basis for detecting anomalous behavior. The three categories are
  

  1. no ability to develop profiles

  2. the existence of a profiling engine for specifying and capturing broad statistical information about system operation

  3. profiling granularity increased considerably to that individual user profiles can be used with administrator-tunable thresholds
     
   

• Multi-source information correlation¾the ability of an IDS to relate monitored traffic or alarms from different sources and at different times. The three categories are
  

  1. functionality must exist for multiple feeds of information to be collected in a common processing location for display and minimal response

  2. include tools to define and search for patterns of activity in the monitored traffic feeds

  3. include an automated mechanism for incorporating out-of-band sources such as detected events from other networks, information pulled from news feeds, or real time operator generated input into the¾correlation processing; also provides some sort of API for accepting alarm message from out-of-band sources
     
   

• Test and Verification The three categories from least capable to most capable are
  

  1. no test and verification

  2. vendor supplies evidence that the system has been appropriately tested and verified using a well-defined test suite

  3. vendor provides evidence of third-party testing by an independent organization that will supply documentation of test plans and results
     
   

• System Security¾the degree to which the IDS protects its resources from malicious security attack. The three categories are
  

  1. provide basic system security for its platforms including access control, some level of audit, and user authentication

  2. the presence of an encryption-based VPN capability for protecting communications

  3. the presence of a security hardened base for servers and special functionality and network configurations that are designed to enhance the stealth nature of the system
     
   

• Supported Network Media¾indicates the types of network media on which the system can be connected at the required bandwidth without dropping any packets. The three categories are
  

  1. supports low-speed LAN and WAN interfaces (up to 16 Mb/s) such as Ethernet, token Ring, NxDS0 and DS1.

  2. supports high-speed LAN and WAN interfaces (up to 100 Mb/s) such as fast Ethernet, FDDI, and DS3.

  3. supports very high-speed media (over 100 Mb/s) such as Gigabit Ethernet, ATM OC-3, and ATM OC-12.
     
   

• User Interface¾the type of interface provided to the IDS administrator for configuration and monitoring components. The three categories are
  

  1. no formal interface; relies on resources available from the native operating system on which it resides

  2. provide a dedicated command-line or GUI application which can be used to perform all necessary operations

  3. provide a centralized GUI application from which an administrator can remotely control and operate any component of the IDS
   

   

   

  ---

  [Title Page]     [Abstract]     [Figures]     [Acknowledgments]     [Executive Summary]     [Preface]     [Section 1]     [Section 2]     [Section 3]     [Section 4]     [Section 5]     [Appendix A]     [Appendix B]     [Appendix C]     [Appendix D]     [Appendix E]     [Appendix F]     [DTIC page]     [PDF file]