Evaluation of intrusion detection systems

Our research aims at developing systematic and rigorous evaluation approaches to assess how efficiently computer-based systems and their associated protection mechanisms cope with potential attacks. We mainly focus on the evaluation of intrusion detection systems (IDSs). In this context, we have proposed a model-driven approach and a tool to run evaluations in a systematic way [Gad El Rab 2008]. The approach is based on a new classification of attack activities with respect to IDS-relevant manifestations or features that exhibit the dynamics of the attack process [Gad El Rab et al. 2005]. It results from the analysis of a large number of attack incidents and malware samples, including the data collected from our honeypots. To implement this approach, we have designed a flexible evaluation tool based on the Metasploit framework that provides both attack injection and background traffic generation. The feasibility and flexibility of the proposed approach for the systematic generation of evaluation test cases have been illustrated on two different IDSs (Snort and Bro).
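As an added illustration of the measurement step in such an evaluation (example code written for this page, not the group's Metasploit-based tool), the script below correlates Snort "fast" format alerts with a log of injected attack test cases and reports the detection rate per attack category, plus the alerts that fired with no corresponding injection, i.e. on background traffic only. The alert lines, signature IDs, addresses and the 60-second matching window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Snort "fast" alert lines (hypothetical signatures, not real rules).
SNORT_ALERTS = """\
03/14-10:00:02.120000  [**] [1:2001:4] Hypothetical probe sig [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 10.0.0.5:44321 -> 10.0.0.10:22
03/14-10:05:01.000000  [**] [1:2002:1] Hypothetical exploit sig [**] [Classification: Attempted Admin] [Priority: 1] {TCP} 10.0.0.5:44400 -> 10.0.0.10:80
03/14-10:12:30.500000  [**] [1:2003:2] Hypothetical noisy sig [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.7:51000 -> 10.0.0.10:443
"""

# Constructed injection log: (attack category, start time, source, target).
# The third case was injected but never alerted on, so it counts as a miss.
TEST_CASES = [
    ("recon", "03/14-10:00:00", "10.0.0.5", "10.0.0.10"),
    ("exploit", "03/14-10:05:00", "10.0.0.5", "10.0.0.10"),
    ("exploit", "03/14-10:08:00", "10.0.0.6", "10.0.0.10"),
]

# timestamp ... {PROTO} src:port -> dst:port
FAST_RE = re.compile(r"^(\S+)\s+\[\*\*\].*?\{\w+\}\s+([\d.]+):\d+\s+->\s+([\d.]+):\d+")

def parse_fast_alerts(text):
    """Yield (timestamp, src, dst) for every well-formed fast-alert line."""
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d-%H:%M:%S.%f")
            yield ts, m.group(2), m.group(3)

def evaluate(alert_text, test_cases, window=timedelta(seconds=60)):
    """Per-category detection rate; alerts matching no injected case are false positives."""
    cases = [{"cat": c, "start": datetime.strptime(t, "%m/%d-%H:%M:%S"),
              "src": s, "dst": d, "hit": False} for c, t, s, d in test_cases]
    false_positives = 0
    for ts, src, dst in parse_fast_alerts(alert_text):
        matched = [c for c in cases if c["src"] == src and c["dst"] == dst
                   and c["start"] <= ts <= c["start"] + window]
        for c in matched:
            c["hit"] = True
        if not matched:
            false_positives += 1  # fired with no injected case: background traffic
    total, detected = defaultdict(int), defaultdict(int)
    for c in cases:
        total[c["cat"]] += 1
        detected[c["cat"]] += int(c["hit"])
    rates = {cat: detected[cat] / total[cat] for cat in total}
    return {"detection_rate": rates, "false_positives": false_positives}
```

Calling `evaluate(SNORT_ALERTS, TEST_CASES)` on the constructed data yields a detection rate of 1.0 for "recon", 0.5 for "exploit", and one false positive.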

This evaluation framework, which has so far addressed network- and operating-system-level vulnerabilities, will be extended to cover vulnerabilities and attacks affecting web-based applications and services. The long-term objective is to set up standardized benchmarks for intrusion detection systems, together with a flexible experimental evaluation framework that can be customized for different target systems. This work will be carried out in particular in the context of the DALI project (« Dependability Assessment of application Level Intrusion detection systems »), which is partially funded by the French ANR agency.

Publications

[Gad El Rab et al. 2009] M. Gad El Rab, A. Abou El Kalam, Y. Deswarte, Manipulation of network traffic traces for security evaluation, 2009 IEEE International Workshop on Quantitative Evaluation of Large-scale Systems and Technologies (IEEE QuEST-09), Bradford (UK), 26-29 May 2009, pp. 1124-1129.

[Gad El Rab 2008] M. Gad El Rab, Evaluation of intrusion detection systems, PhD Thesis, Institut National Polytechnique de Toulouse, LAAS-Report 08776, 15 December 2008, http://tel.archives-ouvertes.fr/tel-00366690/fr/

[Gad El Rab et al. 2008] M. Gad El Rab, A. Abou El Kalam, Y. Deswarte, Execution patterns in automatic malware and human-centric attacks, Seventh IEEE International Symposium on Network Computing and Applications (NCA 2008), Cambridge (USA), 10-12 July 2008, pp. 29-36.

[Gad El Rab et al. 2005] M. Gad El Rab, A. Abou El Kalam, Y. Deswarte, Modélisation des processus d'attaques pour l'évaluation des IDS, 3ème Conférence sur la Sécurité des Architectures Réseaux et des Systèmes d'Information (SAR/SSI'2008), Loctudy (France), 13-17 October 2008, pp. 197-210.

[Gad El Rab et al. 2005] M. Gad El Rab, A. Abou El Kalam, Y. Deswarte, Defining Categories to select representative attack test-cases, 3rd Workshop on Quality of Protection (QoP'07), Allessandria (USA), 29 October 2007, pp. 40-42.