Guidelines for testing intrusion detection systems in computer systems and networks | Article in the journal «Молодой ученый»


Author: М. М. Кадыров

Section: Information technology

Published in Молодой учёный No. 18 (122), September-2 2016

Publication date: 14.09.2016


Bibliographic description:

Кадыров, М. М. Guidelines for testing intrusion detection systems in computer systems and networks / М. М. Кадыров. — Text: direct // Молодой ученый. — 2016. — No. 18 (122). — P. 47-50. — URL: https://moluch.ru/archive/122/33606/ (accessed: 16.12.2024).



This article proposes testing guidelines that make it possible to evaluate the performance or failure of an intrusion detection system on a fixed set of functions defined by its settings, as well as to assess the vulnerability of these tools. The intrusion detection system is deployed and configured in accordance with the requirements of its operational documentation and the security policy of the organization operating it.

1 Introduction

Network intrusion detection systems, which detect signs of attacks against information systems, have long been used as one of the essential lines of defense of information systems. Developers of information system protection and consultants in this area actively use such concepts as perimeter security and static and dynamic defense, and their own terms have begun to appear, for example, proactive protection. Intrusion and attack detection systems are usually software or hardware-software solutions that automate the process of monitoring events occurring in a computer system or network and independently analyze these events in search of signs of security problems. As the number of different types and ways of organizing unauthorized intrusion into other people's networks has increased significantly in recent years, intrusion detection systems (IDS) have become an essential component of the security infrastructure of most organizations [1]. This is reflected in the huge amount of literature on the subject, which potential attackers study carefully, and in the increasingly sophisticated and complex methods and approaches to detecting attempts to hack information systems.

Nowadays there are a large number of commercial intrusion detection systems on the market. However, there is still no standardized testing method that would allow the pros and cons of an IDS under test to be identified. The tests recommended by the manufacturer, as a rule, serve advertising purposes and cannot help to evaluate the functionality of the system.

2 The evaluation criteria for the functional test

Intrusion detection is the ability of an IDS to detect different types of attacks based on the analysis of various parts of a packet. The following basic characteristics of an IDS should be considered:

Ability to analyze headers — allows the detection of attacks associated with the values of the IP packet header. A typical representative is the LAND attack. A LAND attack sends a SYN packet with identical source and destination IP addresses and ports. The receiving machine gets into an infinite loop, which can cause the collapse of the network.

Packet reassembly — the ability of the IDS to reassemble fragmented traffic and detect attacks contained in several packets. A typical representative is the Teardrop attack. This attack is initiated by sending a number of IP packets which, after reassembly, have overlapping fragment data. This can cause instability in the operation of the network or system.

Analysis of packet data — allows the IDS to detect attacks associated with packet payloads [2]. A typical representative of such an attack is the PHF attack on HTTP. The PHF CGI program is an example of a script used to work with an address book, and its vulnerability allows any command to be run locally.
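The three analysis levels above (IP header, fragment reassembly, packet payload) as a small checker run over constructed packet records. This is an added example, not code from the article; `Packet`, the `check_*` functions, `analyze` and the sample traffic are assumed names and constructed data.

```python
# Added example (not the article's code): the three analysis levels above, IP header,
# fragment reassembly and payload, as a checker over constructed packet records.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: str = ""                 # TCP flags, "S" = SYN
    frag_id: Optional[int] = None   # IP identification, set only on fragments
    frag_off: int = 0               # fragment offset within the datagram, bytes
    frag_len: int = 0               # fragment payload length, bytes
    payload: bytes = b""            # application data (assumed already in order)

def check_header(p: Packet) -> Optional[str]:
    """Header analysis: a LAND packet is a SYN whose source equals its destination."""
    land = "S" in p.flags and p.src_ip == p.dst_ip and p.src_port == p.dst_port
    return "LAND" if land else None

def check_reassembly(packets: List[Packet]) -> Optional[str]:
    """Reassembly analysis: fragments of one datagram whose byte ranges overlap."""
    ranges = {}
    for p in (q for q in packets if q.frag_id is not None):
        ranges.setdefault(p.frag_id, []).append((p.frag_off, p.frag_off + p.frag_len))
    for spans in map(sorted, ranges.values()):
        if any(nxt[0] < cur[1] for cur, nxt in zip(spans, spans[1:])):
            return "TEARDROP"
    return None

def check_payload(p: Packet) -> Optional[str]:
    """Payload analysis: an HTTP request whose path targets the phf CGI script."""
    parts = p.payload.split(b" ", 2)
    if p.dst_port != 80 or len(parts) < 2 or parts[0] not in (b"GET", b"POST"):
        return None
    return "PHF" if parts[1].split(b"?")[0].lower().endswith(b"/phf") else None

def analyze(packets: List[Packet]) -> List[str]:
    """Run all three checks; alerts per packet first, then the reassembly verdict."""
    alerts = [a for p in packets for a in (check_header(p), check_payload(p)) if a]
    return alerts + [a for a in [check_reassembly(packets)] if a]

SAMPLE = [  # constructed traffic: a LAND SYN, two overlapping fragments, a PHF request
    Packet("10.0.0.5", "10.0.0.5", 139, 139, flags="S"),
    Packet("10.0.0.1", "10.0.0.5", 0, 0, frag_id=7, frag_off=0, frag_len=36),
    Packet("10.0.0.1", "10.0.0.5", 0, 0, frag_id=7, frag_off=24, frag_len=36),
    Packet("10.0.0.1", "10.0.0.5", 40000, 80, flags="PA", payload=b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"),
]
```

Running `analyze(SAMPLE)` yields one alert per level; a signature-based IDS under test is expected to report the same three events on its console when the equivalent packets are injected.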

The following criteria must also be taken into account:

  1. The ability of the IDS to detect IP Dsync — detection of intrusions in which non-standard sequence numbers and sizes are used for the purpose of masking.
  2. The ability of the IDS to detect distributed attacks — characterizes an IDS that uses the correlation method to detect attacks distributed in time or in space (the attack is carried out from multiple hosts with different IP addresses).
  3. The ability to save information for analysis — characterizes the capabilities of the program for storing incidents for further analysis.
  4. The presence of a distributed architecture — a very important feature for IDS used in large networks. This test determines the architecture of the IDS and shows the ability of the console to work with multiple sensors.
  5. The architecture of the decision-making system — shows where the final decision about the detection of an attack is made: on the sensor or on the control console.
  6. Bandwidth — allows the ability of the IDS to capture packets without loss to be assessed. For this test, only clean traffic not containing attacks is used.
  7. The impact on system performance — a test to evaluate the impact of the IDS on CPU and memory load and on the overall performance of the host.

The IDS is checked by simulating attacks or anomalous activity. For the checks to complete successfully, a signature-based IDS must have signatures for each of the performed actions. If these signatures are missing, they must be created manually when preparing and setting up the IDS for testing. The topology of the test bench is shown in figure 1.

Fig. 1. Test bench topology

Each test consists of injecting special packets into the network in which the intrusion detection system under test operates. Test results can be tracked on the system's management console. The tests are universal: they treat the IDS under test as a «black box». All tests use the TCP protocol. In most cases, the tests use interaction between the injected packets and a third party, the so-called «target» host, which is subjected to the «attack».

This host is the destination of all test packets. The presence of such a «target» host allows a «real» exchange to be simulated; emulators of network services serve this purpose. Moreover, the target host also plays the role of checking the validity of the experiment [3]. Its reaction to the injected packets makes it possible to monitor the behavior of a «real» TCP connection and compare it with the information about this behavior displayed on the control console of the IDS under test. In each test, a host running traffic generator software models in the network the traffic that might occur during its normal operation.

The packets injected into the traffic differ slightly for each test. The IDS under test responds to each test by either detecting or not detecting an intrusion. By analyzing the IDS messages and the type of packets used in a particular test, conclusions can be drawn about the capabilities and characteristics of the IDS under test. Before carrying out comprehensive, special tests, a series of tests of the basic IDS functions should be carried out. On the target host, network activity is visualized using a packet sniffer. By monitoring this activity, it can be determined whether or not the IDS under test detects the simulated attack at all.

3 Performance testing. The objectives of performance testing

Performance tests are conducted in an environment where the attacker, the victim and the COA (the attack detection system, i.e. the IDS under test) are located in the same network [4–5]. In this case, the tests are not affected by a bandwidth-limiting device. The purpose of the performance tests is to determine the characteristics of the IDS when working with packets. Figure 2 illustrates the bench topology for such tests.

Fig. 2. Bench topology for performance tests

4 The evaluation criteria for the performance tests

The criteria for assessing performance are the following:

  1. Bandwidth — allows the ability of the IDS to capture packets without loss to be assessed.
  2. Reassembly — a test to determine the performance of the sensor when reassembling packets.
  3. Filtering efficiency — a test designed to assess the overall effectiveness of the system in solving the problem of intercepting packets, analyzing them and responding to the attack.
  4. The impact on system performance — a test to evaluate the impact of the IDS on CPU and memory load and on the overall performance of the host.

5 Conclusions

In conclusion, the proposed guidelines define the evaluation criteria for functional IDS tests based on the analysis of various parts of packets, with the IDS under test responding to each test by either detecting or not detecting an intrusion in the computer network.

References:

  1. Mandujano S., Galván A., Nolazco J. A. An Ontology-based Multiagent Architecture for Outbound Intrusion Detection // Proc. 3rd ACS/IEEE International Conference on Computer Systems and Applications. 2005. P. 94–101.
  2. Li Muh., Li Min., Jiang X. DDoS attacks detection model and its application // WSEAS Trans. Computers. 2008. V. 7. No. 8. P. 1159–1168.
  3. Kim J., Bentley P. An artificial immune model for network intrusion detection. URL: http://neuro.bstu.by/our/immune3.pdf (accessed 20.10.2011).
  4. Kotov V., Vasilyev V. Immune approach to network intrusion detection // Proc. of Security of Information and Networks. 2010. P. 233–237.
  5. Scarfone K., Mell P. Guide to Intrusion Detection and Prevention Systems (IDPS). NIST Special Publication 800-94. Computer Security Resource Center (National Institute of Standards and Technology), February 2007. Retrieved 1 January 2010.