EVALUATION OF THE INTRUSION DETECTION CAPABILITIES AND PERFORMANCE OF A SECURITY OPERATION CENTER

Abdoul Karim Ganame, Julien Bourgeois, Renaud Bidou, Francois Spies

2006

Abstract

Detecting all kinds of intrusions efficiently requires a global view of the monitored network. We have developed a security operation center which is able to detect coordinated attacks that are not detected by traditional IDS. In this article, we present several methods used to test the accuracy and the performance of our security operation center. A real ISP network has been used, as well as experiments in our lab.



Paper Citation


in Harvard Style

Karim Ganame A., Bourgeois J., Bidou R. and Spies F. (2006). EVALUATION OF THE INTRUSION DETECTION CAPABILITIES AND PERFORMANCE OF A SECURITY OPERATION CENTER. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2006) ISBN 978-972-8865-63-4, pages 48-55. DOI: 10.5220/0002101900480055


in Bibtex Style

@conference{secrypt06,
author={Abdoul Karim Ganame and Julien Bourgeois and Renaud Bidou and Francois Spies},
title={EVALUATION OF THE INTRUSION DETECTION CAPABILITIES AND PERFORMANCE OF A SECURITY OPERATION CENTER},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2006)},
year={2006},
pages={48-55},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002101900480055},
isbn={978-972-8865-63-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2006)
TI - EVALUATION OF THE INTRUSION DETECTION CAPABILITIES AND PERFORMANCE OF A SECURITY OPERATION CENTER
SN - 978-972-8865-63-4
AU - Karim Ganame A.
AU - Bourgeois J.
AU - Bidou R.
AU - Spies F.
PY - 2006
SP - 48
EP - 55
DO - 10.5220/0002101900480055