IDS mailing list archives

RE: IDS Requirements


From: "(infor) urko zurutuza" <uzurutuza () eps mondragon edu>
Date: Tue, 15 Jun 2004 17:42:40 +0200

Taken from "A Revised Taxonomy for Intrusion-Detection Systems" (Hervé Debar, Marc Dacier and Andreas Wespi. IBM 
Research, Zurich Research Laboratory):

Accuracy. 
Accuracy deals with the proper detection of attacks and the absence of false alarms. Inaccuracy occurs when an 
intrusion-detection system flags as anomalous or intrusive a legitimate action in the environment.

Performance. 
The performance of an intrusion-detection system is the rate at which audit events are processed. If the performance of 
the intrusion-detection system is poor, then real-time detection is not possible.

Completeness. 
Completeness is the property of an intrusion-detection system to detect all attacks. Incompleteness occurs when the 
intrusion-detection system fails to detect an attack. This measure is much more difficult to evaluate than the others 
because it is impossible to have a global knowledge about attacks or abuses of privileges.

Fault tolerance. 
An intrusion-detection system should itself be resistant to attacks, especially denial-of-service attacks, and should 
be designed with this goal in mind. This is particularly important because most intrusion-detection systems run above 
commercially available operating systems or hardware, which are known to be vulnerable to attacks.

Timeliness. 
An intrusion-detection system has to perform and propagate its analysis as quickly as possible to enable the security 
officer to react before much damage has been done, and also to prevent the attacker from subverting the audit source or 
the intrusion-detection system itself. This implies more than the measure of performance because it not only 
encompasses the intrinsic processing speed of the intrusion-detection system, but also the time required to propagate 
the information and react to it.

__________________________________________________
MONDRAGON UNIBERTSITATEA
Urko Zurutuza
Computer Science Dept.
Loramendi 4 - Aptdo.23
20500 Arrasate-Mondragon
Tel. +34 943 739636 // +34 943 794700 Ext.297
www.eps.mondragon.edu
uzurutuza () eps mondragon edu
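The criteria quoted above are easier to reason about when they are turned into numbers. The following is an added example, not code from this mail, from the original poster, or from the Debar, Dacier and Wespi paper: it scores one IDS run against a small constructed corpus of labelled audit events and reports accuracy (false alarms on legitimate actions), completeness (attacks that were never flagged), performance (audit events processed per second) and timeliness (delay from attack to alert). The `Event` and `Alert` types, the timestamps, the labels and the processing time are all invented for the illustration. Fault tolerance is left out because it describes the IDS's resistance to being attacked and does not reduce to a score on an alert log.

```python
# Added example (not part of the original mail or of Debar et al.'s paper):
# scoring an IDS run against labelled audit events using the accuracy,
# completeness, performance and timeliness criteria quoted above.
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Event:
    event_id: int
    ts_ms: int        # when the audit event occurred (milliseconds)
    malicious: bool   # ground-truth label from the (constructed) test corpus


@dataclass(frozen=True)
class Alert:
    event_id: int     # the audit event the IDS flagged
    ts_ms: int        # when the alert reached the security officer


# Constructed test corpus: ten audit events one second apart, three of them attacks (3, 5, 8).
EVENTS: List[Event] = [Event(i, (i - 1) * 1000, i in {3, 5, 8}) for i in range(1, 11)]

# Constructed IDS output: detects 3 and 8, misses 5, raises a false alarm on 6,
# and alerts twice on 8 (only the earliest alert counts for timeliness).
ALERTS: List[Alert] = [
    Alert(3, 2400),
    Alert(8, 8600),
    Alert(6, 5100),
    Alert(8, 9000),
]


def _first_alert_per_event(alerts: Iterable[Alert]) -> Dict[int, int]:
    """Map event_id -> timestamp of the earliest alert raised for that event."""
    first: Dict[int, int] = {}
    for a in alerts:
        if a.event_id not in first or a.ts_ms < first[a.event_id]:
            first[a.event_id] = a.ts_ms
    return first


def accuracy_metrics(events: List[Event], alerts: Iterable[Alert]) -> Dict[str, float]:
    """Accuracy (false alarms on legitimate events) and completeness (undetected attacks)."""
    flagged = _first_alert_per_event(alerts)
    tp = sum(1 for e in events if e.malicious and e.event_id in flagged)
    fp = sum(1 for e in events if not e.malicious and e.event_id in flagged)
    fn = sum(1 for e in events if e.malicious and e.event_id not in flagged)
    attacks = sum(1 for e in events if e.malicious)
    benign = len(events) - attacks
    return {
        "true_positives": tp,
        "false_positives": fp,
        "false_negatives": fn,
        # Accuracy: fraction of legitimate events that produced an alarm.
        "false_alarm_rate": fp / benign if benign else 0.0,
        # Completeness: fraction of attacks that were detected at all.
        "detection_rate": tp / attacks if attacks else 0.0,
    }


def throughput(n_events: int, processing_ms: int) -> float:
    """Performance: audit events processed per second of wall-clock time."""
    return n_events / (processing_ms / 1000.0)


def timeliness(events: List[Event], alerts: Iterable[Alert]) -> Dict[str, float]:
    """Timeliness: delay between an attack event and the operator seeing its alert (true positives only)."""
    flagged = _first_alert_per_event(alerts)
    latencies = [flagged[e.event_id] - e.ts_ms
                 for e in events if e.malicious and e.event_id in flagged]
    if not latencies:
        return {"max_latency_ms": 0, "mean_latency_ms": 0.0}
    return {"max_latency_ms": max(latencies),
            "mean_latency_ms": sum(latencies) / len(latencies)}


if __name__ == "__main__":
    print(accuracy_metrics(EVENTS, ALERTS))
    print("events/s:", throughput(len(EVENTS), 500))   # assumes the run took 500 ms
    print(timeliness(EVENTS, ALERTS))
```

On the constructed corpus the run detects two of three attacks (detection rate 2/3), raises one false alarm on seven benign events (false alarm rate 1/7), processes 20 events per second if the run took 500 ms, and delivers its true alerts 400 ms and 1600 ms after the corresponding events. Measuring the same run at a higher event rate is how the performance criterion separates from accuracy: a sensor that drops events under load will show a falling detection rate while its false alarm rate stays flat.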


-----Original Message-----
From: m2a85 () unb ca [mailto:m2a85 () unb ca]
Sent: Tuesday, 15 June 2004 14:55
To: focus-ids () securityfocus com
Subject: IDS Requirements



Hi,

I have begun a research project that focuses on
determining the essential features IDS Software must
implement.  Primarily I am concerned with features
that network administrators are either currently
using extensively in daily operations or hope will
become available in the future.

I have read many articles referring to current IDS
systems and their passive approach to securing
networks from the latest global threats.  Has there
been any advancements in providing network
administrators with the ability to impose preemptive
measures before network breaches occur?  What tools
are being researched by industry leaders?

Any links, documents, or lists of core features and
abilities that an IDS must have would be great.

Thank you for your time; any follow-ups would be
greatly appreciated.
