IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: IDS evaluations procedures

From: Fergus Brooks <fergwa () gmail com>
Date: Thu, 14 Jul 2005 14:29:03 +0800
David, to follow on from Tim's questions, I am assuming that you are
talking about network anomaly detection?

What kind of anomaly detection are you trying to test? 

Protocol anomaly detection? Behavioural anomaly detection? Anomalies
detected via deviation from baseline? Exceeding certain thresholds?
Non-compliance with RFCs?

I would be more than happy to share experiences in methods I have used
to test and demonstrate some of the above if you provide some more
detailed information of the detection methodology...

Rgds.


On 12 Jul 2005 02:40:18 -0000, david.sames () sparta com
<david.sames () sparta com> wrote:

I'm in the process of developing test procedures for evaluating an internal anomaly-based detection system. I'd like 
to construct a test set of nominal data peppered with attack data. What is a reasonable ratio of attack data to 
"normal" traffic that is representative of "real" systems.

Thanks,

Dave

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------




--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: