IDS mailing list archives

Testing IDS?


From: Wilmar SULAIMAN <wilmars () cs mu OZ AU>
Date: Wed, 1 Jun 2005 12:42:45 +1000 (EST)

Dear all,

I am new to IDS. How do you normally test your IDS? Currently I am working with the MIT DARPA 1999 dataset. I believe it is really hard to get 100% accuracy. One of the issues that I found is that, because this is post-attack analysis, we know the victim IPs; therefore, do we need to include the non-victim IPs in the testing? Because including non-victim IPs in the testing phase could improve the false positive rate.

http://www.cs.fit.edu/~mmahoney/dist/, I also found this link very useful, but the evaluation program doesn't consider the port. What this means is that it could be the case that the attack was intended for port 80, but our IDS detected a port 25 packet as a port 80 attack.

Any idea how people normally test their IDS, especially for the 1999 DARPA dataset?


Wilmar Sulaiman
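
The two scoring questions raised in the message above, as an added example that is not part of the original post and is not the evaluation program at the linked site: a small scorer in which "count only alarms on victim IPs" and "require the port to match" are switches, so their effect on detections and false alarms can be compared. The `Attack` and `Alarm` records, the `score` function, the sample data and the 60-second `slack` window are all assumptions made for this illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Attack:            # one ground-truth entry (constructed, not DARPA data)
    name: str
    start: int           # seconds since start of day
    end: int
    victim: str
    port: int

@dataclass(frozen=True)
class Alarm:             # one IDS alert (constructed)
    time: int
    dst: str
    port: int

def score(alarms, attacks, victims_only=False, match_port=False, slack=60):
    """Return (set of detected attack names, false-alarm count).

    slack is an assumed tolerance in seconds around each attack interval.
    """
    victims = {a.victim for a in attacks}
    detected, false_alarms = set(), 0
    for al in alarms:
        if victims_only and al.dst not in victims:
            continue     # alarms on non-victim hosts are left out of scoring
        hits = [a for a in attacks
                if a.victim == al.dst
                and a.start - slack <= al.time <= a.end + slack
                and (not match_port or a.port == al.port)]
        if hits:
            detected.update(a.name for a in hits)
        else:
            false_alarms += 1
    return detected, false_alarms

# Constructed sample: one attack on port 80 and three alarms.
ATTACKS = [Attack("web-attack", 1000, 1030, "192.0.2.10", 80)]
ALARMS = [
    Alarm(1010, "192.0.2.10", 25),   # right host and time, wrong port
    Alarm(5000, "192.0.2.10", 80),   # victim host, far outside the attack window
    Alarm(1015, "192.0.2.20", 80),   # host that was never attacked
]

if __name__ == "__main__":
    for victims_only in (False, True):
        for match_port in (False, True):
            print(victims_only, match_port,
                  score(ALARMS, ATTACKS, victims_only, match_port))
```

With the port ignored, the port 25 alarm is credited as a detection of the port 80 attack; with non-victim hosts left out, the alarm on the unattacked host no longer counts as a false alarm.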

