Testing Intrusion Detection Systems



  • 1. Testing Intrusion Detection Systems
  • 2. Introduction
    • An Intrusion Detection System (IDS) is a system that attempts to identify intrusions.
    • What is an “intrusion”?
    • Unauthorized use
    • Misuse
    • Abuse of computer systems by authorized users
    • How does an IDS detect intrusions?
    • By analyzing information about user activity from sources such as audit records, system tables and network traffic summaries.
    • Who uses IDS?
    • For example, the National Security Agency’s Multics Intrusion Detection and Alerting System (MIDAS), the Distributed Intrusion Detection System (DIDS), etc.
  • 3.
    • Why do we need to test an IDS?
    • Users need to know how effective their IDSs are.
    • To what extent can they rely on their IDS?
    • To evaluate an IDS before deciding to buy it for their system.
    • Why is evaluating an IDS a difficult task?
    • It can be difficult or impossible to identify the set of all possible intrusions that might occur at the site where a particular IDS is employed. Why?
    • - The number of intrusion techniques is large.
    • - The site may not have access to information about all past intrusions.
    • - Intruders can discover previously known vulnerabilities in a computer system and then use new intrusion techniques to exploit them.
  • 4.
    • An IDS can be affected by various conditions in the computer system.
    • - Even if an IDS detects an intrusion, it may not detect the same intrusion when the overall level of computer activity in the system is high.
    • So we have to adopt a methodology for testing IDSs which confronts these difficulties.
    • The methodology measures the effectiveness of an IDS with respect to these objectives.
    • It consists of strategies for selecting test cases, and a series of detailed testing procedures.
    • The Unix tool “expect” is used as the software platform for creating the user-simulation scripts used in the testing experiments.
  • 5. Scenarios for Intrusion
    • The following scenarios are examples of intrusions:
    • An employee browses through his/her boss’s employee reviews.
    • A user exploits a flaw in a file server program to gain access to, and then corrupt, another user’s file.
    • A user exploits a flaw in a system program to obtain “super-user” status.
    • An intruder uses a script to crack the passwords of other users on a computer.
    • An intruder installs a “snooping program” on a computer to inspect network traffic which may contain sensitive data.
    • An intruder modifies router tables in a network to prevent the delivery of messages to a particular computer (Denial of Service attack).
  • 6. Concurrent Intrusion
    • Single Intruder Single Terminal (SIST): Intrusions are launched by a single intruder from a single terminal device or its logical equivalent.
    • Single Intruder Multiple Terminal (SIMT): The intruder uses multiple windows on a computer to carry out one or more intrusions. Alternatively, the intruder might use multiple windows to establish several connections to the same target, hoping to hide the intrusive activity by distributing it over several windows, each having a separate session to the target computer.
    • Multiple Intruder Multiple Terminal (MIMT): Multiple intruders participate in one or more intrusions simultaneously.
  • 8. Approaches to Intrusion Detection
    • The main approaches used by IDSs are:
    • Anomaly Detection:
    • This is based on the premise that an attack on a computer system will be noticeably different from normal system activity.
    • It will exhibit a pattern of behavior different from that of a normal user.
    • So the IDS attempts to characterize each user’s normal behavior by maintaining a profile of each user’s activities.
    • Predefined “bounds” are checked when comparing recent activities with past activities.
    • Misuse Detection:
    • The IDS watches for indications of “specific, precisely representable techniques for computer system abuse”.
    • The IDS includes a collection of “signatures”, which encapsulate the identifying characteristics of specific intrusion techniques.
  • 9. Software Platform
    • Both the computer user and the intruder are simulated while the IDS is running.
    • The Unix package “expect” is used to simulate users in our testing experiments.
    • “expect” is built on the Unix package called “Tcl” (Tool Command Language).
    • Using “expect”, scripts (similar to UNIX shell scripts) are written that include intrusive commands.
    • To run the scripts, “expect” provides a script interpreter which issues the script commands to the computer system.
    • The “Tcl” package provides an interpreter for a simple programming language that includes variables, procedures, and control constructs such as “if” and “for” statements.
    • “Tcl” is implemented as a C library package.
    • “expect” extends the “Tcl” command set with several components for controlling interactive programs.
  • 12. Testing Issues
    • Performance objectives for an IDS:
    • -- Broad Objectives for an IDS: For each intrusion in a broad range of known intrusions, the IDS should be able to distinguish the intrusion from normal behavior.
    • -- Economy in Resource Usage: The IDS should function without using too many system resources such as main memory, CPU time and disk space.
    • -- Resilience to Stress: The IDS should still function correctly under stressed conditions in the system.
  • 13. Test Case Selection
    • A test case is a simulated user session.
    • A key problem is to select which intrusions to simulate.
    • Testers should first collect as many intrusions as possible.
    • Testers must partition the set of intrusions into classes, and then create a representative subset of intrusions [Equivalence Partitioning].
    • One test case from each class can be selected to represent the class in the final set of test cases.
    • Intrusions can be classified on the basis of “signatures”.
  • 14. Limitations on Test Case Selection
    • The software program that we use to simulate users cannot completely simulate the behavior of a user working with a GUI-based program.
    • --- The intruder’s activities generate some system activity, a subset of which is related directly to the attack.
    • --- The simulation tool must be capable of causing that subset of activity to occur.
    • The testing is designed to test systems that primarily perform misuse detection.
    • --- Some of the testing procedures can be adapted for testing IDSs that perform anomaly detection as well.
  • 15. Testing Methodology
    • The basic testing procedure is as follows:
    • Create and/or select a set of test scripts.
    • Establish the desired conditions in the computing environment.
    • Start the IDS.
    • Run the test scripts.
    • Analyze the IDS output.
    • We divide the test procedures into three categories which correspond directly to the three performance objectives.
  • 16. Intrusion Identification Tests
    • Two intrusion identification tests measure the ability of the IDS to distinguish known intrusions from normal behavior.
    • Basic Detection Test:
    • Create a set of intrusion scripts.
    • As far as possible, eliminate unrelated computing activity in the environment.
    • Start the IDS.
    • Run the intrusion scripts.
    • Normal User Test:
    • Create a set of normal-user scripts.
    • Start the IDS.
    • Run the normal-user scripts.
  • 17. Resource Usage Test
    • The resource usage tests measure how many system resources are used by the IDS.
    • Results from these tests can be used to decide whether it is practical to run a particular IDS in a particular computing environment.
    • Disk Space Test (a type of Resource Usage Test):
    • Eliminate unrelated activity in the test environment.
    • Start the IDS.
    • Run the test scripts for a measured period of time.
    • Calculate the total disk space used by the IDS to record the sessions associated with the scripts.
  • 18. Stress Test
    • Stress tests check whether the IDS can be affected by “stressful” conditions in the computing environment.
    • An intrusion that the IDS would ordinarily detect might go undetected under such conditions.
    • Stress Test: Smoke Screen Noise:
    • “Noise” is activity that is not directly part of an intrusion. An intruder might attempt to disguise an intrusion by employing noise as a smoke screen.
    • Create suitable test scripts.
    • The test should be conducted like the Basic Detection Test.
    • Testers should conduct further tests to determine the cause of the problem.
  • 19.
    • Stress Test: Intensity: The intensity test checks whether the IDS is affected by sessions in which a lot of activity is generated very quickly, so that the IDS information source logs a lot of activity in a short time.
    • “Stress scripts” that simulate such a session should be created.
    • A script should simulate several user sessions.
    • The script logs all the activity after the intrusion and then logs out of the user session.
    • Such a script is normally a combined form of the Basic Detection Test scripts.
    • The scripts should be run once.
    • The stress test can be repeated several times, each time with a different number of stress scripts running.
  • 20.
    • Stress Test: Load
    • The load stress test investigates the effect of load on the IDS host CPU.
    • A high load should be established on the IDS host.
    • A high load can be created by running additional programs on the IDS host.
    • The Unix “nice” command can be used.
    • The output from this test should be compared to the output from the Basic Detection Test.
    • Differences may be evidence that the IDS is missing some intrusive activity.
    • The test should be repeated several times, each time with a different load on the IDS host.
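An added example, not from these slides or the paper behind them, of the “analyze the IDS output” step shared by the Basic Detection Test and the Load and Intensity stress tests: it scores one run against the scripts that were executed and lists the intrusions caught in the quiet run but lost under stress. The alert-line format, session names and signature names are constructed assumptions, not the output of any real IDS.

```python
# Score IDS output from the Basic Detection Test against a stress-test run.
# Constructed data; the format "<time> <session> ALERT <signature>" is assumed.
import re
from collections import defaultdict

# One simulated intrusion script per session, each expected to raise one
# signature (constructed names, not any real IDS's signature set).
TEST_SCRIPTS = {
    "sess01": "password_cracker",
    "sess02": "sniffer_install",
    "sess03": "setuid_exploit",
    "sess04": "route_table_change",
}
# Constructed output from the Basic Detection Test (quiet environment) ...
BASIC_RUN_LOG = """\
10:00:03 sess01 ALERT password_cracker
10:00:09 sess02 ALERT sniffer_install
10:00:15 sess03 ALERT setuid_exploit
10:00:21 sess04 ALERT route_table_change
"""
# ... and from the same scripts re-run under a Load stress test.
LOAD_RUN_LOG = """\
10:30:04 sess01 ALERT password_cracker
10:30:17 sess03 ALERT setuid_exploit
10:30:40 sess09 ALERT password_cracker
"""
ALERT_RE = re.compile(r"^(\S+) (\S+) ALERT (\S+)$")

def parse_alerts(log_text):
    """Map session -> set of signatures raised; non-alert lines are ignored."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            hits[m.group(2)].add(m.group(3))
    return hits

def detection_report(log_text, scripts=TEST_SCRIPTS):
    """Scripts detected/missed, alerts from sessions that ran no script, hit rate."""
    hits = parse_alerts(log_text)
    found = {s for s, sig in scripts.items() if sig in hits.get(s, set())}
    return {"detected": found, "missed": set(scripts) - found,
            "unexpected": {s for s in hits if s not in scripts},
            "rate": len(found) / len(scripts)}

def missed_under_stress(baseline_log, stress_log, scripts=TEST_SCRIPTS):
    """Intrusions caught in the basic test but lost under stress (the comparison the Load and Intensity tests call for)."""
    base = detection_report(baseline_log, scripts)
    stress = detection_report(stress_log, scripts)
    return sorted(base["detected"] & stress["missed"])
```

The "unexpected" sessions are worth a second look in the Normal User Test, since alerts raised by sessions that ran no intrusion script are candidate false alarms.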