Testing Intrusion Detection Systems
  1. 1. Testing Intrusion Detection Systems
  2. 2. Introduction
     <ul>
       <li>An Intrusion Detection System (IDS) is a system that attempts to identify intrusions.</li>
       <li>What is an “intrusion”?
         <ul>
           <li>Unauthorized use</li>
           <li>Misuse</li>
           <li>Abuse of computer systems by authorized users</li>
         </ul>
       </li>
       <li>How does an IDS detect intrusions?
         <ul>
           <li>By analyzing information about user activity from sources such as audit records, system tables and network traffic summaries.</li>
         </ul>
       </li>
       <li>Who uses IDSs?
         <ul>
           <li>The National Security Agency’s Multics Intrusion Detection and Alerting System (MIDAS), the Distributed Intrusion Detection System (DIDS), etc.</li>
         </ul>
       </li>
     </ul>
  3. 3. Why do we need to test an IDS?
     <ul>
       <li>Users need to know how effective their IDSs are.</li>
       <li>To what extent can they rely on their IDS?</li>
       <li>Evaluating an IDS to decide whether to buy it for their system.</li>
       <li>Why is evaluating an IDS a difficult task?
         <ul>
           <li>It can be difficult or impossible to identify the set of all possible intrusions that might occur at the site where a particular IDS is employed, because:
             <ul>
               <li>the number of intrusion techniques is large;</li>
               <li>a site may not have access to information about all past intrusions;</li>
               <li>intruders can discover previously known vulnerabilities in a computer system and then use new intrusion techniques to exploit them.</li>
             </ul>
           </li>
         </ul>
       </li>
     </ul>
  4. 4. An IDS can be affected by various conditions in the computer system.
     <ul>
       <li>Even if an IDS detects an intrusion, it may not detect the same intrusion when the overall level of computer activity in the system is high.</li>
       <li>So we have to adopt a methodology for testing IDSs that confronts these difficulties.</li>
       <li>The methodology measures the effectiveness of an IDS with respect to these objectives.</li>
       <li>It consists of strategies for selecting test cases and a series of detailed testing procedures.</li>
       <li>The Unix tool “expect” is used as the software platform for creating the user-simulation scripts used in the testing experiments.</li>
     </ul>
  5. 5. Scenarios for Intrusion
     <ul>
       <li>The following scenarios are examples of intrusions:
         <ul>
           <li>An employee browses through his/her boss’s employee reviews.</li>
           <li>A user exploits a flaw in a file server program to gain access to, and then corrupt, another user’s file.</li>
           <li>A user exploits a flaw in a system program to obtain “super-user” status.</li>
           <li>An intruder uses a script to crack the passwords of other users on a computer.</li>
           <li>An intruder installs a “snooping program” on a computer to inspect network traffic that may contain sensitive data.</li>
           <li>An intruder modifies router tables in a network to prevent the delivery of messages to a particular computer (a denial-of-service attack).</li>
         </ul>
       </li>
     </ul>
  6. 6. Concurrent Intrusion
     <ul>
       <li>Single Intruder Single Terminal (SIST): intrusions are launched by a single intruder from a single terminal device or its logical equivalent.</li>
       <li>Single Intruder Multiple Terminal (SIMT): the intruder uses multiple windows on a computer to carry out one or more intrusions. Alternatively, the intruder might use multiple windows to establish several connections to the same target, hoping to hide the intrusive activity by distributing it over several windows, each having a separate session to the target computer.</li>
       <li>Multiple Intruder Multiple Terminal (MIMT): multiple intruders participate in one or more intrusions simultaneously.</li>
     </ul>
  7. 8. Approaches to Intrusion Detection
     <ul>
       <li>The main approaches used by IDSs are:
         <ul>
           <li>Anomaly detection:
             <ul>
               <li>Based on the premise that an attack on a computer system will be noticeably different from normal system activity.</li>
               <li>It will exhibit a pattern of behavior different from that of a normal user.</li>
               <li>So the IDS attempts to characterize each user’s normal behavior by maintaining a profile of each user’s activities.</li>
               <li>Predefined “bounds” are checked when comparing recent activities with past activities.</li>
             </ul>
           </li>
           <li>Misuse detection:
             <ul>
               <li>The IDS watches for indications of “specific, precisely representable techniques for computer system abuse”.</li>
               <li>The IDS includes a collection of “signatures”, which encapsulate the identifying characteristics of specific intrusion techniques.</li>
             </ul>
           </li>
         </ul>
       </li>
     </ul>
  8. 9. Software Platform
     <ul>
       <li>Both the computer user and the intruder are simulated while the IDS is running.</li>
       <li>The Unix package “expect” is used to simulate users in our testing experiments.</li>
       <li>“expect” is based on the Unix package “Tcl” (Tool Command Language).</li>
       <li>Using “expect”, scripts (similar to UNIX shell scripts) are written that include intrusive commands.</li>
       <li>To run the scripts, “expect” provides a script interpreter that issues the scripts’ commands to the computer system.</li>
       <li>The “Tcl” package provides an interpreter for a simple programming language that includes variables, procedures, and control constructs such as “if” and “for” statements.</li>
       <li>“Tcl” is implemented as a C library package.</li>
       <li>“expect” extends the “Tcl” command set with several components for controlling interactive programs.</li>
     </ul>
  9. 12. Testing Issues
     <ul>
       <li>Performance objectives for an IDS:
         <ul>
           <li>Broad objectives for an IDS: for each intrusion in a broad range of known intrusions, the IDS should be able to distinguish the intrusion from normal behavior.</li>
           <li>Economy in resource usage: the IDS should function without using too many system resources such as main memory, CPU time and disk space.</li>
           <li>Resilience to stress: the IDS should still function correctly under stressed conditions in the system.</li>
         </ul>
       </li>
     </ul>
  10. 13. Test Case Selection
     <ul>
       <li>A test case is a simulated user session.</li>
       <li>A key problem is selecting which intrusions to simulate.</li>
       <li>Testers should first collect as many intrusions as possible.</li>
       <li>Testers must partition the set of intrusions into classes and then create a representative subset of intrusions (equivalence partitioning).</li>
       <li>One test case from each class can be selected to represent the class in the final set of test cases.</li>
       <li>Intrusions can be classified on the basis of “signatures”.</li>
     </ul>
  11. 14. Limitation on Test Case Selection
     <ul>
       <li>The software program that we use to simulate users cannot completely simulate the behavior of a user working with a GUI-based program.
         <ul>
           <li>The intruder’s activities generate some system activity, a subset of which is related directly to the attack.</li>
           <li>The simulation tool must be capable of causing that subset of activity to occur.</li>
         </ul>
       </li>
       <li>The testing is designed to test systems that primarily perform misuse detection.
         <ul>
           <li>Some of the testing procedures can be adapted for testing IDSs that perform anomaly detection as well.</li>
         </ul>
       </li>
     </ul>
  12. 15. Testing Methodology
     <ul>
       <li>The basic testing procedure is as follows:
         <ol>
           <li>Create and/or select a set of test scripts.</li>
           <li>Establish the desired conditions in the computing environment.</li>
           <li>Start the IDS.</li>
           <li>Run the test scripts.</li>
           <li>Analyze the IDS output.</li>
         </ol>
       </li>
       <li>We divide the test procedures into three categories, which correspond directly to the three performance objectives.</li>
     </ul>
  13. 16. Intrusion Identification Tests
     <ul>
       <li>Two intrusion identification tests measure the ability of the IDS to distinguish known intrusions from normal behavior.</li>
       <li>Basic Detection Test:
         <ol>
           <li>Create a set of intrusion scripts.</li>
           <li>As much as possible, eliminate unrelated computing activity in the environment.</li>
           <li>Start the IDS.</li>
           <li>Run the intrusion scripts.</li>
         </ol>
       </li>
       <li>Normal User Test:
         <ol>
           <li>Create a set of normal-user scripts.</li>
           <li>Start the IDS.</li>
           <li>Run the normal-user scripts.</li>
         </ol>
       </li>
     </ul>
  14. 17. Resource Usage Test
     <ul>
       <li>The resource usage tests measure how many system resources are used by the IDS.</li>
       <li>Results from these tests can be used to decide whether it is practical to run a particular IDS in a particular computing environment.</li>
       <li>Disk Space Test (a type of resource usage test):
         <ol>
           <li>Eliminate unrelated activity in the test environment.</li>
           <li>Start the IDS.</li>
           <li>Run the test scripts for a measured period of time.</li>
           <li>Calculate the total disk space used by the IDS to record the sessions associated with the scripts.</li>
         </ol>
       </li>
     </ul>
  15. 18. Stress Test
     <ul>
       <li>Stress tests check whether the IDS can be affected by “stressful” conditions in the computing environment.</li>
       <li>An intrusion that the IDS would ordinarily detect might go undetected under such conditions.</li>
       <li>Stress Test: Smoke Screen Noise:
         <ul>
           <li>“Noise” is activity that is not directly part of an intrusion. An intruder might attempt to disguise an intrusion by employing noise as a smoke screen.</li>
           <li>Create suitable test scripts.</li>
           <li>The test should be conducted like the Basic Detection Test.</li>
           <li>Testers should conduct further tests to determine the cause of any problem found.</li>
         </ul>
       </li>
     </ul>
  16. 19. Stress Test: Intensity
     <ul>
       <li>The intensity test checks whether the IDS is affected by sessions in which a lot of activity is generated very quickly, so that the IDS information source logs a lot of activity in a short time.
         <ul>
           <li>“Stress scripts” that simulate such sessions should be created.</li>
           <li>A script should simulate several user sessions.</li>
           <li>The script logs all the activity after the intrusion and then logs out of the user session.</li>
           <li>Such a script is normally a combined form of the Basic Detection Test scripts.</li>
           <li>The scripts should be run once.</li>
           <li>The stress test can be repeated several times, each time with a different number of stress scripts running.</li>
         </ul>
       </li>
     </ul>
  17. 20. Stress Test: Load
     <ul>
       <li>The load stress test investigates the effect of load on the IDS host CPU.
         <ul>
           <li>A high load should be established on the IDS host.</li>
           <li>A high load can be created by running additional programs on the IDS host.</li>
           <li>The Unix “nice” command can be used.</li>
           <li>The output from this test should be compared with the output from the Basic Detection Test.</li>
           <li>Differences may be evidence that the IDS is missing some intrusive activity.</li>
           <li>The test should be repeated several times, each time with a different load on the IDS host.</li>
         </ul>
       </li>
     </ul>
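The "analyze the IDS output" step ties the Test Case Selection, Intrusion Identification and Stress Test slides together; the following is an added example (not code from the slides or from the underlying study) that selects one script per signature class, scores a Basic Detection Test and a Normal User Test, and lists the scripts a Load stress run failed to detect. The "<time> <signature> <script>" alert-line format, the script names and the alert logs are all constructed for this example.

```python
# Added example (not from the slides): the "analyze the IDS output" step of the
# methodology on constructed alert logs; the "<time> <signature> <script>"
# alert format and all names are assumptions made for this example.

# Constructed test-case catalogue: script name -> signature class it exercises.
TEST_CASES = {
    "tc01": "password-crack", "tc02": "password-crack",
    "tc03": "privilege-escalation", "tc04": "privilege-escalation",
    "tc05": "sniffer-install", "tc06": "router-table-tamper",
}
# Constructed IDS output from three runs: Basic Detection Test, Load stress
# test, and Normal User Test (a run that should raise no alert at all).
ALERTS_BASIC = """10:00:01 password-crack tc01
10:00:05 privilege-escalation tc03
10:00:09 sniffer-install tc05
10:00:12 router-table-tamper tc06
"""
ALERTS_LOAD = "11:00:02 password-crack tc01\n11:00:15 router-table-tamper tc06\n"
ALERTS_NORMAL = "12:00:07 privilege-escalation nu02\n"

def select_representatives(cases):
    """Equivalence partitioning: keep one script per signature class."""
    chosen = {}
    for script, signature in sorted(cases.items()):
        chosen.setdefault(signature, script)   # first script of each class
    return chosen

def detected_scripts(alert_text):
    """Script ids the IDS raised at least one alert for; skips malformed lines."""
    found = set()
    for line in alert_text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            found.add(fields[2])
    return found

def detection_rate(alert_text, scripts):
    """Fraction of the selected intrusion scripts the IDS detected."""
    return len(detected_scripts(alert_text) & set(scripts)) / len(scripts)

def missed_under_stress(baseline_text, stress_text, scripts):
    """Scripts detected in the Basic Detection Test but not in the stress run:
    the difference the Load slide says to look for."""
    base = detected_scripts(baseline_text) & set(scripts)
    return sorted(base - detected_scripts(stress_text))

def false_alarms(normal_text):
    """Normal User Test: every alert is a false positive."""
    return sorted(detected_scripts(normal_text))
```

Run the comparison once per load level, as the slide says, and keep the missed-script lists side by side; a list that grows with the load is the evidence of stress sensitivity the test is looking for.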