Analysis and evaluation of network intrusion detection methods; a case of anomaly detection and signature detection approaches

Date
2010-06
Publisher
Kampala International University, College of Computing
Abstract
Many network administrators and network analysts in organizations do not know which intrusion detection system to use. This is partly because there is no clear comparison between the different intrusion detection systems. Therefore, organizations need concrete comparisons between different tools in order to choose which best suits their needs. This research aims at comparing anomaly with signature detection methods in order to establish which is best suited to guard an organization against threats such as data theft. The difference between anomaly and signature-based detection is that an anomaly Intrusion Detection System needs to be trained and generates many alerts, the majority of which are false alarms; hence another aim is to establish the influence of the training period length of an anomaly Intrusion Detection System on its detection rate. Hence, this research presents a Network-based Intrusion Detection System evaluation testbed setup, and it shows the setup for two of these using the signature detector (Snort) and the anomaly detector Statistical Packet Anomaly Detection Engine (SPADE). The evaluation testbed is then used to create a data theft scenario that includes the following stages: reconnaissance; gaining unauthorized access; and finally data theft. Therefore, it offers the opportunity to compare both detection methods with regard to that threat. This research also acts as documentation for setting up a network Intrusion Detection System evaluation testbed. SPADE lacks centralized documentation, and no research paper could be identified that clearly documents the configuration of an evaluation testbed for Intrusion Detection Systems. Standards for evaluating Intrusion Detection Systems could not be identified, and thus this required the creation of a bespoke evaluation testbed which, in turn, limited the time dedicated to evaluating the threat scenario itself. Along with this, results show that configuration, testing and verification of the anomaly detection system is highly error-prone.
Description
Project report submitted to the school of computer studies in partial fulfillment of the requirements for the award of Bachelor of Computer Science of Kampala International University
Keywords
network intrusion, signature detection