In this section we introduce a practical mathematical model for evaluating and deploying IDSs in your network. This section is based on
Because of the nature of IDSs, they will always be at a
Moreover, monitoring "switched networks" is
Another limitation of IDSs is that they are extremely vulnerable to attack or evasion. For example, denial-of-service (DoS) attacks such as SYN floods or
Later in this chapter, we will discuss ways to hack through IDSs. However, before completely discouraging you from using them, we will first provide some mathematical models that show you how IDSs can help protect your network. The following section will introduce statistical methods for evaluating the effectiveness of IDSs. Based on your statistical evaluations, you will then be able to intelligently implement different flavors of IDSs at different points in your network.
Sensitivity Versus Specificity
This section discusses the properties of diagnostic software, and their implications for interpreting test results. By understanding these concepts and how they apply to IDSs, you can make better
Consider a typical IDS report monitor as represented by the 2x2 table in Figure 14.1. One axis, called Intrusion, represents whether an intrusion has really occurred. For example, on this axis, the "+" means there really was an intrusion, while the "-" means there was no intrusion.
Figure 14.1. Sensitivity versus specificity.
TP = True Positive = "Intrusion Correctly Detected"
FP = False Positive = "False Alarm"
FN = False Negative = "Intrusion Missed"
TN = True Negative = "Integrity Correctly Detected"
The other axis is called IDS Response and represents whether or not the IDS thinks it has detected an intrusion. For example, on this axis, the "+" means the IDS thinks there was an intrusion, while the "-" means the IDS thinks there was no intrusion. As in the real world, this model shows that the IDS is not always correct. We can use the incidence of each quadrant of the 2x2 table to help us understand the statistical properties of an IDS.
Sensitivity is defined as the true positive rate (that is, the fraction of intrusions that are detected by the IDS). Mathematically, sensitivity is
True Positives / (True Positives + False Negatives)
The false negative rate is equal to 1 minus the sensitivity. The more sensitive an IDS is, the less likely it is to
Sensitive IDSs are useful for identifying attacks on areas of the network that are easy to fix or should never be missed. Sensitive tests are more useful for "screening"; that is, when you need to rule out anything that might even remotely represent an intrusion. Among sensitive IDSs, negative results have more inherent value than positive results do.
For example, you would need a sensitive IDS to monitor host machines sitting deep in the corporate LAN,
Figure 14.2. Sample network.
Mathematically, specificity is expressed as follows:
True Negatives / (True Negatives + False Positives)
True negatives represent an IDS that is correctly reporting that there are no intrusions. False positives occur when an IDS mistakenly
Specific IDSs have the greatest utility to the network administrator. For these programs, positive results are more useful than negative results. Specific tests are useful when consequences for false positive results are serious.
You would choose an IDS with a high specificity for an area of the network where automatic diagnosis is critical. For example, in Figure 14.2, Area 1 represents the corporate firewall that faces the Internet. In this case, you would need an IDS that has a high specificity to detect DoS attacks, because they can be fatal if not detected early. At this point in the network, you care less about overall sensitivity, because you are "
Often, a trade-off occurs between sensitivity and specificity that varies on a continuum dependent on an arbitrary cutoff point. A cutoff for abnormality can be
However, there are situations when you need to
For example, you might need a high-accuracy IDS in an area of the network such as Area 3 in Figure 14.2. In this case, your Web server is under constant attack, and it would also cause the most immediate embarrassment and financial loss if compromised. In this case, you need to process any
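The sensitivity and specificity formulas above, and the way both shift as the alert cutoff moves, can be worked through in code. This is an added example, not from the original text: the anomaly scores, ground-truth labels, cutoffs and function names are all constructed for illustration, and it assumes an IDS that alerts when a score meets or exceeds the cutoff.

```python
from collections import Counter

# (anomaly_score, real_intrusion) pairs. Constructed sample, not real IDS output.
EVENTS = [
    (0.95, True), (0.90, True), (0.80, True), (0.65, True), (0.40, True),
    (0.85, False), (0.60, False), (0.50, False), (0.30, False), (0.25, False),
    (0.20, False), (0.15, False), (0.10, False), (0.05, False), (0.02, False),
]

def confusion(events, cutoff):
    """Fill the 2x2 table of Figure 14.1; the IDS alerts when score >= cutoff."""
    cells = Counter()
    for score, intrusion in events:
        alert = score >= cutoff
        if intrusion:
            cells["TP" if alert else "FN"] += 1   # detected vs. missed intrusion
        else:
            cells["FP" if alert else "TN"] += 1   # false alarm vs. correct silence
    return cells

def sensitivity(c):
    """TP / (TP + FN). Returns None when no intrusions were observed."""
    total = c["TP"] + c["FN"]
    return c["TP"] / total if total else None

def specificity(c):
    """TN / (TN + FP). Returns None when no benign events were observed."""
    total = c["TN"] + c["FP"]
    return c["TN"] / total if total else None

def sweep(events, cutoffs):
    """Return (cutoff, sensitivity, specificity) for each candidate cutoff."""
    rows = []
    for cutoff in cutoffs:
        c = confusion(events, cutoff)
        rows.append((cutoff, sensitivity(c), specificity(c)))
    return rows

if __name__ == "__main__":
    for cutoff, sens, spec in sweep(EVENTS, [0.1, 0.3, 0.5, 0.7, 0.9]):
        print(f"cutoff={cutoff:.1f}  sensitivity={sens:.2f}  "
              f"specificity={spec:.2f}  false-negative rate={1 - sens:.2f}")
```

On this sample, lowering the cutoff catches every intrusion at the cost of many false alarms, while raising it silences the false alarms but misses intrusions.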