Architecture for Evaluating and Correlating NIDS in Real-World Networks
Co-author: Robert Koch (Bundeswehr University)
Research in IT security, here specifically the evaluation and correlation of Intrusion Detection Systems (IDS), places special demands on the construction and operation of the IT systems involved. In order to (i) evaluate multiple IDS under absolutely identical conditions and (ii) check their reactions, especially to novel attack patterns and attacker behaviour, all attack-related actions (i.e. all traffic) have to be forwarded to all IDS in parallel and in real time. In addition, an attractive target has to be offered to potential attackers, giving the outward appearance of real productive systems and networks, including the corresponding behaviour.
In particular, the correlation of IDS appears to be a promising approach to compensating for the individual deficiencies of each type of IDS: knowledge-based systems are only able to detect previously known attacks, while anomaly-based systems suffer from higher False Alarm Rates (FARs). Moreover, periodic performance evaluation studies, e.g. by NSS Labs, have shown that numerous IDS are not configured properly and deliver a much worse system performance and detection capability than announced by the vendors. However, changing the parameters of systems in productive networks (for the correlation of IDS as well as for their evaluation) can increase the exposure of the network or, in case of severe misconfigurations, even bring it down.
To overcome these shortcomings, we present an architecture that supports research in IT security while ensuring that all actions associated with an attack are recorded and that the attack cannot spill over from the research environment into the productive environment. Each test system is supplied with an unaltered live copy of the network traffic. This allows an assessment of the detection as well as a comparison of different NIDS concepts and products. In addition, different strategies for correlating the alerts of multiple systems can be evaluated. Furthermore, superior configurations can be identified and assessed without endangering the productive network.