IIT Home Page CNR Home Page

Testing Network Security Detectors

Network security has enjoyed a growth in interest as the number of Internet users, and threats, has increased. However, the expected performance for any given security detector cannot be predicted, nor can the ability of the detector to recognize events with differing characteristics be quantified. Further, comparing two different detectors in order to determine which will perform best under a given set of conditions is not easily achieved. Rather, the performance results for security detectors, when presented at all, tend to be based on either results from testing using MIT's Lincoln Labs data set or from tests using network traces captured from a single network block. The first approach, while providing a useful baseline for side-by-side comparisons of security detectors, consists of an aging data set that has well-known shortcomings, while the second approach does not address how well a detector will perform in an environment that differs in size, usage or design. In this presentation I will start with examining some of the issues involved in testing network security detectors. I will then present a new testing methodology, which I used to test a co-ordinated port scan detector. The end result from this methodology is a regression model that describes how well the detector performs in the test environment given scans with varying characteristics. I demonstrate the model's predictive capability when faced with a new operating environment, as well as illustrate its ability to compare the capabilities of two different detectors.


Dal 18/03/2008-12.59 al 18/03/2008-12.59 , Istituto di Informatica e Telematica

Responsabile: Fabio Martinelli


Note: Speaker: Carrie Gates, CA Labs