
Re: IDS: RE: COTS intrusion detectors


Dug Song (dugsonganzen.com)
Fri, 10 Sep 1999 10:06:38 -0400 (EDT)


On Thu, 9 Sep 1999, Bawcom, Aaron wrote:

> The best way to find which IDS suits your needs is to try the products out
> in your environment and see for yourself which ones meet your needs.

but few ppl define their needs in any concrete way to begin with.

i've seen a few evaluation matrices ppl have come up with, and they tended to be vague and incomplete.

beyond the basic attack coverage metric (hit/miss/false alarm - of which false alarm rate is the most important [1]), there are issues of performance, reliability, robustness, maintainability, etc. etc. and of course, usability as well.

but few ppl understand what their actual testing requirements should be, or have the kind of coverage tools they need to do basic software testing. sadly, not even the vendors.

for users looking to evaluate - for purchase and deployment - software security systems whose operational failure mode is to FAIL-OPEN, this is EXTREMELY dangerous. and on the part of vendors, irresponsible.

-d.

[1] S. Axelsson, "On a Difficulty of Intrusion Detection" (regarding the Bayesian base-rate fallacy in IDS, presented at this week's RAID'99 conference)
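Worked example, added here and not part of Dug Song's post or of Axelsson's paper: the base-rate fallacy that footnote [1] refers to is the reason the false alarm rate dominates the other coverage metrics. The code below applies Bayes' rule to an IDS operating point (detection rate, false alarm rate) and a base rate of intrusions among audited events, and also solves the inverse problem of what false alarm rate a product would need to reach a given alarm precision. All the numbers (one million audit records a day, two intrusions per hundred thousand records, the candidate false alarm rates) are illustrative figures chosen for this example, not values taken from the post or the paper, and the function and class names are mine.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IdsOperatingPoint:
    """One point on an IDS ROC curve (names are this example's, not a product's)."""
    detection_rate: float    # P(alarm | intrusion), the "hit" rate
    false_alarm_rate: float  # P(alarm | no intrusion), the "false alarm" rate


def bayesian_detection_rate(base_rate: float, op: IdsOperatingPoint) -> float:
    """P(intrusion | alarm): the probability an alarm the analyst sees is real.

    base_rate is P(intrusion), the fraction of audited events that are intrusions.
    """
    p_intrusion = base_rate
    p_benign = 1.0 - base_rate
    p_alarm = op.detection_rate * p_intrusion + op.false_alarm_rate * p_benign
    if p_alarm == 0.0:
        return 0.0  # the sensor never fires, so no alarm is ever informative
    return (op.detection_rate * p_intrusion) / p_alarm


def expected_alarms_per_day(events_per_day: int, base_rate: float,
                            op: IdsOperatingPoint) -> tuple[float, float]:
    """Expected (true alarms, false alarms) per day for a given event volume."""
    intrusions = events_per_day * base_rate
    benign = events_per_day - intrusions
    return intrusions * op.detection_rate, benign * op.false_alarm_rate


def required_false_alarm_rate(base_rate: float, detection_rate: float,
                              target_precision: float) -> float:
    """False alarm rate needed so that P(intrusion | alarm) == target_precision.

    Solves target = d*p / (d*p + f*(1-p)) for f.
    """
    if not 0.0 < target_precision < 1.0:
        raise ValueError("target_precision must be strictly between 0 and 1")
    return (detection_rate * base_rate * (1.0 - target_precision)) / (
        target_precision * (1.0 - base_rate))


if __name__ == "__main__":
    # Constructed scenario: 1,000,000 audited events per day, 2 intrusions per 100,000.
    EVENTS_PER_DAY = 1_000_000
    BASE_RATE = 2e-5
    print(f"base rate of intrusion: {BASE_RATE:.0e} "
          f"({EVENTS_PER_DAY * BASE_RATE:.0f} intrusions/day)\n")
    print(f"{'FAR':>8} {'P(I|A)':>8} {'true/day':>9} {'false/day':>10}")
    # Even with a perfect detection rate, a "good" 0.1% false alarm rate buries
    # the real alarms; only a rate near the base rate itself gives usable precision.
    for far in (1e-2, 1e-3, 1e-4, 1e-5, 1e-6):
        op = IdsOperatingPoint(detection_rate=1.0, false_alarm_rate=far)
        precision = bayesian_detection_rate(BASE_RATE, op)
        true_alarms, false_alarms = expected_alarms_per_day(EVENTS_PER_DAY, BASE_RATE, op)
        print(f"{far:>8.0e} {precision:>8.3f} {true_alarms:>9.1f} {false_alarms:>10.1f}")
    needed = required_false_alarm_rate(BASE_RATE, 1.0, 0.5)
    print(f"\nFAR needed for every other alarm to be real: {needed:.2e}")
```

The point to take from the sweep is the one the post makes in passing: hit rate barely matters once the base rate is tiny, because the false alarm rate, multiplied by the overwhelming number of benign events, decides whether an analyst can act on the alarms at all. An evaluation matrix that records the false alarm rate without also recording the event volume it was measured against cannot tell you how the product will behave in your own environment.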



This archive was generated by hypermail 2.0b3 on Fri Sep 10 1999 - 21:44:54 CDT