Design and Implementation of an Open Network and Host-Based Intrusion Detection Testbed with an Emphasis on Accuracy and Repeatability

Abstract

The Open Network and Host Based Intrusion Detection Test bed (ONBIT) has been designed to make use of both network and host-based monitoring while validating and evaluating IDS tools and algorithms. This test bed was found to be of critical need for scenarios in which external test beds cannot be used. The ONBIT test bed can be used to verify algorithms, concepts, and protocols, as well as discover more practical problems for future security research. This test bed is unique in its real-time nature and real-world performance and efficiency metrics, critical metrics for capabilities being readied for deployment. The ONBIT test bed was built using open source software and was designed to take accuracy and repeatability into consideration at each step of experimentation. Using a link emulator called Dummy Net, the ONBIT test bed has the ability to control how the network behaves. Dummy Net creates controlled packet loss, introduces latency, and allows for the configuration of various size network pipes. We show the benefit of correlating host-based and network-based IDS data in a real-world demonstration of the testbed's use.