A Methodology for Evaluation of Host-Based Intrusion Prevention Systems and Its Application

K. G. Labbe, N. Rowe, J. D. Fulp
DOI: 10.1109/IAW.2006.1652120 (https://doi.org/10.1109/IAW.2006.1652120)
Published in: 2006 IEEE Information Assurance Workshop, 21 June 2006
Citations: 6

Abstract

Host-based intrusion-prevention systems are currently popular technologies which try to prevent exploits from succeeding on a host. They are like host-based intrusion-detection systems (P. E. Proctor, 2001) but include means to automatically take actions once malicious activities or code are discovered. This can include terminating connections, services, or ports; refusing commands; blocking packets from specific Internet addresses; initiating tracing of packets; and sending modified packets back to a user. Automated responses to exploits can be quick without human intervention. Around ten commercial vendors are currently offering intrusion-prevention products (N. Desai, May 2006), and Snort-Inline is a popular open-source tool. Total intrusion prevention is a difficult goal to achieve, since it takes time to recognize an exploit and by then the damage may be done. So it is important to have a way to test the often-broad claims of intrusion-prevention products. The testing we propose is not as comprehensive as that offered by attack-traffic simulators like Skaion's TGS (www.skaion.com) or by the DETER testbed (www.deterlab.net). But attack-traffic simulators, even when up-to-date, only model broad characteristics of attacks and not their context-dependent behavior, so they can produce significant numbers of false negatives. DETER emulates rather than executes malicious software to provide added safety, which is not quite the same. DETER also imposes several bureaucratic obstacles for getting approval for experiments and obtaining time on their hardware to run them; this bureaucracy requires motivation and time to navigate. For quick testing in depth of a new product that has not been evaluated in DETER, or for finding reasons to rule out a product, a simpler approach that is easier to set up is required.