
Paper Abstract: Air Force Intrusion Detection System Evaluation Environment

Ongoing DARPA-sponsored research in computer intrusion detection (ID) has produced emerging systems that use a variety of techniques: network sniffing, filesystem checks, inspection of local host audit records, and more complex correlation of the reports from distributed sensors. This research has become increasingly important as computer attacks grow in number, publicity and damage done. The Air Force Research Laboratory (AFRL) INFOSEC Technology Office has volunteered to regularly test and evaluate these emerging ID systems for possible insertion into critical national networks.

The evaluations consisted of running the ID systems on a live network and then flooding that network with a mix of traffic: "normal" traffic (legitimate traffic that any office network would reasonably expect, such as email, HTTP and telnet) and attacks, ranging from fairly recent ones to well-known network attacks. To protect the testbed's real security and the integrity of the evaluations, AFRL built a self-contained test environment that models an actual base network.

In support of the AFRL test effort, the Massachusetts Institute of Technology's Lincoln Laboratory developed non-real-time evaluation tools for assessing the performance of individual ID systems. Their testbed, designed for repeatability, replays huge volumes of recorded data at accelerated speed to quickly produce high-confidence performance measurements. ID systems in the field, however, will likely have to defend larger and more complex networks and will interact with other components. Evaluating that interaction, and the performance that results from it, required AFRL to build a more complex, real-time environment.
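The core of any such non-real-time evaluation is scoring a sensor's alerts against the ground truth of what the testbed actually injected. The following is an added illustration of that scoring step, not code from the paper or from the AFRL or Lincoln Laboratory tools; the attack list, alert list, replay duration, ten-second matching slack, and the per-day false-alarm normalisation are all assumptions made here. It credits an attack as detected when at least one alert lands on the right target host inside the attack's time window, counts every unmatched alert as a false alarm, and sweeps the sensor's confidence threshold to produce the points of a detection-rate versus false-alarm curve.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Attack:
    """One attack the evaluators injected into the replayed traffic (ground truth)."""
    name: str
    target: str
    start: float  # seconds since the start of the replay
    end: float


@dataclass(frozen=True)
class Alert:
    """One alert emitted by the ID system under test."""
    time: float
    target: str
    score: float  # sensor confidence in [0, 1]; higher means more certain


# Constructed ground truth for the example (not real evaluation data).
ATTACKS = [
    Attack("portsweep", "10.0.0.5", 100.0, 160.0),
    Attack("smurf", "10.0.0.9", 400.0, 420.0),
    Attack("guess_passwd", "10.0.0.7", 900.0, 960.0),
]

# Constructed sensor output for the example (not real sensor data).
ALERTS = [
    Alert(105.0, "10.0.0.5", 0.9),  # inside the portsweep window
    Alert(150.0, "10.0.0.5", 0.4),  # same attack again; still one detection
    Alert(300.0, "10.0.0.2", 0.3),  # fired on background traffic: false alarm
    Alert(410.0, "10.0.0.9", 0.7),  # inside the smurf window
    Alert(700.0, "10.0.0.7", 0.8),  # right host, wrong time: false alarm
    Alert(965.0, "10.0.0.7", 0.6),  # just after guess_passwd, within slack
]


def matches(alert: Alert, attack: Attack, slack: float) -> bool:
    """An alert matches an attack if it names the same target inside the
    attack window, widened by `slack` seconds on each side to allow for
    sensor latency and clock skew between sensor and replay engine."""
    return (alert.target == attack.target
            and attack.start - slack <= alert.time <= attack.end + slack)


def score(attacks: List[Attack], alerts: List[Alert], threshold: float,
          slack: float = 10.0, replay_seconds: float = 86400.0
          ) -> Tuple[float, int, float, List[str]]:
    """Score the alerts at or above `threshold` against the ground truth.

    Returns (detection_rate, false_alarms, false_alarms_per_day, detected).
    Detection is counted per attack instance, not per alert, so a chatty
    sensor cannot inflate its detection rate by alerting many times on one
    attack. False alarms are normalised to a 24-hour day of traffic so runs
    of different length are comparable (an assumed convention here)."""
    considered = [a for a in alerts if a.score >= threshold]
    detected = set()
    false_alarms = 0
    for alert in considered:
        hits = [atk for atk in attacks if matches(alert, atk, slack)]
        if hits:
            detected.update(h.name for h in hits)
        else:
            false_alarms += 1
    detection_rate = len(detected) / len(attacks) if attacks else 0.0
    fa_per_day = false_alarms * 86400.0 / replay_seconds
    return detection_rate, false_alarms, fa_per_day, sorted(detected)


def roc_curve(attacks: List[Attack], alerts: List[Alert],
              slack: float = 10.0, replay_seconds: float = 86400.0
              ) -> List[Tuple[float, float, int, float]]:
    """Sweep the confidence threshold over every distinct alert score, from
    strictest to loosest, giving (threshold, detection_rate, false_alarms,
    false_alarms_per_day) for each operating point."""
    thresholds = sorted({a.score for a in alerts}, reverse=True)
    return [(t,) + score(attacks, alerts, t, slack, replay_seconds)[:3]
            for t in thresholds]


if __name__ == "__main__":
    for point in roc_curve(ATTACKS, ALERTS, replay_seconds=3600.0):
        print("threshold %.1f  detection %.2f  false alarms %d  (%.0f/day)" % point)
```

The threshold sweep is what turns a single pass over recorded traffic into a curve rather than one number, which is why repeatable playback matters: every operating point is scored against the same ground truth. Note also that the two alerts on 10.0.0.7 show why matching must use both host and time window; the alert at 700 s is on an attacked host but outside any attack, and is correctly charged as a false alarm.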

Air Force Intrusion Detection System Evaluation Environment (667K PDF)
