R. Durst, T. Champion, B. Witten, E. Miller, and L. Spagnuolo. Testing and Evaluating Computer Intrusion Detection Systems. CACM, 42(7):53--61, July 1999.
....Available from ftp://ftp.ee.lbl.gov/tcpdump.tar.Z Available from http://cvs.nessus.org Available from http://www.fish.com/satan Available from http://www.insecure.org/nmap Available from http://www.nai.com For information on more rigorous IDS testing, refer to [DURST99] and [Jackson99]. See also [Spitzner99 5] for firewall validation methods. Each scan was originally done using all three scanning tools. For brevity, however, we shall only detail the results gained using Nessus; the results gained from the other tools were similar. In addition, Nmap was used to ....
Robert Durst, Terrence Champion, Brian Witten, Eric Miller and Luigi Spagnuolo "Testing and Evaluating Computer Intrusion Detection Systems", Communications of the ACM, July 1999, Vol. 42 no. 7, p. 53-61
....state transition diagrams were used to develop and reason about attacks, but these diagrams were translated by hand to the form required by the target IDS. The effectiveness of these original STAT based tools was successfully demonstrated in the 1998 DARPA Intrusion Detection Systems Evaluation [20, 7, 8]. Participation in this evaluation revealed that although USTAT and NetSTAT were both developed in an ad hoc way and virtually independently of each other, there were many similarities in the mechanisms ....
R. Durst, T. Champion, B. Witten, E. Miller, and L. Spagnuolo. Testing and Evaluating Computer Intrusion Detection Systems. CACM, 42(7):53--61, July 1999.
....state transition diagrams were used to develop and reason about attacks, but these diagrams were translated by hand to the form required by the target IDS. The effectiveness of these original STAT based tools was successfully demonstrated in the 1998 DARPA Intrusion Detection Systems Evaluation [20, 7, 8]. Participation in this evaluation revealed that although USTAT and NetSTAT were both developed in an ad hoc way and virtually independently of each other, there were many similarities in the mechanisms ....
R. Durst, T. Champion, B. Witten, E. Miller, and L. Spagnuolo. Addendum to "Testing and Evaluating Computer Intrusion Detection Systems". CACM, 42(9):15, September 1999.
.... Windows NT environments, called USTAT and WinSTAT, respectively [5 7]; a network-based intrusion detection system called NetSTAT [14, 15]; and a distributed event analyzer called NSTAT [16]. Two of the systems, namely USTAT and NetSTAT, have been used in four different DARPA sponsored evaluations [17, 18]. The CommSTAT communication infrastructure has been completed and distributed to the intrusion detection community through the IETF idwg mailing list. A first prototype of the MetaSTAT component that collects alerts from multiple sensors concurrently, stores them in a MySQL alert database and ....
Durst, R., Champion, T., Witten, B., Miller, E., Spagnuolo, L.: Testing and Evaluating Computer Intrusion Detection Systems. CACM 42 (1999) 53-61
....state transition diagrams were used to develop and reason about attacks, but these diagrams were translated by hand to the form required by the target IDS. The effectiveness of these original STAT based tools was successfully demonstrated in the 1998 DARPA Intrusion Detection Systems Evaluation [18, 6, 7]. Participation in this evaluation revealed that although USTAT and NetSTAT were both developed in an ad hoc way and virtually independently of each other, there were many similarities in the mechanisms they used to match attack scenarios against the input event streams. As a consequence, it was ....
R. Durst, T. Champion, B. Witten, E. Miller, and L. Spagnuolo. Testing and Evaluating Computer Intrusion Detection Systems. CACM, 42(7):53--61, July 1999.
....state transition diagrams were used to develop and reason about attacks, but these diagrams were translated by hand to the form required by the target IDS. The effectiveness of these original STAT based tools was successfully demonstrated in the 1998 DARPA Intrusion Detection Systems Evaluation [18, 6, 7]. Participation in this evaluation revealed that although USTAT and NetSTAT were both developed in an ad hoc way and virtually independently of each other, there were many similarities in the mechanisms they used to match attack scenarios against the input event streams. As a consequence, it was ....
R. Durst, T. Champion, B. Witten, E. Miller, and L. Spagnuolo. Addendum to "Testing and Evaluating Computer Intrusion Detection Systems". CACM, 42(9):15, September 1999.
....A second real time evaluation was performed in tandem with this off line evaluation to address these practical issues. This real time evaluation used four hours of background traffic and included a smaller number of complete packaged systems that could be delivered and run on a test network [11]. It made use of many of the traffic generation tools and attacks developed for the offline evaluation. 3. Evaluation Test Bed Three approaches were initially explored to generate a corpus that could be widely distributed and that included both background traffic and attacks. The first proposal ....
....various types (e.g. secretaries, programmers, managers) on outside workstations who perform work using telnet and other services on the three inside victim machines and the other inside workstations. The three gateway machines contain operating system kernel modifications similar to those used in [11] in conjunction with custom software web, mail, telnet, and other servers to allow a small number of actual hosts to appear as if they were 1000's of hosts with different IP addresses. The contents of network traffic such as SMTP, HTTP, and FTP file transfers are either statistically similar to ....
[Article contains additional citation context not shown here]
R. Durst, T. Champion, B. Witten, E. Miller and L. Spagnuolo, "Testing and evaluating computer intrusion detection systems", Communications of the ACM, 42(7), 1999, pp. 53-61.
....a completely new tool that would fit the new domain. In the second half of 1998, the NetSTAT and USTAT systems were evaluated as part of both the MIT Lincoln Laboratory's off line intrusion detection system evaluation [12] and the Air Force Research Laboratory (AFRL) real time evaluation [3, 4]. In the first case, USTAT and NetSTAT were used to analyze BSM logs and network traffic dumps of several weeks of traffic looking for attack signatures. In the second case, NetSTAT and USTAT were installed on a testbed network at AFRL. In both efforts the STAT based tools performed very well and ....
R. Durst, T. Champion, B. Witten, E. Miller, and L. Spagnuolo. Testing and Evaluating Computer Intrusion Detection Systems. CACM, 42(7):53--61, July 1999.
....a completely new tool that would fit the new domain. In the second half of 1998, the NetSTAT and USTAT systems were evaluated as part of both the MIT Lincoln Laboratory's off line intrusion detection system evaluation [12] and the Air Force Research Laboratory (AFRL) real time evaluation [3, 4]. In the first case, USTAT and NetSTAT were used to analyze BSM logs and network traffic dumps of several weeks of traffic looking for attack signatures. In the second case, NetSTAT and USTAT were installed on a testbed network at AFRL. In both efforts the STAT based tools performed very well and ....
R. Durst, T. Champion, B. Witten, E. Miller, and L. Spagnuolo. Addendum to "Testing and Evaluating Computer Intrusion Detection Systems". CACM, 42(9):15, September 1999.
....authors make solid claims in this area, and especially in relation to some usability scenario, i.e. as a percentage of how much a system owner would be willing to let intrusion detection cost him. 12 Since the first version of this paper, there has been some activity in this area, most notably [12, 39, 57]. 13 This category has not been tabulated as it is not a feature of the surveyed systems. It becomes clear when studying the surveyed references however. 14 False alarm, if you will. 14 classified intrusions (true positives) to the number of intrusions incorrectly classified as ....
Robert Durst, Terrence Champion, Brian Witten, Eric Miller, and Luigi Spagnuolo. Testing and evaluating computer intrusion detection systems. Communications of the ACM, 42(7):53-61, July 1999.
No context found.
R. Durst, T. Champion, B. Witten, E. Miller, and L. Spagnuolo. Testing and Evaluating Computer Intrusion Detection Systems. CACM, 42(7):53--61, July 1999.
No context found.
R. Durst, T. Champion, B. Witten, E. Miller, and L. Spagnuolo. Addendum to "Testing and Evaluating Computer Intrusion Detection Systems". CACM, 42(9):15, September 1999.
No context found.
R. Durst, T. Champion, B. Witten, E. Miller and L. Spagnuolo, "Testing and evaluating computer intrusion detection systems," Communications of the ACM, Vol. 42(7), 1999, pp.53-61.
No context found.
R. Durst, T. Champion, B. Witten, E. Miller, and L. Spagnuolo, "Testing and evaluating computer intrusion detection systems", Communications of the ACM, 42(7), pp. 53-61 (1999)
No context found.
R. Durst, T. Champion, B. Witten, E. Miller, and L. Spagnuolo, "Testing and evaluating computer intrusion detection systems", Communications of the ACM, 42(7), pp. 53-61 (1999)
No context found.
R. Durst, T. Champion, B. Witten, E. Miller, and L. Spagnuolo. Testing and Evaluating Computer Intrusion Detection Systems. CACM, 42(7):53--61, July 1999.
No context found.
R. Durst, T. Champion, B. Witten, E. Miller, and L. Spagnuolo. Addendum to "Testing and Evaluating Computer Intrusion Detection Systems". CACM, 42(9):15, September 1999.
No context found.
D. Robert, C. Terrence, W. Brian, M. Eric, and S. Luigi. Testing and evaluating computer intrusion detection systems. Communications of the ACM, 42(7):53--61, September 1999.
No context found.
R. Durst, T. Champion, B. Witten, E. Miller, and L. Spagnuolo. Testing and Evaluating Computer Intrusion Detection Systems. CACM, 42(7):53--61, July 1999.
No context found.
R. Durst, T. Champion, B. Witten, E. Miller, and L. Spagnuolo. Addendum to "Testing and Evaluating Computer Intrusion Detection Systems". CACM, 42(9):15, September 1999.
No context found.
Durst R., Champion T., Witten B., Miller E., and Spagnuolo L., Testing and Evaluating Computer Intrusion Detection Systems. Communications of the ACM,
No context found.
Durst, Robert, Terrence Champion, Brian Witten, Eric Miller, and Luigi Spagnuolo. "Testing and Evaluating Computer Intrusion Detection Systems," Communications of the ACM 42(7) July 1999.