Skip to Main content Skip to Navigation

Evaluation des systèmes de détection d'intrusion

Mohammed Gad El Rab 1
1 LAAS-TSF - Équipe Tolérance aux fautes et Sûreté de Fonctionnement informatique
LAAS - Laboratoire d'analyse et d'architecture des systèmes
Abstract : This thesis contributes to the improvement of intrusion detection system (IDS) evaluation. The work is motivated by two problems. First, the observed increase in the number and the complexity of attacks requires that IDSes evolve to stay capable of detecting new attack variations efficiently. Second, the large number of false alarms that are generated by current IDSes renders them ineffective or even useless. Test and evaluation mechanisms are necessary to determine the quality of detection of IDSes or of their detection algorithms. Unfortunately, there is currently no IDS evaluation method that would be unbiased and scientifically rigorous. During our study, we have noticed that current IDS evaluations suffer from three major defects: 1) the lack of a rigorous methodology; 2) the use of non-representative test datasets; and 3) the use of incorrect metrics. From this perspective, we have introduced a rigorous approach covering most aspects of IDS evaluation. In the first place, we propose an evaluation methodology that allows carrying out the evaluation process in a systematic way. Secondly, in order to create representative test datasets, we have characterized attacks by classifying attack activities with respect to IDS-relevant manifestations or features. This allows not only to select attacks that will be included in the evaluation dataset but also to analyze the evaluation result with respect to attack classes rather than individual attack instances. Third, we have analyzed a large number of attack incidents and malware samples, such as viruses and worms. Thanks to this analysis, we built a model for the attack process that exhibits the dynamics of attack activities. This model allows us to generate large number of realistic and diverse attack scenarios. The proposed methods have been experimented on two very different IDSes to show how general is our approach. The results show that the proposed approach allows overcoming the two main defects of existing evaluat ions, i.e., the lack of a rigorous methodology and the use of non-representative datasets. Moreover, it allows to better manage the evaluation process and to select representative attack test cases in a flexible manner while providing a better coverage of the attack space.
Complete list of metadata

Cited literature [110 references]  Display  Hide  Download
Contributor : Arlette Evrard <>
Submitted on : Monday, March 9, 2009 - 2:31:52 PM
Last modification on : Thursday, June 10, 2021 - 3:06:01 AM
Long-term archiving on: : Tuesday, June 8, 2010 - 8:15:44 PM


  • HAL Id : tel-00366690, version 1


Mohammed Gad El Rab. Evaluation des systèmes de détection d'intrusion. Networking and Internet Architecture [cs.NI]. Université Paul Sabatier - Toulouse III, 2008. English. ⟨tel-00366690⟩



Record views


Files downloads