Dominique Alessandri

Using Rule-Based Activity Descriptions to Evaluate Intrusion-Detection Systems

After more than a decade of development, there are now many commercial and non-commercial intrusion-detection systems (IDSes) available. However, they tend to generate false alarms at high rates while overlooking real threats. The results described in this paper have been obtained in the context of work that aims to identify means for supporting the analysis, evaluation, and design of large-scale intrusion-detection architectures. We propose a practical method for evaluating IDSes and identifying their strengths and weaknesses. Our approach shall allow us to evaluate IDSes for their capabilities, unlike existing approaches that evaluate their implementation. It is furthermore shown how the obtained knowledge can be used to analyze and evaluate an IDS.

Target Naming and Service Apoptosis

The volume of traffic on security mailing lists, bulletin boards, news forums, et cetera has grown so sharply in recent times that it is no longer feasible for a systems administrator to follow all relevant news as a background task; it has become a full-time job. Even when relevant information does eventually reach the systems administrator, there is, often a dangerous window between public knowledge of a vulnerability and the administrators ability to correct it. Automated responses mechanisms are the key to closing these vulnerability windows. We propose a database of likely areas of vulnerability, called targets, in a machine readable and filterable manner so that administrators can greatly reduce the amount of security mail to be read. We then propose a cryptographically secure service with which semi-trusted third parties can act in a manner limited by the system administrator, say shutting down a specific service while not allowing general access, to diminish the window of vulnerability.