Seth E. Webster

Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation

An intrusion detection evaluation test bed was developed which generated normal traffic similar to that on a government site containing 100s of users on 1000s of hosts. More than 300 instances of 38 different automated attacks were launched against victim UNIX hosts in seven weeks of training data and two weeks of test data. Six research groups participated in a blind evaluation and results were analyzed for probe, denial-of-service (DoS) remote-to-local (R2L), and user to root (U2R) attacks. The best systems detected old attacks included in the training data, at moderate detection rates ranging from 63% to 93% at a false alarm rate of 10 false alarms per day. Detection rates were much worse for new and novel R2L and DoS attacks included only in the test data. The best systems failed to detect roughly half these new attacks which included damaging access to root-level privileges by remote users. These results suggest that further research should focus on developing techniques to find new attacks instead of extending existing rule-based approaches.

Visualizing attack graphs, reachability, and trust relationships with NAVIGATOR

A new tool named NAVIGATOR (Network Asset VIsualization: Graphs, ATtacks, Operational Recommendations) adds significant capabilities to earlier work in attack graph visualization. Using NAVIGATOR, users can visualize the effect of server-side, client-side, credential-based, and trust-based attacks. By varying the attacker model, NAVIGATOR can show the current state of the network as well as hypothetical future situations, allowing for advance planning. Furthermore, NAVIGATOR explicitly shows network topology, infrastructure devices, and host-level data while still conveying situational awareness of the network as a whole. This tool is implemented in Java and uses an existing C++ engine for reachability and attack graph calculations.

Experience Using Active and Passive Mapping for Network Situational Awareness

Passive network mapping has often been proposed as an approach to maintain up-to-date information on networks between active scans. This paper presents a comparison of active and passive mapping on an operational network. On this network, active and passive tools found largely disjoint sets of services and the passive system took weeks to discover the last 15% of active services. Active and passive mapping tools provided different, not complimentary information. Deploying passive mapping on an enterprise network does not reduce the need for timely active scans due to non-overlapping coverage and potentially long discovery times