A model-driven approach for experimental evaluation of intrusion detection systems



Because attacks are becoming more frequent and more complex, intrusion detection systems (IDSes) need significant improvements to be able to detect new attacks and variants of already known attacks. It is thus necessary to assess precisely their quality of detection, performance, and robustness in the environment where they will be deployed. In this paper, we present an evaluation approach designed to overcome most of the weaknesses identified in several IDS evaluations: the lack of a rigorous methodology, the use of non-representative test datasets, and the use of inappropriate metrics. In our approach, model-based evaluation is combined with experimental testing. Because testing an IDS against all possible attacks is practically impossible, we propose a classification of elementary attacks and a model of attack processes. We then developed the attack planning and injection tool, which helps security administrators plan and select the most relevant attack scenarios. The attack planning and injection tool is able to generate and carry out concrete and adaptable attacks on specifically identified computers. To demonstrate the validity of our approach, we tested our tool in a case study environment to compare well-known IDSes. Copyright © 2013 John Wiley & Sons, Ltd.