
Multi-Level IDS Security Evaluation Based On DFA

Posted on: 2007-03-06
Degree: Master
Type: Thesis
Country: China
Candidate: X Jiao
GTID: 2178360182496246
Subject: Computer system architecture

Abstract/Summary:
Traditional security technology can protect our computers or networks from outside intrusion to a certain extent. However, it is helpless when authorized users misuse their privileges. Some kinds of attack, such as protocol loopholes, source routing and address fabrication, can be dealt with by firewall packet filters, application-layer gateways and VPNs (virtual private networks). But these cannot deal with flaws in application design or with attacks through encrypted tunnels. Thus access control or firewall technology alone is not enough; a technology is urgently needed that can detect unauthorized access and abnormal activity and then report it in time. We call it ID (intrusion detection).

IDS is now widely used as people's security consciousness gradually increases, so the demand to test and evaluate current IDS has been put on the agenda. Both parties are eager to have a convenient platform and a reasonable method to test and evaluate IDS scientifically, justifiably and believably. For the researchers and developers of IDS, periodical evaluation may help them keep up with the state of technical development and the drawbacks of their systems, so that they can concentrate on the key technical problems, reduce the drawbacks of the system and improve its performance. For the users of IDS, who depend on IDS increasingly, evaluation helps them select the products suitable for themselves and avoid being misled by IDS advertising. Users urgently need testing and evaluation: because they do not know much about IDS, they want the evaluation results of specialists as the basis of their own choices. Many companies and producers have established various kinds of evaluation standards. However, those standards cover only some part of IDS; there is no complete and scientific evaluation system so far.

The main drawbacks of the former IDS evaluation systems are:

- They perform the attack evaluation directly and read the log file to analyze it; this method lacks flexibility.
- They do not forecast the next test.

In view of these limitations, we propose doing the evaluation by adopting DFA as an auxiliary analysis technology.

This paper mainly aims at the security evaluation of IDS, because at present the security evaluation of IDS includes no security testing. A DFA fragment is used to denote the testing process. This makes the evaluation process more straightforward and vivid, and it can effectively improve the efficiency and flexibility of the current system. To describe the evaluation process, the DFA is built on the logical relationship between the attack functions and the changes of system state; we make use of the effectiveness of state and process in the evaluation.

When evaluating a current IDS, the number of data packets that can be handled per second is limited by network and system resources, and the number of packets per second the network adapter can handle is limited as well. We therefore proposed multi-stage evaluation based on the character of packets and attacks: the attacking data is divided into three levels by flux. Multi-stage evaluation gives each measurement a credibility level, in order to help users know whether the product can meet their demands and whether the danger hidden in the process of application is tolerable. Multi-stage evaluation can analyze weaknesses independently; we then implement security evaluations based on the analysis of weaknesses, so we can verify whether the product can withstand the attack of some potential attackers.

Complete attack coverage of concentrated attack data is hard to reach. If we put all known attacks into the attack data, the task becomes so large as to be unrealistic. Therefore we must find a balance between completeness and coverage. The best way to resolve this problem is to divide the attacks into different categories, then choose one or more representative attacks from each category and use them in our experiment, so that attacks can be added conveniently.

The Internet is mostly based on the TCP/IP protocol, and most of the data in the network is based on TCP/IP too. Therefore we pay more attention to networks based on the TCP/IP protocol. Evaluation data can be added freely in our model, which enhances flexibility and timeliness. We adopt multi-stage evaluation in the evaluation process; the data may belong to either a single-stage attack or a multi-stage attack. The evaluation data can be generated by using the weaknesses of the TCP/IP protocol. The evaluation in each stage is simplified, different stages may generate the evaluation data at different positions, and the influence on the network can also be decreased. The security testing platform covers single-level attacks and combinations of more levels of TCP/IP; we divide these attacks into three levels. The test results demonstrate that this method enhances the extent and depth of testing, so the test results are more reliable.
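The DFA-based evaluation and the three flux levels described above, as an added example that is not the thesis's own code. It reads the abstract's DFA as a deterministic finite automaton whose transitions are replayed test actions and whose states are states of the system under test, grades each step into level 1, 2 or 3 by packet rate, and computes a per-level credibility figure (the fraction of steps the IDS flagged) from an alert log. The state and event names, the flux boundaries, the alert-log format and the sample trace are all constructed assumptions.

```python
"""DFA-driven IDS evaluation harness.

Added example; it is not code from the thesis. The abstract models an
evaluation run as a DFA whose transitions are test actions and whose states
are states of the system under test, and grades attack data into three
levels by traffic volume (flux). Every state name, event name, threshold and
log line below is a constructed assumption for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed DFA fragment for one test scenario: (state, event) -> next state.
# Each transition is one test action the evaluator replays past the IDS.
TRANSITIONS: Dict[Tuple[str, str], str] = {
    ("idle", "portscan"): "probed",
    ("probed", "connect"): "connected",
    ("connected", "payload"): "compromised",
}
START_STATE = "idle"
ACCEPT_STATES = {"compromised"}  # reaching this means the scenario ran to completion

# Constructed flux boundaries in packets per second: level 1 below 100,
# level 2 from 100 up to (not including) 1000, level 3 at 1000 and above.
LEVEL_BOUNDS = (100, 1000)


def flux_level(pps: int) -> int:
    """Grade a test step into evaluation level 1, 2 or 3 by its packet rate."""
    low, high = LEVEL_BOUNDS
    if pps < low:
        return 1
    if pps < high:
        return 2
    return 3


# Constructed IDS alert log; the "sig=" field names the test event detected.
SAMPLE_ALERT_LOG = """\
2007-03-06 10:00:01 ALERT sig=portscan src=192.0.2.10
2007-03-06 10:00:09 ALERT sig=payload src=192.0.2.10
"""


def parse_alerted_events(log_text: str) -> Set[str]:
    """Collect the event names the IDS alerted on (from the sig= field)."""
    events: Set[str] = set()
    for line in log_text.splitlines():
        for field in line.split():
            if field.startswith("sig="):
                events.add(field[len("sig="):])
    return events


@dataclass(frozen=True)
class StepResult:
    state_from: str
    event: str
    state_to: str
    level: int
    detected: bool


def run_scenario(trace: List[Tuple[str, int]], alerted: Set[str]) -> Tuple[bool, List[StepResult]]:
    """Walk the DFA along the replayed trace of (event, packets per second).

    Returns whether an accepting state was reached and one StepResult per
    transition, recording the flux level and whether the IDS flagged the event.
    A trace with no matching transition is an invalid scenario and raises.
    """
    state = START_STATE
    steps: List[StepResult] = []
    for event, pps in trace:
        nxt = TRANSITIONS.get((state, event))
        if nxt is None:
            raise ValueError(f"no transition from state {state!r} on event {event!r}")
        steps.append(StepResult(state, event, nxt, flux_level(pps), event in alerted))
        state = nxt
    return state in ACCEPT_STATES, steps


def credibility_by_level(steps: List[StepResult]) -> Dict[int, float]:
    """Detection rate per flux level: detected steps / total steps at that level."""
    counts: Dict[int, Tuple[int, int]] = {}
    for s in steps:
        detected, total = counts.get(s.level, (0, 0))
        counts[s.level] = (detected + int(s.detected), total + 1)
    return {lvl: det / tot for lvl, (det, tot) in counts.items()}


# Constructed replay trace: one step at each flux level.
SAMPLE_TRACE: List[Tuple[str, int]] = [("portscan", 50), ("connect", 500), ("payload", 5000)]


def evaluate(trace=SAMPLE_TRACE, log_text=SAMPLE_ALERT_LOG):
    """Run one scenario against one alert log and summarize detection per level."""
    alerted = parse_alerted_events(log_text)
    completed, steps = run_scenario(trace, alerted)
    return completed, steps, credibility_by_level(steps)


if __name__ == "__main__":
    completed, steps, cred = evaluate()
    for s in steps:
        print(f"{s.state_from} --{s.event}--> {s.state_to}  level {s.level}  "
              f"{'detected' if s.detected else 'MISSED'}")
    print("scenario completed:", completed)
    print("credibility by level:", cred)
```

Because the DFA fixes which action is legal from each state, the harness knows the next test step before replaying it, which is the forecasting the abstract says earlier evaluation methods lacked; a missed step shows up as a sub-1.0 credibility at its flux level rather than as something to be dug out of a log after the fact.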
Keywords/Search Tags: Multi-Level