
Intrusion Detection in Networks Using Mobile Agents (original title: Détection d'intrus dans les réseaux à l'aide d'agents mobiles)

Posted on: 2007-04-04
Degree: M.Sc.A
Type: Thesis
University: Ecole Polytechnique, Montreal (Canada)
Candidate: Trudeau, Simon
Full Text: PDF
GTID: 2458390005487614
Subject: Engineering
Abstract/Summary:
In today's world, it is very difficult for big organizations to overlook the challenges posed by information security. More and more, computer infrastructures are interconnected with each other and are exposed to threats coming from inside and outside of the organization. To face those threats, among the means to defend the network, we have the intrusion detection system (IDS). Those systems, which can be software or hardware in nature, are in increasingly widespread use and can represent an important part of an Information Technology department's budget. Unfortunately, this equipment, even though very useful, has non-negligible flaws. The number of false positives, that is, false alarms, can rapidly overwhelm the capability of the security analysts to analyse them.

To address this performance issue, many solutions have been put forward. In recent years, we have seen different IDS architectures such as hierarchical, agent-based and mobile-agent-based, for example, making their appearance. Many detection strategies were put forward to try to improve on the situation. We have seen strategies such as intrusion detection by statistical learning, by rules like the popular IDS SNORT and by Petri nets, just to name a few.

Unfortunately, we found out that assessing the real efficiency of those solutions was very difficult. Right now, it is very difficult to make the connection between performance metrics, IDS characteristics and the environment, which has a huge impact on results.

To assess the links between the environment, IDS characteristics and performance metrics, we decided in this master's thesis to put forward an IDS performance evaluation framework. To do so, we have elaborated a taxonomy to allow the characterization of the environment in an objective and subjective manner. We also have built a taxonomy of intrusion detection system characteristics which can influence performance and take into account mobile agents' properties. Furthermore, we have selected a set of metrics which can be good performance indicators.

To allow us to make hypotheses on an environment too complex to be fully apprehended, we came up with a simplified mathematical model to which our conclusions will apply. Inside this model we can understand the relations between the environment, the IDS of interest and their impacts on performance.

To allow for the experimental validation of our framework, we built an IDS which makes use of mobile agents to perform spatial and temporal information correlation. We compared the performance of our solution against another IDS making use of mobile agents and a standard architecture.

To carry out our experiments, we built a test platform able to generate false positive and attack events. False positive events were modeled after half-open TCP connections, which can look like a SYN Flood attack. Attacks were modeled to look like a Fast Scan attack. We describe a Fast Scan as a port scan of one or more designated hosts over a very short period of time.

During our test sessions, we chose as metrics the false positive rate, which is the number of false alarms, and the false negative rate, which is the number of attacks that passed without triggering an alarm. We compared the false positive and false negative rates of our algorithms with each other for different IDS and environmental parameters. We found that our experimental results were coherent with our theoretical results. We found out that each environmental parameter and each IDS parameter has an influence on the false positive and false negative rates that we obtain.

Our experiment allowed us to validate our hypotheses and establish a link between the environment variables, the characteristics of each IDS and the intrusion detection performance. We were also able to observe a functional relation between different metrics.

Throughout our experiments, we were unable to optimize the false positive rates without noticing a degradation of the false negative...
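As an added illustration (not code from the thesis) of the evaluation the abstract describes: constructed traffic mixing half-open-connection noise with fast scans, a simple sliding-window port-count detector, and the resulting false positive and false negative rates at different alarm thresholds, which shows the trade-off the abstract reports. The window length, thresholds, addresses and event set are assumptions.

```python
from collections import defaultdict

WINDOW_S = 10.0  # sliding window length in seconds (assumed detector parameter)

def build_events():
    """Constructed sample traffic: (timestamp_s, src_ip, dst_ip, dst_port, label)."""
    ev = []
    # Benign noise: half-open connections from one busy client to two ports,
    # which resemble a SYN flood but carry the benign ground-truth label here.
    for i in range(30):
        ev.append((i * 0.5, "10.0.0.5", "10.0.0.80", 443 if i % 2 else 80, "benign"))
    # Benign monitoring host checking six service ports once a minute.
    for minute in range(3):
        for i, port in enumerate([22, 25, 53, 80, 443, 993]):
            ev.append((minute * 60.0 + i * 0.8, "10.0.0.7", "10.0.0.80", port, "benign"))
    # Attack A: fast scan of 40 ports on one host within two seconds.
    for i in range(40):
        ev.append((200.0 + i * 0.05, "10.0.0.99", "10.0.0.80", 1 + i, "attack"))
    # Attack B: a smaller fast scan of five ports within one second.
    for i, port in enumerate([21, 23, 3389, 5900, 8080]):
        ev.append((300.0 + i * 0.2, "10.0.0.66", "10.0.0.80", port, "attack"))
    return sorted(ev)

def flagged_sources(events, threshold, window=WINDOW_S):
    """Sources touching >= threshold distinct ports on one host inside any window."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in events:
        by_pair[(src, dst)].append((ts, port))
    flagged = set()
    for (src, dst), hits in by_pair.items():
        for ts, _ in hits:
            ports = {p for t, p in hits if ts - window <= t <= ts}
            if len(ports) >= threshold:
                flagged.add(src)
                break
    return flagged

def evaluate(events, threshold):
    """Return (false_positives, false_negatives, fp_rate, fn_rate) over source hosts."""
    labels = {}
    for _, src, _, _, label in events:
        labels[src] = label  # constructed data: each source is purely benign or attack
    flagged = flagged_sources(events, threshold)
    benign = {s for s, l in labels.items() if l == "benign"}
    attack = {s for s, l in labels.items() if l == "attack"}
    fp = len(benign & flagged)   # benign sources that raised an alarm
    fn = len(attack - flagged)   # attacking sources that passed silently
    return fp, fn, fp / len(benign), fn / len(attack)
```

Lowering the threshold to catch the small scan (threshold 4) flags the monitoring host as well, while a threshold that keeps the monitoring host quiet (7) misses the small scan.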
Keywords/Search Tags: False positive, IDS, Detection, Mobile, Agents