PERFORMANCE METHOD OF ASSESSMENT OF THE INTRUSION DETECTION AND PREVENTION SYSTEMS
YOUSEF FARHAOUI
LabSiv, Equipe SCCAM
Faculty of sciences Ibn Zohr University B.P 8106, City Dakhla, Agadir, Morocco. [email protected]
AHMED ASIMI
LabSiv, Equipe SCCAM
Faculty of sciences Ibn Zohr University B.P 8106, City Dakhla, Agadir, Morocco. [email protected]
Abstract:
Intrusion detection systems and intrusion prevention systems (IDS / IPS) are the latest tools for securing a company's computerised data, and evaluating their performance and efficiency is important. In [13], we tried to assess the performance of these tools with regard to the analysis method, reliability, etc.; in [14], with regard to the objectives of computer security; and in [15], we evaluated the performance of the IDS and IPS on the basis of an artificial neural network.
This article is organized as follows: section 2 presents the assessment of the analysis method, reliability, responsiveness, easiness of implementation and adaptability, etc; section 3 presents the performance assessment in relation to the objectives of the computer security embodied in integrity, confidentiality, authenticity and availability; section 4 presents an IDS and IPS performance evaluation based on the artificial neural network. The article closes up with a conclusion.
Keywords: Intrusion Detection, Intrusion Prevention, Classification, Tools.
1. Introduction
2. Performance Assessment of the intrusion Detection and Prevention Systems: According to the method of analysis, reliability, reactivity, facility, adaptability and performance
2.1. The IDS/IPS systems features to assess and to compare
The expression "intrusion detection and prevention system" is used to describe multiple security technologies and solutions. This paper focuses on intrusion prevention systems able to take immediate measures against attacks and intrusions without manual intervention. The intrusion detection and prevention tools display the following features:
- an online engine able to detect attacks reliably and accurately and to block them with precision;
- high online speed without any effect on the performance or the availability of the network;
- efficient integration within the security management environment;
- easy and quick adaptation to, and anticipation of, unknown intrusions;
- accurate and precise intervention;
- good citizenship on the network;
- efficient security-based management.
An IDS/IPS system must include flexible and transparent methods to update its database with the signatures of new attacks. Besides, it must have methods able to react to new attacks without a signature update: inverse exclusion, where all requests except those legitimate for a given destination are dropped; protocol validation, where requests using illegitimate methods are dropped; or independent blocking of the attack, where the attackers are identified and all the traffic coming from them is dropped, whether the attacks are known or not.
2.2. The criteria of classification of the IDS and the IPS
There are many products, varying in complexity of implementation and degree of integration. Tools based strictly on behavioural models affect speed, but they are more and more integrated into IDS/IPS initially based on a signature library, thanks to their complementarity. Host-based tools fare worse than network-based tools. The hybrid tools, which bring a less partial protection of the information system, can solve this dilemma.
The first classification criterion of the IDS/IPS is the method of analysis, of which there are two approaches.
The approach by scenario (signature-based) consists in searching the activity of the supervised element for the prints (signatures) of known attacks. This type of IDS/IPS is purely reactive: it can only detect the attacks whose signature it possesses, so it requires frequent updates. Besides, the efficiency of this detection depends strongly on the precision of its signature base. This is why these systems are vulnerable to pirates who use evasion techniques, which consist in disguising the attacks used: such techniques vary the signatures of the attacks so that they are no longer recognized by the IDS/IPS.
The behavioural approach consists in detecting anomalies. Its implementation always includes a training phase during which the IDS/IPS discovers the normal functioning of the supervised elements; it can then signal divergences from the reference behaviour. Behavioural models can be built from statistical analyses. They have the advantage of detecting new types of attacks; however, frequent adjustments of the reference model are necessary so that it keeps reflecting the normal activity of the users and reduces the number of false alerts generated.
Each of these two approaches can lead to false positives or to false negatives.
The intrusion detection and prevention systems become indispensable at the time of the setting up of an operational security infrastructure. Therefore, they always integrate in a context and in an architecture imposing various constraints.
The following parameters are adopted in the classification of the IDS/IPS:
- Reliability: the generated alerts must be justified and no intrusion may escape.
- Reactivity: an IDS/IPS must be able to detect and prevent new types of attacks as quickly as possible; thus it must constantly update itself, and automatic update capabilities are indispensable.
- Facility of implementation and adaptability: an IDS/IPS must be easy to operate and especially to adapt to the context in which it must work. It is useless to have an IDS/IPS raising alerts in less than 10 seconds if the resources needed for a reaction are not available to act within the same time constraints.
- Performance: setting up an IDS/IPS must not affect the performance of the supervised systems. Besides, one must be certain that the IDS/IPS is able to process all the information at its disposal, because otherwise it becomes trivial to conceal attacks by increasing the quantity of information.
The following criteria must also be taken into consideration when classifying an IDS/IPS:
- the sources of the data to analyze: network, system or application;
- the behaviour of the product after an intrusion: passive or active;
- the frequency of use: periodic or continuous;
- the operating system on which the tools operate: Linux, Windows, etc.;
- the source of the tools: open source or proprietary.
2.3. The Tool IDS / IPS
To secure data as completely as possible, various tools are available. They are mainly used together in order to secure the system as a whole. To avoid the drawbacks of the NIDS, NIPS, HIDS or HIPS taken separately, it is very important to combine these different systems. The lack of host-level information of the NIDS and NIPS, as well as the installation and administration cost of the HIDS, can be overcome through a good cohabitation of these systems on the network. There is no perfectly complete system; optimum security is achieved by combining several systems.
Moreover, most of these solutions are developed by the leading security companies. These solutions are complete and can easily be put to work in a network, which is also true for their updates. Their modular format allows several agents to report to a centralized interface. However, these solutions are particularly expensive.
Most of the existing intrusion detection solutions consist in setting up NIDS in association with some HIDS and other management software.
Table 1. The IDS / IPS tools
Legend: S: signature; C: behavioural; L: software; A: appliance; Lbr: open source; Cm: commercial; Auto: automatic update; Man: manual update; Smp: simple; Dff: difficult; +: low; ++: average; +++: good. The IPS/IDS column reproduces the √ marks the tool carries across the HIPS, NIPS, HIDS and NIDS sub-columns of the original table.

Tool | IPS/IDS (HIPS, NIPS, HIDS, NIDS) | Method | Platform | Debit (max) | Software (L) or appliance (A) | Open source (Lbr) or commercial (Cm) | Update | Install and config | False alerts | Behaviour after intrusion | Frequency of use | Reliability | Reactivity | Performance
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Cisco NetRanger | √ √ √ | S | common OS | 4 Gb/s | A/L | Cm | Auto | Smp | ++ | Active | Continuous | ++ | Active | ++
Snort | √ √ √ | S | Linux, Windows | large networks | L | Lbr | Man | Dff | ++ | Active | Continuous | ++ | Active | ++
ISS RealSecure and Proventia | √ √ √ √ | S/C | common OS | up to 10 Gb/s | A/L | Cm | Auto | Smp | ++ | Active | Continuous | ++ | Active | ++
Arkoon IDS en coupure (inline) | √ √ √ √ | S | Linux, Windows | up to 11 Gb/s | A | Cm | Auto | Smp | ++ | Active | Continuous | +++ | Active | +++
Watchguard Firebox range | √ | S/C | common OS | 10 Gb/s | A | Cm | Auto | Smp | ++ | Active | Continuous | ++ | Active | ++
Enterasys Networks Dragon | √ √ | S | common OS | 1 Gb/s | A/L | Cm | Auto | Smp | ++ | Passive | Continuous | + | Passive | +
Computer Associates eTrust Intrusion Detection | √ | S | Windows | 1 Gb/s | L | Cm | Auto | Smp | ++ | Active | Continuous | + | Active | +
NFR Security Sentivist | √ √ | S | common OS | 4 Gb/s | L | Cm | Auto | Smp | ++ | Active | Continuous | ++ | Active | ++
Symantec Host IDS and Symantec ManHunt | √ √ | S | common OS | 4 Gb/s | L/A | Cm | Auto | Smp | ++ | Passive | Continuous | ++ | Passive | ++
TopLayer Attack Mitigator IPS | √ | S/C | common OS | 100 Mb/s to several Gb/s | A | Cm | Auto | Smp | ++ | Active | Continuous | + | Active | +
Prelude IDS | √ √ | S | common OS | 1 Gb/s | L | Lbr | Man | Dff | ++ | Passive | Continuous | ++ | Passive | ++
Nessus | √ √ | S | common OS | | L | Lbr | Man | Smp | ++ | Passive | Continuous | + | Passive | +
Suricata | √ √ | HTP | common OS | | L | Lbr | Man | Dff | ++ | Active | Continuous | + | Active | +
Tripwire | √ | S | Linux | | L | Lbr | | Dff | ++ | Passive | Continuous | + | Passive | +
3. Performance Assessment of the intrusion Detection and Prevention Systems according to the objectives of security
An information system is generally defined as the combination of the data and of the hardware and software resources of the company that allow storing or circulating them. The information system is an essential asset of the company and must be protected. In general, computer security consists in ensuring that the hardware and software resources of an organization are used solely in the intended setting. Computer security is generally based on six main objectives:
- Integrity: ensuring that the data cannot be altered or changed.
- Confidentiality: ensuring that only authorized people can access the exchanged resources.
- Availability: maintaining the proper working of the information system.
- Non-repudiation: guaranteeing that a transaction cannot be denied.
- Authentication: ensuring that only authorized people can access the resources.
- Access control: the user's access to information in a computer is restricted and controlled.
3.1. Attacks to security
The attacks on the security of a computer or a network are best characterized by considering the system as a supplier of information. In general, attacks fall into four categories: interruption, interception, modification and fabrication (manufacture).
a) Interruption
It happens when an asset of the system is destroyed or becomes unavailable or unusable. It is an attack on the availability of the system. Examples are the destruction of hardware, the cutting of a communication line or the disabling of a file management system.
b) Interception
It happens when an unauthorized party gets access to an asset. It is a threat to confidentiality. The party can be a person, a program or another computer.
c) Modification
It occurs when an unauthorized access to an asset results in an undetectable modification of it. It is an attack on integrity. It can change values in a data file, alter a program so as to upset its behaviour, or modify the content of messages being transmitted on a network.
d) Fabrication (manufacture)
It consists in the unauthorized insertion of counterfeit objects into the system. It is an attack on authenticity. It can take the form of the insertion of false messages in the network or of the saving of such messages in files.
3.2. Attacks to the IDS/IPS
Attackers often try to target the IDS/IPS before attacking the protected system, and since the IDS/IPS are themselves computer systems, they can have weaknesses. There are several types of attacks: denial of service, insertion, evasion and modification of the packets between the sensor and the analyzer. A denial of service saturates the IDS/IPS with information and so stops it from functioning. To guard against it, the information must be filtered and stored correctly, and the IDS/IPS must be able to handle a set of packets without loss. A monitoring system that checks the real efficiency of the IDS/IPS is also needed.
Detecting an IDS/IPS is similar to attacking a machine: to attack an IDS/IPS, one must first be able to detect it. An IDS/IPS can be detected as follows:
- MAC address usurpation: a NIDS puts its packet capture interface in promiscuous mode, where it sees all packets in transit. By sending an ICMP echo request to a machine with a destination MAC address that does not exist on the network, one can tell whether that machine is in promiscuous mode: since the NIDS is in promiscuous mode, it accepts the packet and answers with an ICMP echo reply without even checking that it is the actual recipient.
- Observation of the requests: after an attack, the IDS generally sends messages to a central computer that deals with the set of alerts. By observing the packets, one can try to find those heading towards the central computer.
One of the problems with this kind of attack is that, in most cases, the IDS does not warn the rest of the system that it no longer functions. It is even more dangerous when the IDS does not know whether it functions correctly or not: after having attacked the IDS, the pirate can attack the system with impunity. Therefore, the IDS must be able to check whether the pirate is attacking the IDS itself or the machines it protects, in order to warn the system.
3.3. Evaluation of the performances of the IDS/IPS tools
To ensure that the IDS/IPS tools work effectively, the following parameters have to be considered: confidentiality, integrity, availability and authenticity. The protection of the data depends on the system to be protected.
To ensure the confidentiality, integrity, availability and authenticity of the system under study, a set of security measures is followed: remove unused programs, use firewalls, use access controls, configure programs correctly, use anti-viruses, use IDS, etc.
Among the methods used to assess detection systems [1][2][3][4][5], this study adopts the method of the security objectives, which is based on:
- Integrity: the number of robust bits;
- Confidentiality: the encryption algorithm;
- Availability: the operation time;
- Authentication: ensuring the identity of a user.
To assess the parameters above, the following test parameters are adopted:
- the debit (throughput, in bits/s);
- the data / the attacks, using four appropriate types: denial of service (DoS), man in the middle (MITM), chopchop and MAC address usurpation.
This study targets six intrusion detection tools, three for wired networks and three for wireless networks.
3.3.1. The debit
Concerning the debit parameter, the performance of the intrusion detection tools is tested by increasing the throughput of the data circulating on the tested networks.
a. Integrity
It is necessary to ensure that the data secured by the IDS/IPS have not been changed by an unauthorized person. Thus, in this test, the number of erroneous bits is considered while the flow of data circulating on the network is increased (Table 2).
Table 2. Integrity level (no result is given for the wireless tools at 1 and 4 GB/s)

Debit | Snort | Cisco NetRanger | NetScreen (IDP) | Snort-Wireless | AirMagnet | AirDefense
--- | --- | --- | --- | --- | --- | ---
5 MB/s | normal | normal | normal | normal | normal | normal
10 MB/s | normal | normal | normal | normal | abnormal | abnormal
1 GB/s | normal | normal | normal | | |
4 GB/s | normal | normal | abnormal | | |

Whenever the flow increases, the number of erroneous bits becomes high; as a result, the effectiveness of the tool decreases.
b. Confidentiality
Obviously, if no encryption mechanism is used, our data can easily be intercepted by an attacker. Data should be visible only to authorized persons. However, some ciphers are easily broken by attackers.
Accordingly, to test the confidentiality level of a system, the strength of the encryption algorithm used has to be tested.
Comparison of the encryption algorithms used by each tool (Table 3)
Table 3. Encryption algorithms
Twofish uses an addition method which is very difficult to protect against power and timing analysis attacks. The use of the Masquerade technique does not decrease performance, but it significantly increases the RAM used, and it remains vulnerable to power analysis attacks. In contrast, the RC4 algorithm is very weak [6][7][8]. Thus, to ensure the confidentiality of a computer system, a detection system that includes a stronger encryption algorithm must be chosen.
c. Availability
A DOS attack is intended to prevent the normal users of a service from accessing it. To test the availability level of a system, the running time of each tool was compared, as shown in the table below:
Table 4. Availability level

 | Snort | Cisco NetRanger | NetScreen (IDP) | Snort-Wireless | AirMagnet | AirDefense
--- | --- | --- | --- | --- | --- | ---
Time of operation (real or not) | Yes | Yes | Yes | Yes | Yes | Yes

The test has shown that the running time of the IDS/IPS tools is not affected. Accordingly, the availability of the system as a whole remains intact.
d. Authentication
In order to assess the level of authentication of a system, the method used by each tool to check the identity of users is compared (Table 5).
Table 5. Authentication level

 | Snort | Cisco NetRanger | NetScreen (IDP) | Snort-Wireless | AirMagnet | AirDefense
--- | --- | --- | --- | --- | --- | ---
Ensures the identity of a user | high | high | medium | high | medium | medium

As shown in the table above, some tools strictly check the identity of the user before permitting access, but others cannot do so in a way that prevents any unauthorized user from accessing the system.
3.3.2. Attacks
a. Denial of Service (DOS)
The DOS attack is an attack on availability. It temporarily paralyzes servers and makes them unavailable, so that they can neither serve nor respond to requests from their legitimate users. This kind of attack exploits vulnerabilities and weaknesses in the design or implementation of protocols, services and applications. DOS attacks are the easiest to carry out.
The table below shows the results of applying a DOS attack to the IDS/IPS tools.
Table 6. Level of efficiency compared to the DOS attack

 | Snort | Cisco NetRanger | NetScreen (IDP) | Snort-Wireless | AirMagnet | AirDefense
--- | --- | --- | --- | --- | --- | ---
Efficiency | medium | medium | weak | medium | weak | weak

Applying this kind of attack to the IDS/IPS has shown that it affects these tools in such a way that they give out false positives and false negatives, especially the wireless tools.
b. Man In The Middle (MITM)
The MITM attack is an attack on integrity. It is a complete redirection of a connection between two machines: each of the two interlocutors believes that it interacts directly with the other, but in reality it sends its data to a third machine that acts as a router and forwards the modified frames to the actual recipient. The table below shows the results of a study of the effect of an MITM attack on the detection and prevention systems.
Table 7. Level of efficiency compared to the MITM attack

 | Snort | Cisco NetRanger | NetScreen (IDP) | Snort-Wireless | AirMagnet | AirDefense
--- | --- | --- | --- | --- | --- | ---
Efficiency | high | high | high | medium | weak | weak
c. MAC address spoofing
MAC address spoofing attacks are attacks on authentication. The attacker pretends to be an authorized user: it only needs to take the identity of another legitimate station (its MAC address) in order to mount an attack without being detected, to access privileged services or to bypass MAC address filtering. Technically, it is easy to change the MAC address of a wireless interface; however, the intruder does not even need to change its address, since it is sufficient to form an 802.11 frame with the MAC addresses of its choice. Several studies have attempted to detect MAC spoofing attacks [9][10][11], but none could do so effectively; therefore, cases of false positives and false negatives persist.
The following table illustrates the results a MAC address spoofing attack may have on the IDS/IPS tools.
Table 8. Level of efficiency compared to MAC spoofing

 | Snort | Cisco NetRanger | NetScreen (IDP) | Snort-Wireless | AirMagnet | AirDefense
--- | --- | --- | --- | --- | --- | ---
Efficiency | medium | medium | medium | weak | weak | weak

The study has shown that the IDS/IPS still produce some false positives and false negatives.
d. Chopchop
Each packet consists of two parts: the data and a CRC32 which is supposed to ensure the integrity of the data. Both are passed to the WEP encryption algorithm, RC4: the encrypted packet sent on the network is the xor of the concatenation of the message and its CRC32 with a keystream that is a function of the WEP key and of the current initialization vector. If D is the plaintext message, ICV (Integrity Check Value) the CRC32 operation, C the encrypted message, K the WEP key, IV the current initialization vector and || the concatenation operator, we can write:
C = RC4(IV || K) xor (D || ICV(D))
The CRC32 was designed to ensure data integrity against transmission errors and in no case to ensure their security. The chopchop attack [12] therefore uses several weaknesses of this algorithm to inject data on the network. Suppose we want to inject data into the network starting from a captured encrypted packet. We have the following relations:
C = RC4(IV || K) xor (D || ICV(D)) is the captured packet.
D' is the data we want to inject, of the form D' = D xor Mod. We have:
C' = RC4(IV || K) xor (D' || ICV(D'))
Here, as we do not know D, we do not know D'. However, since CRC32 is affine under xor,
D' || ICV(D') = (D || ICV(D)) xor (Mod || ICV'(Mod)), where ICV' is a modified CRC32 (the constant term of CRC32 being corrected for). So
C' = RC4(IV || K) xor (D || ICV(D)) xor (Mod || ICV'(Mod))
C' = C xor (Mod || ICV'(Mod))
This relation shows that, starting from a valid encrypted packet, it is possible to inject any modification of this packet: C', which was unknown, is in the end a function of known elements only. The chopchop attack uses a different CRC32 weakness. If the message C is truncated of its last data byte, the message becomes invalid because the CRC32 no longer matches. However, if the truncated C is xored with some value Mod, the packet becomes valid again. A mathematical proof shows that Mod depends only on the clear value of the truncated byte.
We can therefore write Mod = f(X), where X is the clear value of the truncated byte. Since there are 256 possible values for X, it suffices to test all of them. We take our captured packet C and remove its last data byte. We assume that the clear value X of the truncated byte is 0 and generate our modification:
C' = C xor f(x) with x = 0
C' is sent. If C' is replayed by the access point, then C' was valid and our assumption on X was right: a byte of the plaintext (a byte of D) has been found, and therefore a byte of the keystream used to encrypt it. If C' is not replayed by the access point, then C' was not valid and our assumption on X was wrong; we retry by incrementing X until the packet C' is replayed. On average, 128 packets have to be sent to decrypt one byte. The same method is then repeated, byte by byte, to recover all the bytes of D. IDS/IPS are generally used to detect the chopchop attack on confidentiality; in this regard, our study has focused on the potential effects of such an attack on the wireless detection and prevention tools.
Table 9. Level of efficiency compared to the chopchop attack
With the data encryption of the wireless network, the tested IDS are weak; the solution is therefore to use an IPS to secure wireless networks.
4. Performance Assessment of the intrusion Detection and Prevention Systems Based on Artificial Neural Network
4.1. Artificial neural network
As in biology, neurons are small processing units composed of one or more inputs, an output and a cell body that performs calculations from data input to produce output (Fig 1). In practice, a neuron is able to distinguish between two classes to produce +1 or -1 as its output.
4.1.1. Inputs
The vector x_1, ..., x_n is the input data of the neuron. It can be input data of the network or intermediate output values from other neurons. An input vector E_entree^T = (x_1, ..., x_i, ..., x_n) characterizes the input of a neuron; it may be, for example, the Cartesian coordinates (x, y, z)^T. Each of these inputs is weighted by a weight; these weights form the input weight vector P_entree^T = (w_1, ..., w_i, ..., w_n). The last entry is called the bias input: its value is always equal to 1 and its associated weight b is called the bias of the neuron.
Fig 1. Structure of a neuron
4.1.2. Cell
The sole function of the cell is to produce an output equal to +1 or -1. For this, it performs the weighted sum of the inputs:
f(S) = b + Σ_{i=1}^{n} w_i x_i
Knowing this sum, a threshold function gives -1 if the sum is negative or +1 if the sum is positive:
y = +1 if f(S) ≥ 0
y = -1 otherwise
4.1.3. Output
The output of a cell is a binary value +1 or -1 in case of a threshold neuron. It is the neuron's response to a problem of sorting between two sets of elements of dimension n. In a neural network, the output (weighted or not) may be the input of a new neuron (Fig. 2).
Fig 2. Network of two input neurons and an output neuron
4.2. Learning and Ranking
We will work on a simple neural network: the perceptron. Invented in 1957 by Frank Rosenblatt of the Cornell Aeronautical Laboratory, the perceptron can be viewed as a single neuron able to linearly separate a set of E_entree vectors into two distinct groups labelled A and B.
4.2.1. Learning
In its initial state, a perceptron does not know how to separate the two groups: it must learn. A training sample is built from particular input vectors whose group membership g is known:
E_learn^T = (x_1, ..., x_n, g) with g = +1 if E_learn ∈ A and g = -1 if E_learn ∈ B.
The learning algorithm presents the input vectors E_learn to the perceptron and compares its output y with the expected output g. If the actual and expected outputs differ, the input weight vector P_entree and the bias b are adjusted by incrementing or decrementing them with an arbitrarily fixed learning step α. These steps are repeated t times; the bigger t is, the more the perceptron learns (Fig. 3).
initialize P_entree and b to 0
initialize α (0 < α < 1)
initialize t
for j from 1 to t do
    present a vector E_learn to the input of the perceptron
    compute the answer y of the perceptron
    if y ≠ g then
        for every dimension w_i of P_entree, i from 1 to dim(P_entree), do
            w_i ← w_i + x_i * α * g
        end for
        b ← b + α * g
    end if
end for
Fig. 3. Perceptron algorithm
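As an added example, not the paper's code nor the NeuroSolutions software it used, the cell of section 4.1.2 and the learning algorithm of Fig. 3 implemented in Python and trained on a constructed, linearly separable set of two-dimensional feature vectors, with group A (+1) standing for attack traffic and group B (-1) for normal traffic; the feature values are assumptions, not the paper's collected data.

```python
from typing import List, Sequence, Tuple

Vector = Sequence[float]
Sample = Tuple[Vector, int]  # (E_learn, g)


def neuron_output(w: Sequence[float], b: float, x: Vector) -> int:
    """Cell of section 4.1.2: f(S) = b + sum_i w_i x_i, then the threshold
    function y = +1 if f(S) >= 0 else -1."""
    f = b + sum(wi * xi for wi, xi in zip(w, x))
    return 1 if f >= 0 else -1


def train_perceptron(samples: List[Sample], alpha: float, t: int):
    """Learning algorithm of Fig. 3. Each of the t iterations presents one
    vector E_learn (cycling through the training sample), computes y, and
    corrects P_entree (w) and the bias b when y differs from the known group g."""
    assert 0 < alpha < 1
    n = len(samples[0][0])
    w = [0.0] * n  # P_entree initialised to 0
    b = 0.0
    for j in range(t):
        x, g = samples[j % len(samples)]
        y = neuron_output(w, b, x)
        if y != g:
            w = [wi + xi * alpha * g for wi, xi in zip(w, x)]  # w_i <- w_i + x_i * alpha * g
            b = b + alpha * g                                  # b <- b + alpha * g
    return w, b


def training_error(samples: List[Sample], w: Sequence[float], b: float) -> int:
    """Ranking (4.2.2): with weights and bias fixed, count vectors whose output
    does not match the group g they belong to."""
    return sum(1 for x, g in samples if neuron_output(w, b, x) != g)


# Constructed 2-D feature vectors (e.g. packet rate and number of distinct destination
# ports, in arbitrary centred units). Group A (+1): attack traffic; group B (-1): normal.
TRAINING: List[Sample] = [
    ((2.0, 3.0), 1), ((3.0, 4.0), 1), ((4.0, 3.0), 1), ((1.0, 5.0), 1),
    ((-2.0, -1.0), -1), ((-3.0, -2.0), -1), ((-1.0, -3.0), -1), ((-4.0, -1.0), -1),
]


def run(alpha: float = 0.1, t: int = 40):
    """Train on the constructed sample and report (w, b, misclassified count)."""
    w, b = train_perceptron(TRAINING, alpha, t)
    return w, b, training_error(TRAINING, w, b)


if __name__ == "__main__":
    w, b, err = run()
    print("P_entree =", w, "b =", b, "misclassified after training:", err)
    print("new vector (5, 5) ->", neuron_output(w, b, (5.0, 5.0)))
```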
4.2.2. Ranking
After learning, the weights and bias of the perceptron are fixed. The E_entree vectors under study are then presented to it, and the output of the perceptron must match the group g in which they are classified.
4.3. Classification characteristics of IDS and IPS
In this test, six intrusion detection tools are tested, three for wired networks and three for wireless networks (Snort, Cisco NetRanger and NetScreen (IDP) for wired networks; Snort-Wireless, AirMagnet and AirDefense for wireless networks).
4.3.1. Data
The training and testing data have been collected from a wired local network for the wired tools and from a wireless local network for the three wireless tools. The network consists of three machines and an access point: one machine emits normal traffic, the second alternately sends attack data, and the last collects the traffic. Data collection was done with software we developed specifically for this purpose. The intrusions used are: DOS attack, MITM, MAC spoofing and, for the wireless network, the chopchop attack.
The data collected have been separated into two sets: a training set and a test set. The first set is used to calculate the optimal synaptic weights; each entry is associated with the actual value of the output. By iterating over this dataset, the classifier dynamically adjusts the connection weights to minimize the error rate between the network output values and the actual values. The neural network could produce high performance on the training set, but it showed poor results on the test set. These data were not directly used by the learning algorithm; they were kept aside so that the network could be used to measure the error between the output and the desired data. The network converges whenever the error is below a predefined threshold. Once the network is trained and validated, it must be able to predict the class of each entry in the test set.
4.3.2. Experimental results
The test results are obtained from the NeuroSolutions software. The perceptron of neural networks were trained with the full set of parameters [13] [14]. We have evaluated the performance of classifiers using the detection rate and learning time. The results display the efficiencies of the IDS / IPS tools.
5. Conclusion
This study has shown that both intrusion detection systems and intrusion prevention systems still need to be improved to ensure unfailing security for a network. They are not reliable enough (especially with regard to false positives and false negatives) and they are difficult to administer. Yet it is obvious that these systems are now essential for companies to ensure their security. To assure effective computer security, it is strongly recommended to combine several types of detection systems. The IPS, which attempt to compensate in part for these problems, are not yet effective enough for use in a production context; they are currently mainly used in test environments in order to evaluate their reliability, and they also lack a normalized operating principle like that of the IDS. However, these technologies will have to be developed in the coming years, given the increasing security needs of businesses and the changes in technology that allow more efficient operation of intrusion detection and prevention systems. We are working on the implementation of an attack screening tool and on the characterization of test data. We also focus on the collection of exploits and attacks to classify and identify them. Further work is under way and many ways remain to be explored. It would then be interesting to conduct assessments of existing IDS and IPS following the approaches we have proposed and the tools developed in this work.
References
[1] Hervé Debar and Jouni Viinikka, "Intrusion Detection: Introduction to Intrusion Detection and Security Information Management", Foundations of Security Analysis and Design III, Lecture Notes in Computer Science, Volume 3655, 2005, pp. 207-236.
[2] Hervé Debar, Marc Dacier and Andreas Wespi, "A Revised Taxonomy for Intrusion Detection Systems", Annales des Télécommunications, Vol. 55, No. 7-8, pp. 361-378, 2000.
[3] Mohammed Gadelrab and A. Abou El Kalam, "Testing Intrusion Detection Systems: An Engineered Approach", Proceedings of the IASTED International Conference on Software Engineering and Applications (SEA 2006), USA, 2006.
[4] Mohammed S. Gadelrab, Anas Abou El Kalam and Yves Deswarte, "Defining categories to select representative attack test-cases", Proceedings of the 2007 ACM workshop on Quality of Protection (QoP '07), Alexandria, Virginia, USA, pp. 40-42, 2007.
[5] Mohammed Gadelrab, Anas Abou El Kalam and Yves Deswarte, "Modélisation des processus d'attaques pour l'évaluation des IDS", Actes de la 3ème Conférence sur la Sécurité des Architectures Réseaux et des Systèmes d'Information, Loctudy, France, 2008.
[6] S. Fluhrer, I. Mantin, A. Shamir, "Weaknesses in the Key Scheduling Algorithm of RC4", Selected Areas in Cryptography (SAC 2001), Lecture Notes in Computer Science 2259, pp. 1-24, Springer-Verlag, 2001.
[7] C. Gehrmann, M. Näslund, "ECRYPT Yearly Report on Algorithms and Keysizes", www.ecrypt.eu.org/documents/D.SPA.10-1.1.pdf, 2005.
[8] I. Mantin, A. Shamir, "A practical attack on broadcast RC4", Fast Software Encryption (FSE 2001), Lecture Notes in Computer Science 2335, pp. 152-164, Springer-Verlag, 2001.
[9] L. Butti, "Détection d'Intrusion dans les Réseaux 802.11", Symposium sur la Sécurité des Technologies de l'Information et des Communications 2006, pp. 411-433, École Supérieure et d'Application des Transmissions,
Fig. 4. The efficiency level of the examined wireless tools (Snort-Wireless, AirMagnet, AirDefense)
Fig. 5. The efficiency level of the examined wired tools (Snort, Cisco NetRanger, NetScreen (IDP))
[10] F. Guo and T.-C. Chiueh, "Sequence number-based MAC address spoof detection", Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection (RAID '05), pp. 309-329, Seattle, WA, USA, September 2005.
[11] J. Wright, "Detecting Wireless LAN MAC Address Spoofing", January 2003, http://forskningsnett.uninett.no/wlan/download/wlan-mac-spoof.pdf. Accessed November 2007.
[12] KoreK, "chopchop (Experimental WEP attacks)", 2004, available at http://www.netstumbler.org/showthread.php?t=12489
[13] Y. Farhaoui, A. Asimi, "Performance Assessment of the Intrusion Detection and Prevention Systems: According to their features: the method of analysis, reliability, reactivity, facility, adaptability and performance", The 6th IEEE International Conference on Sciences of Electronics, Technologies of Information and Telecommunications (SETIT 2011), Sousse, Tunisia, 2011.
[14] Y. Farhaoui, A. Asimi, "Performance Assessment of the Intrusion Detection and Prevention Systems: According to the objectives of security: Integrity, confidentiality, availability, Authentication", Congrès International Informatique et Sciences de l'Ingénieur (ISI 2011), Errachidia, Morocco, 2011.