The Effectiveness of Intrusion Detection Systems.

  • Charles Iheagwara

    Student thesis: Doctoral Thesis

    Abstract

    This study investigates the following hypothesis: "The effectiveness of intrusion detection systems can be improved by rethinking the way the IDS is managed and by adopting effective and systematic implementation approaches."

    This submission introduces the work done to show the validity of this hypothesis. It demonstrates its practicability and discusses how different technical factors; local environmental (systems/network) factors; implementation and management factors affect intrusion detection systems effectiveness.

    We conduct studies on intrusion detection systems to expand our knowledge of their basic concepts, designs, approaches and implementation pitfalls. We analyze implementations of the major intrusion detection systems approaches/products and their inherent limitations in different environments.

    We discuss the issues that affect intrusion detection systems effectiveness and explore the dependencies on several components, each of which is different and variable in nature. Then, we investigate each component as a separate and independent subhypothesis.

    To provide evidence in support of the hypothesis, we conduct several studies using different approaches: experimental investigations, case studies, and analytical studies (with empirically derived arguments).

    We develop methodologies for testing intrusion detection systems in switched and gigabit environments and perform tests to measure their effectiveness against a wide range of tunable parameters and environmentally desirable characteristics for a broad range of known intrusions. The experimental results establish the impact of deployment techniques on intrusion detection systems effectiveness. The results also establish empirical bandwidth limits for selecting appropriate intrusion detection technologies/products for highly scalable environments.

    Through case studies, we demonstrate how management and implementation methods affect intrusion detection systems effectiveness and the Return on Investment.

    Finally, in our analytical work we illustrate how systems configuration settings and local security policies affect intrusion detection systems effectiveness.

    Together, the results provide the evidence in support of the hypothesis and, hence, we contribute to the existing body of knowledge by suggesting and demonstrating the ways to improve the effectiveness of intrusion detection systems.
    Date of AwardOct 2004
    Original languageEnglish
    SupervisorAndrew Blyth (Supervisor)

    Cite this

    '