NIST: Security products need standardization
- By Joab Jackson
- Jul 07, 2003
Despite wide use across government, intrusion detection systems have no standard metrics to measure their performance, according to a new report by the National Institute of Standards and Technology.
"An Overview of Issues in Testing Intrusion Detection Systems" concluded that there are no comprehensive and scientifically rigorous methodologies to test the effectiveness of intrusion detection systems, which monitor and analyze systems and network traffic for possible hacker attackers or misuse.
Internet Security Systems Inc., Network Associates Inc. and Symantec Corp. are among the vendors who sell intrusion detection systems.
NIST identified some probable metrics in the June report. They include: Coverage: The range of attacks that a system could detect.False alarms: The rate of false positives generated by a system.Detection rate: The number of attacks a system can detect in a given period of time.Resistance to attacks: The ability of the system to resist attacks to itself. Throughput: How much traffic can the system handle at a given time. Correlation: The ability to synthesize disparate events into a correct recognition of attacks. Detection of novel attacks: The ability of the system to detect attacks that have not occurred before. Detection of attack success: The ability to determine if the attack is successful.
The report identified the work needed in each of these areas to develop metrics.
Joab Jackson is the senior technology editor for Government Computer News.