NIDS Performance Evaluation And Its Application Research In Bank System

Posted on: 2006-10-01 | Degree: Master | Type: Thesis
Country: China | Candidate: Y C Jiang | Full Text: PDF
GTID: 2168360182957162 | Subject: Software engineering
Abstract/Summary:
As an important part of network security, a Network Intrusion Detection System (NIDS) detects all kinds of intrusions online in real time and tries to defend network security. Through its detection and control technology, it plays an active defensive role. As NIDS has been widely put into practice, testing and assessing it has become an increasingly urgent task. From the results of testing and assessment, developers can find the weaknesses of their products and users can purchase the IDS products that suit them best. NIDS belongs to the scope of audit. With improvements in NID technology and in people's awareness, the position of intrusion detection products in the security field has changed. Besides audit functions, NIDS also has functions such as alarming, responding and dynamic defense. Therefore, the basic principle for evaluating a NIDS is whether it can help network administrators control and evaluate the state of the network and its security. The key points of testing should be based on an assessment of the intrusion detection product, the NIDS. The evaluation should cover management function, performance and self-security. The above four aspects should be regarded as a whole that cannot be divided. The key problem in testing and evaluating an IDS is that only known attacks can be tested. During testing and evaluation, the data can be obtained by simulation, but the difficulty of simulating an intruder's attacks is that only known attacks are tested; for new attack methods, no results can be obtained. Thus, even if testing finds no defects in an IDS, we cannot say that it is a complete system. However, we can select different types of detection samples to cover more attack types. Meanwhile, the intrusion information database should be updated to adapt to new circumstances.
Moreover, since the test and evaluation data for IDS are open, an IDS designed according to the open data is likely to produce satisfactory test results. However, this does not mean that it will operate well in practice. The analysis of the test results also has many problems. Ideally the test results would be analyzed automatically, but this is not easy to realize in practice. The actual evaluation of an IDS generally includes objective and subjective factors, which are related to the primary detection ability and reporting methods of the IDS. The analysts should analyze why misinformation is reasonable under the given detection network conditions. The scoring methods for the detection results are also critical. If they are not scientific, the results obtained may miss a particular attack or give misinformation for a normal activity. The correct approach is to record a result only once, because the same action may cause the same results. However, this is very difficult to achieve. If this effect is counted repeatedly, the test result for the IDS will be far from ideal, while in reality the IDS may work rather satisfactorily. Taking the developed NIDS as its object, the paper gives several criteria for assessing NIDS system performance and an off-line testing standard [1], and provides a novel method of testing and assessing NIDS.
First, this paper introduces the test environment and the configuration of each node, and describes in detail how to simulate background traffic. Next, it discusses the principles of common attack methods and the method for the scalability of the intrusion signature database, with which we can train the NIDS and lay the foundation for the final assessment. Finally, it discusses methods of assessing NIDS in terms of detection capability, convenience, security and so on, and points out the advantages and disadvantages of NIDS. During testing, we mainly developed background traffic simulation software, which can simulate an off-line network environment and test network intrusion detection realistically and effectively. At the same time, using the intrusion signature database of our NIDS and Snort, we also developed software for replaying datagrams constructed from these intrusion signatures. This software can be used to check the validity of the recorded intrusion signatures and to test the capability of the analyzer [2] and the detection system.
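
The scoring point made in the abstract (record the result of one action only once), shown as an added example that is not from the thesis: it scores a constructed alert log against constructed ground truth both ways. The action ids, signature names and the `score` function are assumptions made for illustration.

```python
from collections import Counter

# Constructed ground truth for one replayed test run: action id -> is it an attack?
TRUTH = {"a1": True, "a2": True, "a3": False, "a4": False, "a5": False, "a6": True}

# Constructed alert log: (action id, signature). A single action can fire the
# same signature many times (a scan, or one noisy benign transfer).
ALERTS = [
    ("a1", "SCAN"), ("a1", "SCAN"), ("a1", "SCAN"),
    ("a2", "OVERFLOW"),
    ("a4", "SCAN"), ("a4", "SCAN"), ("a4", "SCAN"), ("a4", "SCAN"),
]


def score(truth, alerts, once=True):
    """Return (detection_rate, false_alert_share, missed_attacks).

    once=True  records each (action, signature) result a single time.
    once=False counts every raw alert, so repeats are scored again.
    Alerts for actions absent from the ground truth count as false.
    """
    if once:
        alerts = set(alerts)
    per_action = Counter(action for action, _ in alerts)
    attacks = sorted(a for a, is_attack in truth.items() if is_attack)
    missed = [a for a in attacks if per_action[a] == 0]
    true_alerts = sum(n for a, n in per_action.items() if truth.get(a, False))
    false_alerts = sum(per_action.values()) - true_alerts
    total = true_alerts + false_alerts
    detection_rate = (len(attacks) - len(missed)) / len(attacks) if attacks else 0.0
    false_alert_share = false_alerts / total if total else 0.0
    return detection_rate, false_alert_share, missed


if __name__ == "__main__":
    for once in (True, False):
        rate, share, missed = score(TRUTH, ALERTS, once=once)
        print(f"once={once}: detection={rate:.2f} false-alert share={share:.2f} missed={missed}")
```

On this sample the detection rate is the same under both scoring rules, but counting every repeat raises the share of false alerts from one third to one half, so the same detector looks worse.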
Keywords/Search Tags:Network Intrusion Detection System(NIDS), testing and assessing, intrusion signature, network simulation, Sniffer