Testing security detectors: How well will [detector X] work on my network?

Dr. Carrie Gates (CA Labs)


ABSTRACT

Network security has enjoyed a growth in interest as the number of Internet users, and threats, has increased. However, the expected performance of any given security detector cannot be predicted, nor can the ability of the detector to recognize events with differing characteristics be quantified. Further, comparing two different detectors in order to determine which will perform best under a given set of conditions is not easily done. Rather, the performance results for security detectors, when presented at all, tend to be based either on results from testing with MIT's Lincoln Labs data set or on tests using network traces captured from a single network block. The first approach, while providing a useful baseline for side-by-side comparisons of security detectors, relies on an aging data set with well-known shortcomings, while the second approach does not address how well a detector will perform in an environment that differs in size, usage or design.

In this presentation I will start by examining some of the issues involved in testing network security detectors. I will then present a new testing methodology, which I used to test a co-ordinated port scan detector. The end result of this methodology is a regression model that describes how well the detector performs in the test environment given scans with varying characteristics. I demonstrate the model's predictive capability when faced with a new operating environment, and illustrate its ability to compare the capabilities of two different detectors.
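The shape of that methodology (vary the scan characteristics, record whether the detector fires, fit a regression, then use the fitted model to predict performance in a different environment and to compare two detectors) can be shown end to end in code. The following is an added example written for this page; it is not the detector, data or model from the talk. Everything in it is constructed and labelled as such: a toy co-ordinated scan detector with two made-up thresholds (`min_sources`, `min_ports`), a single environment property (`loss_rate`, the fraction of probes the sensor never sees), uniformly sampled scan sizes, and a logistic regression fitted by plain batch gradient ascent so that it runs with no third-party libraries.

```python
import math
import random

# Added example, not from the talk: a toy coordinated-scan detector, synthetic
# scans with varying characteristics, and a logistic-regression model of the
# detector's hit rate. Every threshold and sample value here is constructed.

def toy_detector(n_sources, ports_per_source, loss_rate, rng,
                 min_sources=3, min_ports=4):
    """Constructed detector: alarm when at least `min_sources` scanning hosts are
    each seen probing at least `min_ports` ports. `loss_rate` models the share of
    probes the sensor never sees (an environment property, not a scan one)."""
    visible = 0
    for _ in range(n_sources):
        seen = sum(1 for _ in range(ports_per_source) if rng.random() >= loss_rate)
        if seen >= min_ports:
            visible += 1
    return visible >= min_sources

def run_trials(n_trials, loss_rates, seed, **detector_kw):
    """Sample scans of varying size across the given environments and record the
    detector's verdict. Each row is ((n_sources, ports_per_source, loss), hit)."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n_trials):
        s = rng.randint(1, 12)          # number of coordinating sources
        p = rng.randint(1, 10)          # ports assigned to each source
        loss = rng.choice(loss_rates)   # sensor environment for this trial
        rows.append(((s, p, loss), toy_detector(s, p, loss, rng, **detector_kw)))
    return rows

def _features(s, p, loss):
    # Rescale inputs to O(1) so fixed-step gradient ascent behaves.
    return (1.0, s / 10.0, p / 10.0, loss)

def fit_logistic(rows, steps=1500, lr=0.1):
    """Fit P(hit) = sigmoid(w . features) by batch gradient ascent on the
    log-likelihood. Returns the weight vector [intercept, w_sources, w_ports, w_loss]."""
    w = [0.0] * 4
    n = len(rows)
    for _ in range(steps):
        grad = [0.0] * 4
        for (s, p, loss), hit in rows:
            x = _features(s, p, loss)
            pred = 1.0 / (1.0 + math.exp(-sum(wi * xi for wi, xi in zip(w, x))))
            err = (1.0 if hit else 0.0) - pred
            for i in range(4):
                grad[i] += err * x[i]
        for i in range(4):
            w[i] += lr * grad[i] / n
    return w

def predict(w, s, p, loss):
    """Model's probability that a scan with these characteristics is detected
    in an environment with this loss rate."""
    z = sum(wi * xi for wi, xi in zip(w, _features(s, p, loss)))
    return 1.0 / (1.0 + math.exp(-z))

def accuracy(w, rows):
    """Fraction of trials where the model's 0.5 cut agrees with the detector."""
    hits = sum((predict(w, *x) >= 0.5) == d for x, d in rows)
    return hits / len(rows)

def predicted_vs_observed(w, rows):
    """Mean predicted hit rate against the observed hit rate on a set of trials,
    e.g. trials from an environment the model was never fitted on."""
    mean_pred = sum(predict(w, *x) for x, _ in rows) / len(rows)
    observed = sum(1 for _, d in rows if d) / len(rows)
    return mean_pred, observed

if __name__ == "__main__":
    train = run_trials(400, [0.0, 0.2, 0.4], seed=1)
    w = fit_logistic(train)
    print("weights", [round(v, 2) for v in w], "train accuracy", accuracy(w, train))
    # A harsher environment than any the model saw during fitting.
    new_env = run_trials(200, [0.6], seed=2)
    print("loss 0.6, predicted vs observed hit rate:", predicted_vs_observed(w, new_env))
    # Compare against a stricter constructed detector on one scan profile.
    w_strict = fit_logistic(run_trials(400, [0.0, 0.2, 0.4], seed=1, min_sources=6))
    print("P(detect | 4 sources, 8 ports, loss 0.1):",
          round(predict(w, 4, 8, 0.1), 2), "vs strict:", round(predict(w_strict, 4, 8, 0.1), 2))
```

The fitted weights are the deliverable: their signs and magnitudes say which scan characteristics the detector is sensitive to, `predicted_vs_observed` is the check that the model transfers to an environment outside its fitting range, and fitting a second model for a second detector lets the two be compared on identical scan profiles rather than on whichever traces each was originally evaluated with.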

BIOGRAPHY

Carrie Gates is a Research Staff Member with CA Labs on Long Island, New York. Her role is to perform enterprise security research in collaboration with university faculty and students with the aim of providing research results that have strategic value for CA. Previously, she was a member of the technical staff at CERT, Carnegie Mellon University, where she did security research for large-scale networks. Her research interests include the detection of security events using network traffic, network visualization approaches for security administrators, usable security, and privacy.