Intrusion detection and the role of the system administrator

Cited by: 7
Authors
Sommestad, Teodor [1]
Hunstad, Amund [1]
Affiliation
[1] Swedish Defence Research Agency (FOI), Linköping
Source
Information Management and Computer Security | 2013 / Vol. 21 / No. 1
Keywords
Computer networks; Computer security; Information management; Intrusion detection; Intrusion detection systems; System administration; System administrator
DOI
10.1108/09685221311314400
Abstract
Purpose - The expertise of a system administrator is believed to be important for effective use of intrusion detection systems (IDS). This paper examines two hypotheses concerning system administrators' ability to filter the alarms produced by an IDS, by comparing the performance of an IDS alone to that of a system administrator using the IDS.
Design/methodology/approach - An experiment was constructed in which five computer networks were attacked over four days. The experiment assessed the difference between the output of a system administrator using an IDS and the output of the IDS alone. The administrator's analysis process was also investigated through interviews.
Findings - The experiment shows that a system administrator analysing the output of the IDS significantly improves the portion of alarms that correspond to attacks, without significantly decreasing the probability that an attack is detected. In addition, the types of expertise used when the administrator processes the IDS output are analysed.
Originality/value - Previous work, based on interviews with system administrators, has suggested that competent system administrators are important for achieving effective IDS solutions. This paper presents a quantitative test of the value system administrators add to an intrusion detection solution. © Emerald Group Publishing Limited.
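The abstract compares two quantities for the raw IDS output and for the output after the administrator's filtering: the portion of alarms that correspond to attacks (precision) and the probability that an attack is detected (detection rate). The block below is an added example, not code or data from the paper: it scores both outputs on a constructed set of alarms and runs a two-sided Fisher exact test (Fisher, 1922, which the paper lists among its references) on the administrator's triage decisions. The paper's real alarm counts, attack counts and exact statistical design are not on this page, so every number in the block, the attack ids A1..A5 and the 40 alarm records are constructed assumptions.

```python
from collections import namedtuple
from math import comb

# Constructed sample data (not the paper's): one record per alarm the IDS
# raised during the exercise. attack = id of the attack the alarm belongs to
# (None for a false alarm); kept = administrator forwarded it as an incident.
Alarm = namedtuple("Alarm", "alarm_id attack kept")
ATTACKS = {"A1", "A2", "A3", "A4", "A5"}      # attacks actually carried out (assumed)


def constructed_alarms():
    """40 alarms: 10 true alarms over the 5 attacks, 30 false alarms.
    The administrator keeps 9 true alarms and 3 false ones; the single
    alarm for attack A5 is dropped, so that attack is lost after triage."""
    true_alarms = [("A1", True), ("A1", True), ("A1", True),
                   ("A2", True), ("A2", True),
                   ("A3", True), ("A3", True),
                   ("A4", True), ("A4", True),
                   ("A5", False)]
    false_alarms = [(None, i < 3) for i in range(30)]   # 3 false alarms kept
    return [Alarm(i + 1, attack, kept)
            for i, (attack, kept) in enumerate(true_alarms + false_alarms)]


def evaluate(alarms, attacks, admin_filtered):
    """The two quantities the abstract compares, for one output:
    precision      = portion of alarms in the output that correspond to attacks
    detection_rate = probability that an attack produced at least one alarm
                     in the output (distinct attacks covered / attacks run).
    admin_filtered=False scores the raw IDS output, True scores only what
    the administrator kept."""
    output = [a for a in alarms if a.kept or not admin_filtered]
    true_count = sum(1 for a in output if a.attack is not None)
    detected = {a.attack for a in output if a.attack is not None}
    return {
        "alarms": len(output),
        "true_alarms": true_count,
        "false_alarms": len(output) - true_count,
        "precision": true_count / len(output) if output else 0.0,
        "detection_rate": len(detected) / len(attacks),
        "missed_attacks": sorted(attacks - detected),
    }


def triage_table(alarms):
    """2x2 table of the administrator's filtering decisions:
    rows kept / dropped, columns real attack / false alarm -> (a, b, c, d)."""
    a = sum(1 for x in alarms if x.kept and x.attack is not None)
    b = sum(1 for x in alarms if x.kept and x.attack is None)
    c = sum(1 for x in alarms if not x.kept and x.attack is not None)
    d = sum(1 for x in alarms if not x.kept and x.attack is None)
    return a, b, c, d


def fisher_exact_two_sided(a, b, c, d):
    """Two-sided Fisher exact test for the table [[a, b], [c, d]]: sums the
    hypergeometric probability of every table with the same margins that is
    no more likely than the observed one. math.comb gives exact integer
    binomials, so the small counts of a four-day exercise pose no precision
    problem."""
    n = a + b + c + d
    row1, col1 = a + b, a + c

    def pmf(k):                      # P(cell a == k | fixed margins)
        return comb(row1, k) * comb(n - row1, col1 - k) / comb(n, col1)

    p_obs = pmf(a)
    lo, hi = max(0, col1 - (n - row1)), min(row1, col1)
    p = sum(pmf(k) for k in range(lo, hi + 1) if pmf(k) <= p_obs * (1 + 1e-9))
    return min(1.0, p)


if __name__ == "__main__":
    alarms = constructed_alarms()
    for label, filtered in (("IDS alone", False), ("IDS + administrator", True)):
        print(f"{label:20s} {evaluate(alarms, ATTACKS, filtered)}")
    a, b, c, d = triage_table(alarms)
    print(f"triage table kept=({a}, {b}) dropped=({c}, {d}) "
          f"Fisher p = {fisher_exact_two_sided(a, b, c, d):.2e}")
```

On the constructed data the administrator raises precision from 0.25 to 0.75 while detection drops from 1.0 to 0.8, because the one attack that produced a single alarm was discarded. Reporting both quantities matters: precision is what the base-rate fallacy (Axelsson, 2000, also in the paper's references) drives down when attacks are rare, and detection rate is fragile whenever an attack is represented by a single alarm, so filtering that looks like a pure gain on precision can still hide a missed intrusion. The Fisher test here asks only whether "kept" is associated with "real attack" across the administrator's decisions; it does not by itself prove the detection rate was unaffected.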
Pages: 30-40 (10 pages)
References (showing 10 of 16)
  • [1] Axelsson S., The base-rate fallacy and the difficulty of intrusion detection, ACM Transactions on Information and System Security, 3, 3, pp. 186-205, (2000)
  • [2] Biermann E., Cloete E., Venter L.M., A comparison of intrusion detection systems, Computers and Security, 20, 8, pp. 676-683, (2001)
  • [3] Branlat M., Challenges to Adversarial Interplay under High Uncertainty: Staged-World Study of A Cyber Security Event, (2011)
  • [4] Fisher R.A., On the interpretation of chi-square from contingency tables, and the calculation of P, Journal of the Royal Statistical Society, 85, 1, pp. 87-94, (1922)
  • [5] Goodall J.R., Lutters W.G., Komlodi A., I know my network: Collaboration and expertise in intrusion detection, Proceedings of the ACM Conference on Computer Supported Cooperative Work, CSCW, pp. 342-345, (2004)
  • [6] Goodall J.R., Lutters W.G., Komlodi A., Developing expertise for network intrusion detection, Information Technology & People, 22, 2, pp. 92-108, (2009)
  • [7] McHugh J., Testing intrusion detection systems: A critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory, ACM Transactions on Information and System Security, 3, 4, pp. 262-294, (2000)
  • [8] Mell P., Hu V., Lippmann R., An Overview of Issues in Testing Intrusion Detection Systems, (2003)
  • [9] Ranum M.J., Experiences Benchmarking Intrusion Detection Systems, pp. 1-10, (2001)
  • [10] Sommestad T., Hallberg J., Cyber Security Exercises and Competitions As A Platform for Cyber Security Experiments, (2012)