Assessing Network Intrusion Detection System performance: forensic implications
Network intrusion detection systems (NIDS) are security systems used to detect threats to computer networks. They usually log events and store other information that is useful for forensic purposes. Laurensen (2010) showed that the forensic capability of IDS in wireless networks depended on packet rates and that under high workloads up to 50% of packets passed uninspected. He concluded that a forensically ready network requires more than an IDS to assure that sufficient evidence is available after an event. This research proposes to test a selection of common NIDS (listed below) and to evaluate their performance under different workloads. Common attack problems and shortcomings are also explored, for example input validation attacks, signature recognition algorithms and attack vector information. The implications concern the forensic treatment of NIDS capability and recommendations for fixing the shortfalls in current NIDS tools by specifying system requirements. The main goal of the research project is the implementation of common open source NIDSs and the assessment of their capability to acquire and preserve network digital evidence under workload. The objective is to report best practice for handling and reporting the evidentiary trails of two types of input validation attack. The architecture of the proposed system consists of two networks: a simulated Internet network and a host-only production network. Each network has specific components. The Internet network includes four machines producing traffic from common stress tools and one machine producing cross-site scripting and SQL injection attacks against the web server. The production network consists of a web server hosting a web application that is vulnerable to the proposed attacks, a firewall running the NIDSs (Snort, Suricata and Bro-IDS), and finally a forensic server.
The proposed system therefore monitors and forensically studies the traffic transmitted between the two networks. Four phases were conducted during the life of the research project: two initial phases to ensure the stability of the test bed and two final phases to carry out the formal testing. Phases one and two of the initial testing consisted of the implementation and installation of all network components, the NIDS configurations, the network performance monitoring system and the creation of the training traffic. The initial test was built to evaluate and determine the capabilities of the performance monitoring system and the NIDSs' alert detection for the proposed attacks. Phase three recreated the workload traffic and measured the performance of each NIDS in terms of resource usage and detected alerts. Phase four consisted of two methods of evidence collection and the recording of best practice for acquiring and preserving the evidentiary trails of the attacks. The findings demonstrate that the proposed NIDSs can be used as a source of digital evidence. However, these NIDSs suffer from a number of issues, including packets being dropped before they reach the detection engines. This issue is largely related to the interception functions, which need to be improved to eliminate the problem. The findings also demonstrate that extraction of the evidence is another problem area that needs a solution. In the research, scripts were written to improve tool performance and preservation capability (see Appendix F for the code). Moreover, the evidence analysis, examined by two different methods, was either time consuming or had difficulties producing correct timestamps. Overall, this thesis shows the limitations of the NIDS, shows how the current tools can be improved, and provides advice on how to overcome common investigation issues.
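The two problem areas named above, extracting the alerts as evidence and producing correct timestamps, can be illustrated with a small evidence-preservation script. The following is an added example written for this page; it is not the thesis's Appendix F code and makes no claim about what those scripts did. It parses alerts in Snort's "fast" log format, which omits the year from its timestamp (the caller must supply it) and records the sensor's local time (assumed here to be UTC), normalises each alert to an ISO 8601 UTC timestamp, and chains the records with SHA-256 so that any later modification of the extracted evidence is detectable. The alert lines are constructed samples, not captures from the test bed; the rule IDs and addresses in them are invented.

```python
"""Extract Snort fast.log alerts into timestamped, hash-chained evidence records (added example)."""
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample lines in Snort's fast alert format (invented SIDs and addresses,
# not captured from the thesis test bed). Note the timestamp carries no year.
SAMPLE_FAST_LOG = [
    "03/14-10:22:31.120435  [**] [1:1000001:1] LOCAL SQLi UNION SELECT in URI [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.50:43122 -> 10.0.0.10:80",
    "03/14-10:22:33.004118  [**] [1:1000002:1] LOCAL XSS script tag in parameter [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.50:43123 -> 10.0.0.10:80",
    "this line is corrupt and must be counted as skipped, not silently lost",
]

# One fast.log alert: timestamp, [gid:sid:rev], message, optional classification,
# priority, protocol, and src -> dst (ports are absent for ICMP, so they are optional).
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

GENESIS_HASH = "0" * 64


def parse_fast_line(line, year, sensor_tz=timezone.utc):
    """Parse one fast.log line into a dict with a UTC ISO 8601 timestamp.

    Returns None for lines that do not match. `year` is required because the
    format omits it; `sensor_tz` is the zone of the sensor clock (assumed UTC).
    """
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    local = datetime.strptime(f"{year}/{d['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    stamped = local.replace(tzinfo=sensor_tz).astimezone(timezone.utc)
    return {
        "timestamp": stamped.isoformat(),
        "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "msg": d["msg"],
        "classification": d["cls"],
        "priority": int(d["prio"]),
        "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
    }


def _record_hash(alert, prev_hash):
    """SHA-256 over the previous hash and a canonical JSON form of the alert."""
    canonical = json.dumps(alert, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def build_evidence_manifest(lines, year, sensor_tz=timezone.utc):
    """Parse alert lines into a hash-chained manifest. Returns (records, skipped_count).

    Unparseable lines are counted rather than dropped silently, so the examiner
    can see how much of the log could not be extracted.
    """
    records, skipped = [], 0
    prev = GENESIS_HASH
    for lineno, line in enumerate(lines, start=1):
        alert = parse_fast_line(line, year, sensor_tz)
        if alert is None:
            skipped += 1
            continue
        alert["source_line"] = lineno  # where in the original log this came from
        digest = _record_hash(alert, prev)
        records.append({"alert": alert, "prev_hash": prev, "hash": digest})
        prev = digest
    return records, skipped


def verify_manifest(records):
    """Recompute the chain; False if any record was altered, removed or reordered."""
    prev = GENESIS_HASH
    for entry in records:
        if entry["prev_hash"] != prev or _record_hash(entry["alert"], prev) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    manifest, skipped = build_evidence_manifest(SAMPLE_FAST_LOG, year=2023)
    print(json.dumps(manifest, indent=2))
    print(f"records: {len(manifest)}, skipped: {skipped}, chain valid: {verify_manifest(manifest)}")
```

The year and sensor time zone are passed in explicitly rather than guessed, because a log rolled over a year boundary, or a sensor clock not set to UTC, is exactly how incorrect timestamps get into an evidentiary record; the chained hash lets the forensic server prove later that the extracted alerts match what was collected.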