A methodology for testing intrusion detection systems

Intrusion detection systems (IDSs) attempt to identify unauthorized use, misuse, and abuse of computer systems. In response to the growth in the use and development of IDSs, the authors have developed a methodology for testing IDSs. The methodology consists of techniques from the field of software testing which they have adapted for the specific purpose of testing IDSs. They identify a set of general IDS performance objectives which is the basis for the methodology. They present the details of the methodology, including strategies for test-case selection and specific testing procedures. They include quantitative results from testing experiments on the Network Security Monitor (NSM), an IDS developed at UC Davis. They present an overview of the software platform that has been used to create user-simulation scripts for testing experiments. The platform consists of the UNIX tool expect and enhancements that they have developed, including mechanisms for concurrent scripts and a record-and-replay feature. They also provide background information on intrusions and IDSs to motivate their work