A metrics-based approach to intrusion detection system evaluation for distributed real-time systems

This paper describes a set of metrics that will help administrators of distributed, real-time (clustered) computer facilities to select the best intrusion detection system for their facilities. The metrics herein are the subset of our general metric set that particularly impact real-time and distributed processing issues. We discuss related works in this field, the role of intrusion detection in information assurance, some basic classes of intrusion detection systems, a general architecture of network intrusion detection systems, and the scorecard metrics and their application to real-time and distributed processing systems. Finally we discuss the lessons we learned using a preliminary version of the metric scorecard to test three commercial intrusion detection systems and the opportunities for further work in this area.