Intrusion Detection: Characterising intrusion detection sensors

  • Authors:
  • Siraj A. Shaikh;Howard Chivers;Philip Nobles;John A. Clark;Hao Chen

  • Affiliations:
  • Department of Informatics and Sensors, Cranfield University, UK;Department of Informatics and Sensors, Cranfield University, UK;Department of Informatics and Sensors, Cranfield University, UK;Department of Computer Science, University of York, UK;Department of Computer Science, University of York, UK

  • Venue:
  • Network Security
  • Year:
  • 2008

Abstract

An intrusion detection sensor is defined as a device that collects and analyses network traffic for the purpose of identifying suspicious events. Too often the value of a sensor is associated with its data collection and analysis features. Experience tells us such sensors fall under a range of different types and are diverse in their operational characteristics, some of which have been little studied. In this article, researchers from the Cranfield and York universities examine some of these characteristics, such as location and response, and also characterise the various costs associated with such sensors.

A common definition for an intrusion detection sensor defines it as a "device that collects and analyses network traffic for the purpose of identifying suspicious events".^1 Too often the value of a sensor is associated with its data collection and analysis features. This is inevitable since so many of the intrusion detection systems (IDS) are designed with such characteristics in mind. Experience tells us such sensors fall under a range of different types with diverse operational characteristics, some of which have been little studied. There is a need to examine some of these characteristics to appreciate the value they add to sensor deployments particularly from a system perspective. Such characteristics are important if sensors are to be assessed collectively as opposed to the effectiveness of individual sensors.