The Computer Journal Advance Access originally published online on September 2, 2008
The Computer Journal 2009 52(4):429-460; doi:10.1093/comjnl/bxn043
© The Author 2008. Published by Oxford University Press on behalf of The British Computer Society. All rights reserved. For Permissions, please email: journals.permissions@oxfordjournals.org

A Pragmatic Methodology for Testing Intrusion Prevention Systems

Zhongqiang Chen1, Alex Delis2,* and Peter Wei3

1 Yahoo! Inc., Santa Clara, CA 95054, USA
2 University of Athens, Athens, 15784, Greece
3 Fortinet Inc., Sunnyvale, CA 94086, USA

* Corresponding author: ad{at}di.uoa.gr

Received 20 July 2007; revised 21 May 2008

Intrusion prevention systems (IPSs) not only attempt to detect attacks but also block malicious traffic and proactively tear down the pertinent network connections. To thwart attacks effectively, an IPS has to operate both in real time and inline. This dual mode renders the design and implementation, and more importantly the testing, of IPSs a challenge. In this paper, we propose an IPS testing framework termed IPS Evaluator, which consists of a trace-driven inline simulator engine, mechanisms for generating and manipulating test cases, and a comprehensive series of test procedures. The engine features attacker and victim interfaces that bind to the external and internal ports of an IPS-under-testing (IUT). The engine employs a bi-directional injection policy to ensure that replayed packets are subject to security inspection by the IUT before they are forwarded. Furthermore, the engine's send-and-receive mechanism allows for the correlation of engine-replayed and IUT-forwarded packets as well as the verification of IUT actions on detected attacks. Using dynamic addressing and routing techniques, the framework rewrites both source and destination addresses of every replayed packet on the fly, so that replayed packets conform to the specific configuration of the IUT. We propose algorithms to partition attacker- and victim-emanated packets so that they are subjected to security inspection by the IUT, and in addition we offer packet manipulation operations to shape replayed traces. We discuss procedures that help verify the IUT's detection and prevention accuracy, attack coverage, and behavior under diverse traffic patterns. Finally, we evaluate the strengths of our framework mainly by examining the open-source IPS Snort-Inline. IPS deficiencies revealed during testing help establish the effectiveness of our approach.
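The replay loop the abstract describes (partition packets by origin, rewrite addresses to fit the IUT, inject on the matching interface, correlate what comes out the other side, and score the IUT's actions) can be sketched in a few dozen lines. The following is an added illustration written for this page, not code from the IPS Evaluator framework or from the paper's authors. The trace, the address map, the signature string `EXPLOIT_MARKER` and the `stub_iut` callable standing in for a real inline device are all constructed assumptions; a real harness would drive physical or virtual interfaces instead of calling a function.

```python
"""Simplified trace-driven inline replay against an IPS-under-testing (IUT).

Added example, not part of the original paper. The IUT is a stub function so the
whole loop runs offline; the trace and addresses below are constructed samples.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    pid: int        # replay id, used to correlate injected and forwarded copies
    src: str
    dst: str
    payload: bytes


@dataclass
class Verdict:
    pid: int
    interface: str               # "attacker" or "victim": where it was injected
    forwarded: bool              # True if the IUT let it reach the other side
    forwarded_packet: Optional[Packet]


# Constructed sample trace: TCP-like handshake, one malicious request, one reply.
TRACE_ATTACKER = "10.0.0.5"      # attacker address as recorded in the trace
TRACE_VICTIM = "192.168.1.10"    # victim address as recorded in the trace
SAMPLE_TRACE: List[Packet] = [
    Packet(1, TRACE_ATTACKER, TRACE_VICTIM, b"SYN"),
    Packet(2, TRACE_VICTIM, TRACE_ATTACKER, b"SYN-ACK"),
    Packet(3, TRACE_ATTACKER, TRACE_VICTIM, b"ACK"),
    Packet(4, TRACE_ATTACKER, TRACE_VICTIM, b"GET /cgi-bin/EXPLOIT_MARKER HTTP/1.0"),
    Packet(5, TRACE_VICTIM, TRACE_ATTACKER, b"HTTP/1.0 200 OK"),
]
MALICIOUS_IDS: Set[int] = {4}    # ground truth for the constructed trace

# Constructed address map: trace addresses -> addresses the IUT actually routes.
ADDR_MAP: Dict[str, str] = {TRACE_ATTACKER: "203.0.113.7", TRACE_VICTIM: "198.51.100.20"}


def partition(trace: List[Packet], attacker_addr: str) -> List[Tuple[str, Packet]]:
    """Bi-directional injection: attacker-emanated packets enter via the external
    port, everything else via the internal port, so each one is inspected inline."""
    return [("attacker" if p.src == attacker_addr else "victim", p) for p in trace]


def rewrite(p: Packet, addr_map: Dict[str, str]) -> Packet:
    """Dynamic addressing: rewrite src/dst on the fly; unknown addresses pass through."""
    return Packet(p.pid, addr_map.get(p.src, p.src), addr_map.get(p.dst, p.dst), p.payload)


# Stub IUT (assumption): receives (ingress port, packet) and returns the packet it
# forwards to the opposite port, or None when it drops the packet.
def stub_iut(ingress: str, pkt: Packet) -> Optional[Packet]:
    if b"EXPLOIT_MARKER" in pkt.payload:   # constructed signature for this example
        return None
    return pkt


def replay(trace: List[Packet], attacker_addr: str, addr_map: Dict[str, str],
           iut: Callable[[str, Packet], Optional[Packet]]) -> List[Verdict]:
    """Send each packet through the IUT and record whether it came out the far side."""
    verdicts = []
    for iface, p in partition(trace, attacker_addr):
        ingress = "external" if iface == "attacker" else "internal"
        out = iut(ingress, rewrite(p, addr_map))
        # Correlate by replay id: a forwarded copy must carry the id we injected.
        matched = out if out is not None and out.pid == p.pid else None
        verdicts.append(Verdict(p.pid, iface, matched is not None, matched))
    return verdicts


def score(verdicts: List[Verdict], malicious_ids: Set[int]) -> Dict[str, float]:
    """Detection/prevention accuracy: which malicious packets were blocked, and
    whether any benign packet was blocked by mistake."""
    blocked = {v.pid for v in verdicts if not v.forwarded}
    tp = len(blocked & malicious_ids)
    fp = len(blocked - malicious_ids)
    fn = len(malicious_ids - blocked)
    return {"blocked": len(blocked), "true_positive": tp, "false_positive": fp,
            "missed": fn, "prevention_rate": tp / len(malicious_ids) if malicious_ids else 1.0}


if __name__ == "__main__":
    vs = replay(SAMPLE_TRACE, TRACE_ATTACKER, ADDR_MAP, stub_iut)
    for v in vs:
        print(v.pid, v.interface, "forwarded" if v.forwarded else "DROPPED")
    print(score(vs, MALICIOUS_IDS))
```

Because every verdict is keyed by the replay id rather than by the rewritten addresses, the same loop can score an IUT that rewrites addresses itself (NAT) or that resets the connection instead of silently dropping; only the correlation check in `replay` needs to know what the device is expected to emit.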

Key Words: testing of intrusion prevention systems • testing methodology • inline operation • detection and prevention accuracy of IPSs
