1 Scope
This standard specifies the technical requirements and the testing and evaluation approaches for network-based intrusion detection systems, including security function requirements, self-security functional requirements, security assurance requirements and testing and evaluation approaches, and proposes grading requirements for network-based intrusion detection systems.
This standard is applicable to the design, development, testing and evaluation of network-based intrusion detection systems.
2 Normative References
The following documents are essential for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 18336.1-2008 Information Technology - Security Techniques - Evaluation Criteria For IT Security - Part 1: Introduction and General Model
GB/T 25069-2010 Information Security Technology - Glossary
3 Terms and Definitions
For the purposes of this document, the terms and definitions established in GB/T 18336.1-2008 and GB/T 25069-2010 and the following apply.
3.1
Event
A record of an occurrence or modification of a system, service or network state, serving as the basis for security event analysis.
3.2
Incident
An occurrence of a system, service or network state, identified through the analysis and processing of events, which indicates a possible breach of security rules or the failure of some protective measure, or indicates a previously unknown situation that is likely to be security-related; such a situation is very likely to harm business operations and threaten information security.
3.3
Intrusion
Any behavior which harms or may harm the integrity, confidentiality or availability of resources.
3.4
Intrusion detection
The process of finding behaviors that breach the security policy, and signs of attack, in a network or system by collecting and analyzing information from several key points in the computer network or computer system.
3.5
Network-based intrusion detection system
An intrusion detection system which takes network data packets as its data source, monitoring and analyzing all the data packets within the protected network in order to find abnormal behavior.
3.6
Sensor
A component of an intrusion detection system which collects, in real time, events likely to indicate intrusion behavior or misuse of information system resources, and makes a preliminary analysis of the information collected.
3.7
Alert
An urgent notice which the network-based intrusion detection system sends to the authorized administrator in case of an attack or intrusion.
3.8
Response
The behavior of protecting the information system and its stored data, and restoring them to a normal operating environment, in case of an attack or intrusion.
3.9
False positives
The network-based intrusion detection system raises an alarm when no attack has occurred, i.e. it sends a false alarm.
3.10
False negative
The network-based intrusion detection system fails to raise an alarm when an attack occurs.
4 Abbreviated Terms
For the purposes of this document, the following abbreviated terms apply.
ARP: Address Resolution Protocol
DNS: Domain Name System
FTP: File Transfer Protocol
HTML: Hypertext Markup Language
HTTP: Hypertext Transfer Protocol
ICMP: Internet Control Message Protocol
IMAP: Internet Message Access Protocol
IP: Internet Protocol
NFS: Network File System
POP3: Post Office Protocol 3
RIP: Routing Information Protocol
RPC: Remote Procedure Call
SMTP: Simple Mail Transfer Protocol
SNMP: Simple Network Management Protocol
TCP: Transmission Control Protocol
TELNET: Telecommunication Network
TFTP: Trivial File Transfer Protocol
UDP: User Datagram Protocol
5 Grading of Network-Based Intrusion Detection System