Edinburgh Napier University

  Nowadays, the majority of corporations mainly use signature-based intrusion detection. This trend is partly due to the fact that signature detection is a well-known technology, as opposed to anomaly detection which is one of the hot topics in network security research. A second reason for this fact may be that anomaly detectors are known to generate many alerts, the majority of which being false alarms. Corporations need concrete comparisons between different tools in order to choose which is best suited for their needs. This thesis aims at comparing an anomaly detector with a signature detector in order to establish which is best suited to detect a data theft threat. The second aim of this thesis is to establish the influence of the training period length of an anomaly Intrusion Detection System (IDS) on its detection rate. This thesis presents a Network-based Intrusion Detection System (NIDS) evaluation testbed setup. It shows the setup of two IDSes, the signature detector Snort and the anomaly detector Statistical Packet Anomaly Detection Engine (SPADE). The evaluation testbed also includes the setup of a data theft scenario (reconnaissance, brute force attack on server and data theft). The results from the experiments carried out in this thesis proved inconclusive, mainly due to the fact that the anomaly detector SPADE requires a configuration adapted to the network monitored. Despite the fact that the experimental results proved inconclusive, this thesis could act as documentation for setting up a NIDS evaluation testbed. It could also be considered as documentation for the anomaly detector SPADE. This statement is made from the observation that there is no centralised documentation about SPADE, and not a single research paper documents the setup of an evaluation testbed.